Adopting HashiCorp Vault
5 likes765 views
The document outlines best practices for deploying and adopting HashiCorp Vault, focusing on secure secret management and operational efficiency. It covers essential concepts such as centralized capability, scaling solutions, and the importance of proper documentation. Additionally, it highlights the operational roles, infrastructure as code use cases, and strategies for maintaining Vault's functionality over time.
![Transit Key
Officers
Copyright © 2018 HashiCorp ⁄⁄ !19
## Crypto officers
# Create key material, non deletable, non exportable in unencrypted
fashion, only aes-256 or rsa-4096
path "/transit/keys" {
capabilities = ["create", "update"]
allowed_parameters = {
"allow_plaintext_backup" = ["false"]
"type" = ["aes256-gcm96", "rsa-4096"]
"convergent_encryption" = []
"derived" = []
}
}
# List keys
path "/transit/keys" {
capabilities = ["list"]
}
# Rotate Key
path “/transit/keys/foo/rotate" {
capabilities = ["create"]
}](https://image.slidesharecdn.com/adoptingvault-190207110808/85/Adopting-HashiCorp-Vault-19-320.jpg)
![Transit
Consumers
Copyright © 2018 HashiCorp ⁄⁄ !20
## Consumers
# Encrypt information
path "/transit/encrypt/keyname" {
capabilities = ["create"]
}
# Decrypt information
path "/transit/decrypt/keyname" {
capabilities = ["create"]
}
# Rewrap information
path "/transit/rewrap/keyname" {
capabilities = ["create"]
}](https://image.slidesharecdn.com/adoptingvault-190207110808/85/Adopting-HashiCorp-Vault-20-320.jpg)
Adopting HashiCorp Vault
- 1. Copyright © 2018 HashiCorp Adopting HashiCorp Vault Deployment, adoption and beyond. Version: 1119.18
- 2. Nicolas Corrarello Regional Director, Solutions Engineering Whoami Copyright © 2018 HashiCorp ⁄⁄ Vault open source contributor 2+ years in HashiCorp Can’t honestly remember when I started using HashiCorp tools !2 Helped operationalise a number of large deployments ncorrare nicolas@hashicorp.com
- 3. Large scale Vault deployments Centralised capability, consumed by many groups What are we talking about? Copyright © 2018 HashiCorp ⁄⁄ 1 2 !3 No wire-boarding required Local and multi-geo scaling solutions 3 Fully supported and up to best practice 4 No friction 5 Vault as a capability, not a tool Masking a problem vs addressing it 6 Pragmatic vs. Dogmatic Sanely running open source vs letting HashiCorp solve the problem for you 7 Properly document and HashiCorp sanctioned Yay! Documentation!
- 4. Copyright © 2018 HashiCorp ⁄ Day 0: Vault what?? !4
- 5. secret /ˈsiːkrɪt/ Copyright © 2018 HashiCorp ⁄ !5 adjective not known or seen or not meant to be known or seen by others."how did you guess I'd got a secret plan?" synonyms: 1.confidential, strictly confidential, top secret, classified, restricted, unrevealed, undisclosed, unpublished, untold, unk nown, uncommunicated, behind someone's back, under wraps, unofficial, off the record, not for publication/circulation, not to be made public, not to be disclosed; More noun something that is kept or meant to be kept unknown or unseen by others."a state secret" synonyms: 1.confidential matter, confidence, private affair, skeleton in the cupboard, ”he just can't keep a secret” origin late Middle English: from Old French, from Latin secretus (adjective) ‘separate, set apart’, from the verb secernere, from se- ‘apart’ + cernere ‘sift’. / DAY ZERO
- 6. Keeping secrets Copyright © 2018 HashiCorp ⁄ !6 API Audit Static Secrets Dynamic Secrets EaaS LDAP / AD GitHub Okta MFA / Radius AWS / Azure / GCP Kubernetes TLS JWT AppRole Identity “What kind of secret can I access?” “To do what?” Policy & Governance “Under what conditions?” MySQL / PostgreSQL Oracle / MSSQL / SAP Hana Cassandra / MongoDB Cloud (AWS / GCP / Azure) SSH / AD PKI Encrypt / Decrypt Sign / Verify HMAC / Hash Entropy / DAY ZERO
- 7. Vault Cryptographic Model So what encrypts what now? Copyright © 2018 HashiCorp ⁄ !7/ DAY ZERO Transport - TLS 1.2 or higher Storage - AES 256 B A R R I E R Storage Key Master Key Seal
- 8. Single Site HA Deployment Copyright © 2018 HashiCorp ⁄⁄ USE CASE: INFRASTRUCTURE AS CODE !8
- 9. Multi-Site HA Deployment Copyright © 2018 HashiCorp ⁄⁄ USE CASE: INFRASTRUCTURE AS CODE !9
