Introducing
Vault
Ramit Surana
TOC
● Overview
● What is Vault?
● Vault Architecture
● Features
● Shamir's Algorithm
● Read/Write Token
● Read/Write Multiple Values
● Audit
● Database
● Read Format
● Vault UI
● Commands
● Installation
● SSH
● Policies
● Telemetry
● Transit
● Vault Plugins
● GitHub Authentication
● AWS Authentication
● Policies
● Storage Backend
● Community
● Use Cases
Overview
● Vault is a simple tool to secure your organization's credentials and authentication.
● It encrypts secrets and provides controlled access to them.
● Every secret is associated with a lease. Clients have to renew their secret within the lease period.
● A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more.
Features
1. Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
2. Dynamic Secrets: Vault can generate secrets on demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
3. Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
4. Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
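Features 2 to 4 describe one lifecycle: a dynamic secret is issued with a TTL, renewed up to a hard maximum, expired automatically, and revocable one at a time or as a whole tree by path prefix. The following model is an added example written for this deck, not Vault's own code; the LeaseStore class, the injected clock (seconds passed in as `now`) and the sample paths are choices made for the illustration, and the 1h default / 24h maximum TTLs mirror the values the database slide uses later.

```python
"""Toy model of Vault's lease lifecycle: issue, renew (capped), expire, revoke.
Added example; not Vault's implementation. Time is an explicit number so the
behaviour is deterministic and testable offline."""
import secrets
from dataclasses import dataclass, field


@dataclass
class Lease:
    lease_id: str
    path: str          # backend path the secret was issued from
    expires_at: float  # absolute expiry on the injected clock (seconds)
    max_expiry: float  # hard cap: renewals never push expiry past this


@dataclass
class LeaseStore:
    default_ttl: float = 3600.0
    max_ttl: float = 24 * 3600.0
    leases: dict = field(default_factory=dict)
    revoked: list = field(default_factory=list)  # revocation log for auditing

    def issue(self, path: str, now: float) -> Lease:
        """Issue a dynamic secret under `path` with the default TTL."""
        lease_id = f"{path}/{secrets.token_hex(8)}"
        lease = Lease(lease_id, path, now + self.default_ttl, now + self.max_ttl)
        self.leases[lease_id] = lease
        return lease

    def renew(self, lease_id: str, now: float, increment: float) -> float:
        """Extend a live lease by `increment`, capped at max_ttl from issuance.
        Returns the new remaining TTL; raises if the lease is gone or expired."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.expires_at <= now:
            raise KeyError("lease not found or already expired")
        lease.expires_at = min(now + increment, lease.max_expiry)
        return lease.expires_at - now

    def revoke(self, lease_id: str) -> bool:
        """Revoke a single lease. Returns False if it was not live."""
        if self.leases.pop(lease_id, None) is None:
            return False
        self.revoked.append(lease_id)
        return True

    def revoke_prefix(self, prefix: str) -> int:
        """Revoke every lease whose id starts with `prefix` (a tree of secrets),
        e.g. every credential ever issued from aws/creds/deploy."""
        victims = [lid for lid in self.leases if lid.startswith(prefix)]
        for lid in victims:
            self.revoke(lid)
        return len(victims)

    def tidy(self, now: float) -> int:
        """Expire leases whose TTL has run out; Vault does this by itself."""
        expired = [lid for lid, l in self.leases.items() if l.expires_at <= now]
        for lid in expired:
            self.revoke(lid)
        return len(expired)


def demo() -> dict:
    """Walk through issue -> renew -> capped renew -> expiry -> tree revocation."""
    store = LeaseStore(default_ttl=3600, max_ttl=24 * 3600)
    a = store.issue("aws/creds/deploy", now=0)
    store.issue("aws/creds/deploy", now=0)          # second AWS credential
    store.issue("database/creds/readonly", now=0)   # unrelated DB credential
    renewed_ttl = store.renew(a.lease_id, now=3000, increment=7200)   # 7200
    capped_ttl = store.renew(a.lease_id, now=9000, increment=90000)   # 77400
    expired = store.tidy(now=9000)                    # the two untouched leases
    revoked = store.revoke_prefix("aws/creds/deploy")  # only `a` is still live
    return {"renewed_ttl": renewed_ttl, "capped_ttl": capped_ttl,
            "expired": expired, "revoked": revoked, "live": len(store.leases)}


if __name__ == "__main__":
    print(demo())
```

The point to take from the walk-through is the cap: the second renewal asks for 25 hours but is cut to the 24-hour maximum measured from issuance, which is why a leaked dynamic credential has a bounded lifetime even if the holder keeps renewing it.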
Commands
● Init - Initialize a new Vault server
● List - List data or secrets in Vault
● Token-create - Create a new auth token
● Mounts - Lists mounted backends in
Vault
● Policies - List the policies on the server
● Audit - Lists enabled audit backends in
Vault
● Ssh - Initiate an SSH session
● Rotate - Rotates the backend encryption
key used to persist data
● Unseal/Seal - Unseal/Seal Vault
Vault Use Case Overview
(Diagram: Vault at the centre, connected to 3rd-party tools, SSH, Transit (Encrypt/Decrypt), Database and Audit.)
How does Vault Work?
(Diagram: high-level architecture overview.)
Installation
● Download the binary from https://www.vaultproject.io/downloads.html
$ chmod +x vault
$ mv vault /usr/local/bin/
$ export VAULT_ADDR='http://127.0.0.1:8200'
Shamir's Algorithm
● A form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, and some or all of the parts are needed in order to reconstruct the secret.
● The threshold is the minimum number of shares you need in order to recover your secret. You can restore your secret only when you hold at least the threshold number of shares.
● For Vault, we split the master key into 5 shares, any 3 of which are required to reconstruct the master key.
● For more info: http://kimh.github.io/blog/en/security/protect-your-secret-key-with-shamirs-secret-sharing/
Read/Write Token
● Store Ramit's (user) password under the secret/ path prefix:
$ vault write secret/ramit value=SuperSecretPassword
● Store Ramit's (user) password and token:
$ vault write secret/ramit value=SuperSecretPassword token=ABCDE12345
● Read the secret for a particular user:
$ vault read secret/ramit
● Read in a particular format (other formats include table and yaml):
$ vault read --format=json secret/ramit
Read/Write Multiple Token & Password
● Store multiple values for any user from a JSON file:
$ vault write secret/password @data.json
● Read the secret of a user:
$ vault read secret/ramit
{ "key": "ramit5", "value": "itsasecret1" }
Vault Audit Mechanism
● Enable the file audit backend:
$ vault audit-enable file file_path=/var/log/vault_audit.log
● Check the log file using:
$ sudo cat /var/log/vault_audit.log
● Any number of file audit logs can be created by enabling the backend at different paths:
$ vault audit-enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
● syslog and socket audit backends can also be enabled:
$ vault audit-enable syslog
$ vault audit-enable socket
$ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"
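Enabling the audit backend is only useful if someone reads the log. The following triage script is an added example, not part of the deck: it parses the JSON-lines layout the file audit backend writes (one object per line, with a request/response `type`, the caller's `remote_address` and `path`, and an `error` string), counts permission-denied responses per client address, and lists successful writes to audit, policy and auth paths. The sample lines are constructed to match that layout with invented addresses, timestamps and paths; the prefix list and the alert threshold are the example's own choices.

```python
"""Triage of a Vault file audit log. Added example; the log is constructed."""
import json
from collections import Counter

# Constructed sample in the JSON-lines layout of the file audit backend.
# Tokens and secret values, which Vault HMACs before logging, are left out.
SAMPLE_AUDIT_LOG = """\
{"time":"2017-05-01T10:00:00Z","type":"request","auth":{"policies":["default"]},"request":{"operation":"read","path":"secret/ramit","remote_address":"10.0.0.5"},"error":""}
{"time":"2017-05-01T10:00:00Z","type":"response","auth":{"policies":["default"]},"request":{"operation":"read","path":"secret/ramit","remote_address":"10.0.0.5"},"error":""}
{"time":"2017-05-01T10:00:01Z","type":"response","auth":{"policies":["default"]},"request":{"operation":"read","path":"sys/policy","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2017-05-01T10:00:02Z","type":"response","auth":{"policies":["default"]},"request":{"operation":"list","path":"secret/","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2017-05-01T10:00:03Z","type":"response","auth":{"policies":["default"]},"request":{"operation":"read","path":"aws/creds/deploy","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2017-05-01T10:00:04Z","type":"response","auth":{"policies":["root"]},"request":{"operation":"update","path":"sys/audit/file","remote_address":"10.0.0.7"},"error":""}
not json: a truncated or corrupted line that must not abort the whole scan
"""

# Paths whose successful modification changes who can see or do what in Vault.
# This list is the example's own choice, not a Vault constant.
SENSITIVE_PREFIXES = ("sys/audit", "sys/policy", "auth/")


def parse_audit_log(text):
    """Parse JSON lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a real pipeline would count these as a health signal
    return entries


def denied_by_address(entries):
    """Count 'permission denied' responses per client address."""
    counts = Counter()
    for e in entries:
        if e.get("type") == "response" and "permission denied" in e.get("error", ""):
            counts[e.get("request", {}).get("remote_address", "?")] += 1
    return counts


def noisy_sources(entries, threshold):
    """Addresses with at least `threshold` denials: candidates for review."""
    return sorted(addr for addr, n in denied_by_address(entries).items() if n >= threshold)


def sensitive_changes(entries):
    """Successful writes to audit, policy or auth configuration paths."""
    hits = []
    for e in entries:
        req = e.get("request", {})
        if (e.get("type") == "response" and not e.get("error")
                and req.get("operation") in ("update", "create", "delete")
                and req.get("path", "").startswith(SENSITIVE_PREFIXES)):
            hits.append((e.get("time"), req.get("path"), req.get("remote_address")))
    return hits


if __name__ == "__main__":
    log = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("denials per address:", dict(denied_by_address(log)))
    print("review these sources:", noisy_sources(log, threshold=3))
    print("sensitive changes:", sensitive_changes(log))
```

Two design choices matter for a production version: only `response` entries carry the outcome, so counting `request` entries would double-count, and a malformed line is skipped rather than raised so that one corrupt record cannot hide everything after it.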
Vault SSH OTP Usage
● Mount ssh on Vault:
$ vault mount ssh
● Write an SSH role with the default user and the allowed CIDR:
$ vault write ssh/roles/otp_key_role \
    key_type=otp \
    default_user=ramit \
    cidr_list=192.168.x.x/y
● Configure the sshd daemon in PAM:
$ vim /etc/pam.d/sshd
● Edit/add the following lines in the sshd PAM file:
@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vault-ssh.log /opt/vault-ssh-helper -config=/opt/config.hcl -dev
auth optional pam_unix.so not_set_pass use_first_pass nodelay
● Edit /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
● Restart ssh:
$ sudo service sshd restart
● Generate a one-time password for the target host:
$ vault write ssh/creds/otp_key_role ip=192.168.x.x
● Try ssh using the OTP from the above output as the password:
$ ssh root@192.168.x.x
Vault Database
● Mount the database backend:
$ vault mount database
● Configure the MySQL connection:
$ vault write database/config/mysql plugin_name=mysql-database-plugin \
    connection_url="root:<YOUR-DB_PASSWORD>@tcp(127.0.0.1:3306)/" \
    allowed_roles="readonly"
● Add a role:
$ vault write database/roles/readonly db_name=mysql \
    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" \
    default_ttl="1h" max_ttl="24h"
● Read the credentials:
$ vault read database/creds/readonly
● Available database plugins:
● mysql-database-plugin
● mysql-aurora-database-plugin
● mysql-rds-database-plugin
● mysql-legacy-database-plugin
● postgresql-database-plugin
● mssql-database-plugin
● cassandra-database-plugin
● vault-plugin-database-oracle
● hana-database-plugin
● mongodb-database-plugin
● From the output of the above command, log in with the generated credentials:
$ sudo mysql -u v-root-readonly-wp7sx5737ry347x1 -pA1a-7q7yxq902pwtyu89
Vault General Token Operations
● Generate a token:
$ vault token-create
● Authenticate to Vault with a token:
$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51
● Revoke a token:
$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5
Vault UI
● Built using external projects by the community.
● Can be run via Docker:
$ sudo docker run -d -p 8000:8000 --name vault-ui djenriquez/vault-ui
Vault Policies
● List all policies on Vault:
$ vault policies
● Install the policy in acl.hcl on Vault under the name "secret":
$ vault policy-write secret acl.hcl
● Validate that the policy is installed:
$ vault policies
● Delete a policy from Vault:
$ vault policy-delete secret
● Create a new token using a particular policy:
$ vault token-create -policy="secret"
acl.hcl:
path "sys" {
  policy = "deny"
}
path "secret" {
  policy = "write"
}
path "secret/foo" {
  policy = "read"
}
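The interesting property of this acl.hcl is precedence: secret/foo is read-only even though secret as a whole is writable, because the most specific matching rule wins. The evaluator below is an added example, not Vault's code: it parses the slide's simple path/policy form, expands the legacy policy keywords (deny/read/write/sudo) into capability sets, and resolves a request path to its longest matching rule. The assumption that a rule covers its own path and everything beneath it, and the exact capability names, are my simplification of Vault's radix-tree evaluation.

```python
"""Evaluator for the legacy path/policy ACL form. Added example, not Vault's."""
import re

# Legacy policy keywords expanded to the capabilities they grant (example's mapping).
LEGACY_POLICY = {
    "deny": frozenset(),
    "read": frozenset({"read", "list"}),
    "write": frozenset({"create", "read", "update", "delete", "list"}),
    "sudo": frozenset({"create", "read", "update", "delete", "list", "sudo"}),
}

# The acl.hcl from the slide, embedded so the example runs stand-alone.
ACL_HCL = '''
path "sys" {
  policy = "deny"
}
path "secret" {
  policy = "write"
}
path "secret/foo" {
  policy = "read"
}
'''

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*policy\s*=\s*"(\w+)"\s*\}')


def parse_policy(hcl):
    """Return {path: policy} for the simple path/policy stanzas used on the slide."""
    rules = {}
    for path, policy in _RULE.findall(hcl):
        if policy not in LEGACY_POLICY:
            raise ValueError(f"unknown policy value {policy!r} for {path}")
        rules[path.strip("/")] = policy
    return rules


def match_rule(rules, request_path):
    """Most specific rule covering request_path, or None (default deny).
    Assumption: a rule applies to its own path and to every path below it."""
    request_path = request_path.strip("/")
    best = None
    for rule_path in rules:
        if request_path == rule_path or request_path.startswith(rule_path + "/"):
            if best is None or len(rule_path) > len(best):
                best = rule_path
    return best


def is_allowed(rules, request_path, capability):
    """True only if a rule covers the path and grants the capability."""
    rule = match_rule(rules, request_path)
    if rule is None:
        return False
    return capability in LEGACY_POLICY[rules[rule]]


if __name__ == "__main__":
    rules = parse_policy(ACL_HCL)
    for path, cap in [("secret/bar", "update"), ("secret/foo", "update"),
                      ("secret/foo", "read"), ("sys/policy", "read"),
                      ("aws/creds/deploy", "read")]:
        print(f"{cap:6} {path:18} -> {is_allowed(rules, path, cap)}")
```

Note the last case: a path with no matching rule at all is denied, which is the default-deny stance a token with only this policy inherits.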
Vault Telemetry
● Vault agent collects various runtime metrics about the performance of different libraries and subsystems.
● These metrics are aggregated on a 10 second interval and are retained for 1 minute.
● You'll note that log entries are prefixed with the metric type as follows:
[C] is a counter
[G] is a gauge
[S] is a summary
● For more info:
https://www.vaultproject.io/docs/internals/telemetry.html
Vault Transit Encryption
● It handles cryptographic functions on data in transit.
● It encrypts data from applications while still storing that encrypted data in some primary data store.
● It can also sign and verify data, generate hashes and HMACs of data, and act as a source of random bytes.
● It allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value.
● Mount transit on Vault:
$ vault mount transit
● Create a named encryption key:
$ vault write -f transit/keys/foo
● Validate the key foo:
$ vault read transit/keys/foo
Vault Transit Decryption
● Encrypt the plaintext ("the quick brown fox"); transit expects the plaintext base64-encoded:
$ echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
● Decrypt, then base64-decode the returned plaintext:
$ vault write transit/decrypt/foo \
    ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
$ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d
Vault Token
● Generate Token :
$ vault token-create
● Vault authentication :
$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51
● Vault Revoke Token:
$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5
Vault Plugins
Vault supports a number of different plugins such as:
● AppRole
● AWS
● Google Cloud
● Kubernetes
● GitHub
● LDAP
● MFA
● Okta
● RADIUS
● TLS Certificates
● Tokens
● Username & Password
GitHub Authentication
● Enable the GitHub auth backend:
$ vault auth-enable github
● Configure the GitHub organization whose members may authenticate:
$ vault write auth/github/config organization=<your-github-org>
● Map the default team to the root policy:
$ vault write auth/github/map/teams/default value=root
● Revoke all GitHub tokens:
$ vault token-revoke -mode=path auth/github
● Disable GitHub auth on Vault:
$ vault auth-disable github
AWS Dynamic Authentication
● Mount AWS on Vault:
$ vault mount aws
● Write the AWS root credentials into Vault:
$ vault write aws/config/root access_key=ABCDE1234 secret_key=1234ABCDE
● Create a role from an IAM policy in JSON format (policy.json):
$ vault write aws/roles/deploy policy=@policy.json
● Read and verify the generated AWS credentials:
$ vault read aws/creds/deploy
● Revoke them using the lease_id from the output above:
$ vault revoke aws/creds/deploy/185e6910-6d36-e9a6-33b3-fc8dcfd4e97c
policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Vault Storage Backend
● Example server configuration with a TLS listener and an S3 storage backend:
$ vim vault-config.hcl
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/home/ec2-user/.ssl/server.crt"
  tls_key_file = "/home/ec2-user/.ssl/server.key"
}
backend "s3" {
  bucket = "foldername"
  access_key = "xxxxxxxxxxxx"
  secret_key = "xxxxxxxxxxxxxxxxxxxxxxx"
}
disable_mlock = true
● Supported storage backends include:
● S3
● DynamoDB
● Azure
● CouchDB
● CockroachDB
● etcd
● Google Cloud
● Swift
● Zookeeper
● MySQL
● Filesystem
● PostgreSQL
Supervisor
● Install supervisor:
$ sudo apt-get install supervisor -y
● Config file:
$ vim /etc/supervisor/supervisord.conf
● Edit the config file:
- in the `[unix_http_server]` section, change `;chmod=0700` to `chmod=0766`
- add a `[program:vault]` section
- add `command=vault server -config=/home/ec2-user/vault-config.hcl`
- add `user=ec2-user`
- add `environment=AWS_ACCESS_KEY_ID="<your_access_key_id>",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"`
● Create the init script:
$ sudo touch /etc/init.d/supervisord
● Add supervisord with chkconfig:
$ sudo chkconfig --add supervisord
● Start the service with supervisord:
$ sudo service supervisord start
$ supervisorctl
● For more info on supervisor:
https://serversforhackers.com/c/monitoring-processes-with-supervisord
Generating a Self Signed Certificate
● SSL uses asymmetric cryptography, commonly referred to as public key cryptography (PKI).
● With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key.
● Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data could only have come from the server.
● The OpenSSL toolkit is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be used to generate self-signed certificates, which can be used for testing purposes or internal usage.
● Make a directory:
$ mkdir .ssl && cd .ssl
● Generate a passphrase-protected 1024-bit RSA private key:
$ openssl genrsa -des3 -out server.key 1024
● Generate a CSR (Certificate Signing Request):
$ openssl req -new -key server.key -out server.csr
Generating a Self Signed Certificate (Part 2)
● Remove the passphrase from the key:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
● Generate a self-signed certificate:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
● Remove the backup copy of the key and leave the directory:
$ rm server.key.org && cd
Community Facts
Find more at https://github.com/hashicorp/vault/
● Contributors: 384+
● Commits: 6K+
● Releases: 46
Thank you :)
A brief study on Kubernetes and its componentsA brief study on Kubernetes and its components
A brief study on Kubernetes and its components
 
Sysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of MonitoringSysdig - Introducing a new definition of Monitoring
Sysdig - Introducing a new definition of Monitoring
 
Introducing Puppet - The faster speed of Automation
Introducing Puppet - The faster speed of AutomationIntroducing Puppet - The faster speed of Automation
Introducing Puppet - The faster speed of Automation
 
Introducing Chef | An IT automation for speed and awesomeness
Introducing Chef | An IT automation for speed and awesomenessIntroducing Chef | An IT automation for speed and awesomeness
Introducing Chef | An IT automation for speed and awesomeness
 
Canister
Canister Canister
Canister
 
Exploring Openstack Swift(Object Storage) and Swiftstack
Exploring Openstack Swift(Object Storage) and Swiftstack Exploring Openstack Swift(Object Storage) and Swiftstack
Exploring Openstack Swift(Object Storage) and Swiftstack
 

Recently uploaded

Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilVICTOR MAESTRE RAMIREZ
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesShyamsundar Das
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfBrain Inventory
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfTobias Schneck
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024Mind IT Systems
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLAlluxio, Inc.
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native BuildpacksVish Abrams
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsJaydeep Chhasatia
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdfMeon Technology
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmonyelliciumsolutionspun
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Jaydeep Chhasatia
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadIvo Andreev
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptkinjal48
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?AmeliaSmith90
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampVICTOR MAESTRE RAMIREZ
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeNeo4j
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntelliSource Technologies
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyRaymond Okyere-Forson
 

Recently uploaded (20)

Generative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-CouncilGenerative AI for Cybersecurity - EC-Council
Generative AI for Cybersecurity - EC-Council
 
Watermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security ChallengesWatermarking in Source Code: Applications and Security Challenges
Watermarking in Source Code: Applications and Security Challenges
 
Why Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdfWhy Choose Brain Inventory For Ecommerce Development.pdf
Why Choose Brain Inventory For Ecommerce Development.pdf
 
Kawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in TrivandrumKawika Technologies pvt ltd Software Development Company in Trivandrum
Kawika Technologies pvt ltd Software Development Company in Trivandrum
 
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdfARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
ARM Talk @ Rejekts - Will ARM be the new Mainstream in our Data Centers_.pdf
 
Top Software Development Trends in 2024
Top Software Development Trends in  2024Top Software Development Trends in  2024
Top Software Development Trends in 2024
 
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/MLBig Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
Big Data Bellevue Meetup | Enhancing Python Data Loading in the Cloud for AI/ML
 
Streamlining Your Application Builds with Cloud Native Buildpacks
Streamlining Your Application Builds  with Cloud Native BuildpacksStreamlining Your Application Builds  with Cloud Native Buildpacks
Streamlining Your Application Builds with Cloud Native Buildpacks
 
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software TeamsYour Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
Your Vision, Our Expertise: TECUNIQUE's Tailored Software Teams
 
online pdf editor software solutions.pdf
online pdf editor software solutions.pdfonline pdf editor software solutions.pdf
online pdf editor software solutions.pdf
 
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine HarmonyLeveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
Leveraging DxSherpa's Generative AI Services to Unlock Human-Machine Harmony
 
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
Optimizing Business Potential: A Guide to Outsourcing Engineering Services in...
 
Cybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and BadCybersecurity Challenges with Generative AI - for Good and Bad
Cybersecurity Challenges with Generative AI - for Good and Bad
 
Webinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.pptWebinar_050417_LeClair12345666777889.ppt
Webinar_050417_LeClair12345666777889.ppt
 
How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?How Does the Epitome of Spyware Differ from Other Malicious Software?
How Does the Epitome of Spyware Differ from Other Malicious Software?
 
Salesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptxSalesforce AI Associate Certification.pptx
Salesforce AI Associate Certification.pptx
 
Deep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - DatacampDeep Learning for Images with PyTorch - Datacamp
Deep Learning for Images with PyTorch - Datacamp
 
IA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG timeIA Generativa y Grafos de Neo4j: RAG time
IA Generativa y Grafos de Neo4j: RAG time
 
Introduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptxIntroduction-to-Software-Development-Outsourcing.pptx
Introduction-to-Software-Development-Outsourcing.pptx
 
AI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human BeautyAI Embracing Every Shade of Human Beauty
AI Embracing Every Shade of Human Beauty
 

Introducing Vault

• 4. Features
1. Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.
2. Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.
3. Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.
4. Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
• 5. Commands
● init - Initialize a new Vault server
● list - List data or secrets in Vault
● token-create - Create a new auth token
● mounts - List mounted backends in Vault
● policies - List the policies on the server
● audit - List enabled audit backends in Vault
● ssh - Initiate an SSH session
● rotate - Rotate the backend encryption key used to persist data
● unseal/seal - Unseal/Seal Vault
• 6. Vault Use Case Overview
(Diagram: Vault at the centre, connected to 3rd Party Tools, SSH, Transit (Encrypt/Decrypt), Database and Audit.)
• 9. Installation
● Download the binary from https://www.vaultproject.io/downloads.html
$ chmod +x vault
$ mv vault /usr/local/bin/
$ export VAULT_ADDR='http://127.0.0.1:8200'
• 10. Shamir's Algorithm
● Basically a form of secret sharing, where a secret is divided into parts, giving each participant its own unique part, where some of the parts or all of them are needed in order to reconstruct the secret.
● The threshold is the minimum number of shares needed to recover the secret: you can restore the secret only when you hold at least the threshold number of shares.
● For Vault, we split the master key into 5 shares, any 3 of which are required to reconstruct the master key.
● For more info: http://kimh.github.io/blog/en/security/protect-your-secret-key-with-shamirs-secret-sharing/
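The split-and-reconstruct described on this slide, as an added Python example that is not part of the slides or of Vault's own code. It goes beyond the 5-of-3 case in that `split_secret` takes any share count and threshold; Vault's own implementation works byte-wise over GF(2^8), whereas this version interpolates over a large prime field, and the master key is a constructed sample.

```python
"""Shamir's secret sharing: a secret split into n shares such that any k of
them reconstruct it and fewer than k reveal nothing.

Added example, not code from the slides or from Vault. The "master key" below
is a constructed sample, not a real Vault key.
"""
import secrets
from typing import List, Tuple

# Mersenne prime 2**521 - 1: large enough that a 32-byte key is one field element.
PRIME = (1 << 521) - 1

Share = Tuple[int, int]  # (x, f(x)); x starts at 1 because f(0) is the secret


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x (mod PRIME)."""
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, shares: int = 5, threshold: int = 3) -> List[Share]:
    """Split `secret` into `shares` points on a random polynomial of degree threshold-1."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    # f(x) = secret + a1*x + ... + a_{k-1}*x^(k-1); the constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange-interpolate f(0) from the given shares.

    With at least `threshold` distinct shares this is the secret. With fewer,
    the interpolation still returns *some* field element, and every candidate
    secret is equally consistent with the shares held: that is why a set of
    shares below the threshold leaks nothing.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinate")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = (num * -xj) % PRIME          # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME    # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo() -> Tuple[int, int, int, int]:
    """Vault's default of 5 shares with threshold 3, on a constructed sample key.

    Returns (secret, recovered from shares 1-3, recovered from shares 2,4,5,
    result from only two shares).
    """
    master_key = int.from_bytes(b"constructed-sample-master-key-32", "big")
    shares = split_secret(master_key, shares=5, threshold=3)
    from_first_three = recover_secret(shares[:3])
    from_any_three = recover_secret([shares[1], shares[3], shares[4]])
    from_two = recover_secret(shares[:2])  # below threshold: not the secret
    return master_key, from_first_three, from_any_three, from_two


if __name__ == "__main__":
    key, a, b, c = demo()
    print("any 3 of 5 shares recover the key:", a == key and b == key)
    print("2 shares do not:", c != key)
```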
• 11. Read/Write Token
● Store Ramit's (user) password under the secret/ path prefix:
$ vault write secret/ramit value=SuperSecretPassword
● Store Ramit's (user) password and token:
$ vault write secret/ramit value=SuperSecretPassword token=ABCDE12345
● Read the secret for a particular user:
$ vault read secret/ramit
● Read in a particular format:
$ vault read --format=json secret/ramit
(Other formats include table and yaml.)
• 12. Read/Write Multiple Token & Password
● Store multiple values for any user:
$ vault write secret/password @data.json
● Read the secret of a user:
$ vault read secret/ramit
{ "key": "ramit5", "value": "itsasecret1" }
• 13. Vault Audit Mechanism
● Enable the Vault file audit backend:
$ vault audit-enable file file_path=/var/log/vault_audit.log
● Check the log file using:
$ sudo cat /var/log/vault_audit.log
● Any number of file audit logs can be created by enabling the backend at different paths:
$ vault audit-enable -path="vault_audit_1" file file_path=/home/user/vault_audit.log
● Syslog and socket backends can also be enabled:
$ vault audit-enable syslog
$ vault audit-enable socket
$ vault audit-enable socket address="127.0.0.1:9090" socket_type="tcp"
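A defender-side way to use the file audit log enabled above, as an added Python example that is not from the slides or from Vault: it parses JSON-lines audit entries and summarises permission-denied responses per client address and successful secret reads per identity. The log lines are constructed samples that only approximate the shape of Vault's audit entries; field names such as `request.remote_address` and `auth.display_name` are assumed here and should be checked against a real log.

```python
"""Triage a Vault file audit log (the backend enabled with
`vault audit-enable file file_path=/var/log/vault_audit.log`).

Added example; not code from the slides or from Vault. The log lines below are
constructed samples in the general shape of Vault's JSON audit entries (one
object per line, a `request` entry and a `response` entry per call). Field
names are assumed from that shape, not verified against a live Vault.
"""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

DENIED = "permission denied"

# Constructed sample log; not captured from a real Vault instance.
SAMPLE_AUDIT_LOG = """\
{"time":"2018-05-01T10:00:00Z","type":"request","auth":{"display_name":"github-ramit","policies":["default","secret"]},"request":{"id":"r1","operation":"read","path":"secret/ramit","remote_address":"10.0.0.5"},"error":""}
{"time":"2018-05-01T10:00:00Z","type":"response","auth":{"display_name":"github-ramit","policies":["default","secret"]},"request":{"id":"r1","operation":"read","path":"secret/ramit","remote_address":"10.0.0.5"},"error":""}
{"time":"2018-05-01T10:00:05Z","type":"response","auth":{"display_name":"token","policies":["default"]},"request":{"id":"r2","operation":"read","path":"sys/policy/root","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2018-05-01T10:00:06Z","type":"response","auth":{"display_name":"token","policies":["default"]},"request":{"id":"r3","operation":"list","path":"secret/","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2018-05-01T10:00:07Z","type":"response","auth":{"display_name":"token","policies":["default"]},"request":{"id":"r4","operation":"read","path":"secret/ramit","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2018-05-01T10:01:00Z","type":"response","auth":{"display_name":"aws-deploy","policies":["default","deploy"]},"request":{"id":"r5","operation":"read","path":"aws/creds/deploy","remote_address":"10.0.0.7"},"error":""}
this line is not JSON and must not abort the whole run
"""


def parse_audit_log(text: str) -> Tuple[List[dict], int]:
    """Parse JSON lines; returns (entries, number of malformed lines)."""
    entries, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1  # a truncated or tampered line is itself a signal
    return entries, malformed


def denied_by_source(entries: List[dict]) -> Counter:
    """Count permission-denied responses per client address."""
    hits: Counter = Counter()
    for e in entries:
        if e.get("type") == "response" and DENIED in e.get("error", ""):
            hits[e.get("request", {}).get("remote_address", "?")] += 1
    return hits


def successful_reads(entries: List[dict], prefix: str) -> Dict[str, List[str]]:
    """Map each path under `prefix` to the identities that read it successfully."""
    readers: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        req = e.get("request", {})
        if (e.get("type") == "response" and not e.get("error")
                and req.get("operation") == "read"
                and req.get("path", "").startswith(prefix)):
            readers[req["path"]].append(e.get("auth", {}).get("display_name", "?"))
    return dict(readers)


def noisy_sources(entries: List[dict], threshold: int = 3) -> List[str]:
    """Addresses with at least `threshold` denials: candidates for a closer look."""
    return sorted(a for a, n in denied_by_source(entries).items() if n >= threshold)


if __name__ == "__main__":
    entries, bad = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("entries:", len(entries), "malformed:", bad)
    print("denied by source:", dict(denied_by_source(entries)))
    print("who read secrets:", successful_reads(entries, "secret/"))
    print("noisy sources:", noisy_sources(entries))
```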
• 14. Vault SSH OTP Usage
● Mount ssh on Vault:
$ vault mount ssh
● Write an SSH role with user and CIDR:
$ vault write ssh/roles/otp_key_role key_type=otp default_user=ramit cidr_list=192.168.x.x/y
● Configure the sshd daemon in PAM:
$ vim /etc/pam.d/sshd
• 15. Vault SSH OTP Usage
● Edit/add the following lines in the sshd PAM file:
@include common-auth
auth requisite pam_exec.so quiet expose_authtok log=/tmp/vault-ssh.log /opt/vault-ssh-helper -config=/opt/config.hcl -dev
auth optional pam_unix.so not_set_pass use_first_pass nodelay
● Edit /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
● Restart ssh:
$ sudo service sshd restart
● Request an OTP credential for the target host:
$ vault write ssh/creds/otp_key_role ip=192.168.x.x
● Try using ssh with the OTP from the above output:
$ ssh root@192.168.x.x
• 16. Vault Database
● Mount the database backend:
$ vault mount database
● Configure the MySQL connection:
$ vault write database/config/mysql plugin_name=mysql-database-plugin connection_url="root:<YOUR-DB_PASSWORD>@tcp(127.0.0.1:3306)/" allowed_roles="readonly"
● Add a role:
$ vault write database/roles/readonly db_name=mysql creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}'; GRANT SELECT ON *.* TO '{{name}}'@'%';" default_ttl="1h" max_ttl="24h"
● Read the credentials (the creds path sits under the mount configured above):
$ vault read database/creds/readonly
● Available database plugins:
● mysql-database-plugin
● mysql-aurora-database-plugin
● mysql-rds-database-plugin
● mysql-legacy-database-plugin
● postgresql-database-plugin
● mssql-database-plugin
● cassandra-database-plugin
● vault-plugin-database-oracle
● hana-database-plugin
● mongodb-database-plugin
• 17. Vault Database
● From the output of the above command, use:
$ sudo mysql -u v-root-readonly-wp7sx5737ry347x1 -pA1a-7q7yxq902pwtyu89
• 18. Vault General Token Operations
● Generate a token:
$ vault token-create
● Authenticate to Vault with a token:
$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51
● Revoke a token:
$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5
• 19. Vault UI
● Built using external projects by the community.
● Can be run via Docker:
$ sudo docker run -d -p 8000:8000 --name vault-ui djenriquez/vault-ui
• 20. Vault Policies
● List all policies on Vault:
$ vault policies
● Apply the policy file acl.hcl to Vault under the name "secret":
$ vault policy-write secret acl.hcl
● Validate that the policy is in place:
$ vault policies
● Delete a policy in Vault:
$ vault policy-delete secret
● Create a new token using a particular policy:
$ vault token-create -policy="secret"
● Example acl.hcl:
path "sys" {
  policy = "deny"
}
path "secret" {
  policy = "write"
}
path "secret/foo" {
  policy = "read"
}
• 21. Vault Telemetry
● The Vault agent collects various runtime metrics about the performance of different libraries and subsystems.
● These metrics are aggregated on a 10 second interval and are retained for 1 minute.
● Log entries are prefixed with the metric type as follows:
[C] is a counter
[G] is a gauge
[S] is a summary
● For more info: https://www.vaultproject.io/docs/internals/telemetry.html
• 22. Vault Transit Encryption
● It handles cryptographic functions on data in transit.
● It encrypts data from applications while still storing that encrypted data in some primary data store.
● It can also sign and verify data; generate hashes and HMACs of data; and act as a source of random bytes.
● It allows the same key to be used for multiple purposes by deriving a new key based on a user-supplied context value.
● Mount transit on Vault:
$ vault mount transit
● Create a named encryption key:
$ vault write -f transit/keys/foo
● Validate the key foo:
$ vault read transit/keys/foo
• 23. Vault Transit Decryption
● Encrypt the plaintext "the quick brown fox" (transit expects base64-encoded input):
$ echo -n "the quick brown fox" | base64 | vault write transit/encrypt/foo plaintext=-
● Decrypt:
$ vault write transit/decrypt/foo ciphertext=vault:v1:czEwyKqGZY/limnuzDCUUe5AK0tbBObWqeZgFqxCuIqq7A84SeiOq3sKD0Y/KUvv
● Decode the returned base64 plaintext:
$ echo "dGhlIHF1aWNrIGJyb3duIGZveAo=" | base64 -d
• 24. Vault Token
● Generate a token:
$ vault token-create
● Authenticate to Vault with a token:
$ vault auth 8c40f7b4-1380-8a33-8d3b-5efd2dddfe51
● Revoke a token:
$ vault token-revoke fe118e23-6957-fb4e-ab36-8655244851e5
• 25. Vault Plugins
Vault supports a number of different plugins such as:
● AppRole
● AWS
● Google Cloud
● Kubernetes
● GitHub
● LDAP
● MFA
● Okta
● RADIUS
● TLS Certificates
● Tokens
● Username & Password
• 26. GitHub Authentication
● Enable GitHub auth on Vault:
$ vault auth-enable github
● Write the GitHub configuration:
$ vault write auth/github/config
● Map the default team to the root policy:
$ vault write auth/github/map/teams/default value=root
● Revoke all GitHub tokens:
$ vault token-revoke -mode=path auth/github
● Disable GitHub auth on Vault:
$ vault auth-disable github
• 27. AWS Dynamic Authentication
● Mount AWS on Vault:
$ vault mount aws
● Write the AWS root credentials:
$ vault write aws/config/root access_key=ABCDE1234 secret_key=1234ABCDE
● Create a role using an IAM policy in JSON format (policy.json):
$ vault write aws/roles/deploy policy=@policy.json
● Read and verify the AWS credentials from Vault:
$ vault read aws/creds/deploy
● Revoke the credentials using the lease_id from the output above:
$ vault revoke aws/creds/deploy/185e6910-6d36-e9a6-33b3-fc8dcfd4e97c
● Example policy.json:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [ "ec2:*" ],
      "Resource": [ "*" ]
    }
  ]
}
• 28. Vault Storage Backend
● Example vault-config.hcl with a TLS listener and an S3 storage backend:
$ vim vault-config.hcl
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "/home/ec2-user/.ssl/server.crt"
  tls_key_file = "/home/ec2-user/.ssl/server.key"
}
backend "s3" {
  bucket = "foldername"
  access_key = "xxxxxxxxxxxx"
  secret_key = "xxxxxxxxxxxxxxxxxxxxxxx"
}
disable_mlock = true
● Supported storage backends:
● S3
● DynamoDB
● Azure
● CouchDB
● CockroachDB
● Etcd
● Google Cloud
● Swift
● Zookeeper
● MySQL
● FileSystem
● PostgreSQL
• 29. Supervisor
● Install supervisor:
$ sudo apt-get install supervisor -y
● Config file:
$ vim /etc/supervisor/supervisord.conf
● Edit supervisord.conf:
- under `[unix_http_server]`, change `;chmod=0700` to `chmod=0766`
- add a `[program:vault]` section containing:
  `command=vault server -config=/home/ec2-user/vault-config.hcl`
  `user=ec2-user`
  `environment=AWS_ACCESS_KEY_ID="<your_access_key_id>",AWS_SECRET_ACCESS_KEY="<your_secret_access_key>"`
● Create the init script:
$ sudo touch /etc/init.d/supervisord
• 30. Supervisor
● Add supervisord with chkconfig:
$ sudo chkconfig --add supervisord
● Start the service with supervisord:
$ sudo service supervisord start
$ supervisorctl
● For more info on supervisor: https://serversforhackers.com/c/monitoring-processes-with-supervisord
• 31. Generating a Self Signed Certificate
● SSL uses asymmetric cryptography, commonly referred to as public key cryptography, on which PKI is built.
● With public key cryptography, two keys are created, one public, one private. Anything encrypted with either key can only be decrypted with its corresponding key.
● Thus if a message or data stream were encrypted with the server's private key, it can be decrypted only using its corresponding public key, ensuring that the data could only have come from the server.
● The OpenSSL toolkit is used to generate an RSA private key and a CSR (Certificate Signing Request). It can also be used to generate self-signed certificates, which can be used for testing purposes or internal usage.
● Make a directory:
$ mkdir .ssl && cd .ssl
● Generate a 1024-bit private key, encrypted with a passphrase:
$ openssl genrsa -des3 -out server.key 1024
● Generate a CSR (Certificate Signing Request):
$ openssl req -new -key server.key -out server.csr
• 32. Generating a Self Signed Certificate (Part 2)
● Remove the passphrase from the key:
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key
● Generate a self-signed certificate:
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
● Remove the old key file and return to the home directory:
$ rm server.key.org && cd
• 33. Community Facts
Find more at https://github.com/hashicorp/vault/
Contributors: 384+
Commits: 6K+
Releases: 46