- 10. Copyright © 2018 HashiCorp ⁄ Day One: Let’s get it running !10
- 11. Immutable is preferred More secure, less prone to having someone SSH into the system and poke memory Installing Vault Copyright © 2018 HashiCorp ⁄⁄ 1 2 !11 Configuration management helps Roles / modules / cookbooks available in your nearest registry 3 SELinux is not just for disabling 4 Vault is released quarterly, with minor releases monthly 5 Consul can help with Load Balancing Patterns available in our deployment guide 6 Telemetry & Audit Bring your ELK 7 Backup / Restore
- 12. Individual node failure In case of an individual node failure, or up to two node failures, the solution will continue to run without operator intervention.Recovery Scenarios Copyright © 2018 HashiCorp ⁄⁄ 1 2 !12 Cluster Failure If the Vault cluster fails, it can be reprovisioned using the same Storage Backend configuration. 3 Consul node failure In case of an individual node failure, or up to two node failures, the solution will continue to run without operator intervention. 4 Consul quorum loss If the Consul cluster were to lose quorum, there are alternatives to regain service availability, although the recommended approach from an RTO/RPO perspective is to fail over to a DR Cluster or promote a Performance Replica. 5 Seal key failure If the Seal Key was to be deleted or unavailable, the only supported scenario is failing over to a DR Cluster or Performance Replica. 6
- 13. Initialization Ceremony Copyright © 2018 HashiCorp ⁄⁄ !13
- 14. Operator The team or individuals charged with keeping Vault running. Traditionally the team that either works with Cloud account provisioning, SREs or Infrastructure team. Organisational roles Who does who? Copyright © 2018 HashiCorp ⁄⁄ USE CASE: INFRASTRUCTURE AS CODE 1 Consumer Anyone that needs a secret! 2 Infosec / Crypto Key handling, rotation. Review architecture and policies. 3 Audit Review logs and metrics 4 !14
- 15. Copyright © 2018 HashiCorp ⁄ Day Two: Operationalise and consume !15
- 16. Namespaces Copyright © 2018 HashiCorp ⁄⁄ !16 Not always the preferred choice Organisational maturity has weigh ins 1 2 Most friction-less approach From Vault silos to centralised capability
- 17. Secure introduction What do you trust? Copyright © 2018 HashiCorp ⁄⁄ USE CASE: INFRASTRUCTURE AS CODE !17 AUTHENTICATE IDENTITY Against Trusted Identity Providers Authentication Identity-Based Access/Backends Client Secrets Secrets Management/Backends
- 18. API Direct call to Vault Consuming secrets Copyright © 2018 HashiCorp ⁄⁄ USE CASE: INFRASTRUCTURE AS CODE 1 Templating Rendering secrets on configuration files 2 Environment Variables3 3rd Party Pass Through Use response wrapping! 4 !18
- 19. Transit Key Officers Copyright © 2018 HashiCorp ⁄⁄ !19 ## Crypto officers # Create key material, non deletable, non exportable in unencrypted fashion, only aes-256 or rsa-4096 path "/transit/keys" { capabilities = ["create", "update"] allowed_parameters = { "allow_plaintext_backup" = ["false"] "type" = ["aes256-gcm96", "rsa-4096"] "convergent_encryption" = [] "derived" = [] } } # List keys path "/transit/keys" { capabilities = ["list"] } # Rotate Key path “/transit/keys/foo/rotate" { capabilities = ["create"] }
- 20. Transit Consumers Copyright © 2018 HashiCorp ⁄⁄ !20 ## Consumers # Encrypt information path "/transit/encrypt/keyname" { capabilities = ["create"] } # Decrypt information path "/transit/decrypt/keyname" { capabilities = ["create"] } # Rewrap information path "/transit/rewrap/keyname" { capabilities = ["create"] }
- 21. Copyright © 2018 HashiCorp ⁄ Day N: Keep it running !21
- 22. Storage Key rotation Copyright © 2018 HashiCorp ⁄⁄ !22 $ vault operator rotate Key Term 3 Install Time 01 May 17 10:30 UTC
- 23. Master Key rotation Copyright © 2018 HashiCorp ⁄⁄ !23
- 24. DR Promotion Copyright © 2018 HashiCorp ⁄⁄ !24
- 25. Copyright © 2018 HashiCorp ⁄ Vault Adoption !25
- 26. The Whitepaper Copyright © 2018 HashiCorp ⁄⁄ !26 Two years of best practice in Vault deployment Reviewed by Engineering, Solutions Engineering, and Enterprise Architecture Available today on the HashiCorp website