Managing your Secrets in a
Cloud Environment
Taswar Bhatti
System/Solutions Architect at Gemalto (Canada)
Microsoft MVP
Is your personal data important?
Who am I
• Taswar Bhatti – Microsoft MVP since 2014
• Global Solutions Architect/System Architect at Gemalto
• In Software Industry since 2000
• I know Kung Fu (Languages)
Good old days robbery
Today’s Robbery
Data breach……
Consequences
System with no Trust
Salesman
Data breach??
Delivery
Agenda
• Intro
• What are we trying to solve with KeyVault?
• What is Azure Key Vault
• Using Azure Key Vault with your application
• Managed Service Identity
• Demo
• HashiCorp Vault
• Best practices
• Questions
So what are secrets?
• A secret grants you AuthN (authentication) or AuthZ (authorization) to a system
• Examples
• Username & Passwords
• Database credentials
• API Token
• TLS Certs
Typical Application
Storing Configuration in file
Multiple application
Secret Sprawl
• Secrets end up in
• Source Code
• Version Control Systems (Github, Gitlab, Bitbucket etc)
• Configuration Management (Chef, Puppet, Ansible etc)
Problems
• Configuration becomes part of deployment
• Multiple applications share the same configuration
• Hard to have access control over the configuration
Issues
• How do we know who has access to those secrets
• When was the last time they accessed it?
• What if we want to change/rotate the secrets
Desired properties of secrets
• Encrypted at rest and in transit
• Only decrypted in memory
• Access control
• Rotation & Revocation
What is Azure Key Vault?
• Secrets Management - Azure Key Vault can be used to Securely store and
tightly control access to tokens, passwords, certificates, API keys, and other
secrets.
• Key Management - Azure Key Vault can also be used as a Key Management
solution. Azure Key Vault makes it easy to create and control the
encryption keys used to encrypt your data.
• Certificate Management - Azure Key Vault is also a service that lets you
easily provision, manage, and deploy public and private Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates for use with Azure and
your internal connected resources.
• Store secrets backed by Hardware Security Modules - The secrets and keys can be
protected either by software or by FIPS 140-2 Level 2 validated HSMs.
Gemalto Luna HSM (New)
PKCS11 Interop
• Managed .NET wrapper for unmanaged PKCS#11 libraries
• https://pkcs11interop.net/
Typical Application
• In web.config
<connectionStrings>
  <add name="SqlDataConnection"
       connectionString="data source=whatever.windows.net;initial catalog=MyDb;persist security info=True;user id=sa;password=P@$$w0rd;MultipleActiveResultSets=True;" />
</connectionStrings>
With Key Vault
Azure Key Vault
• Register your app with Azure Active Directory
• Associate a credential with that registration, and use the credential to get a token
• Retrieve your secrets from Key Vault with that token
• PROBLEM SOLVED
Adding it back to web.config
• <add key="ClientId" value="clientid" />
• <add key="ClientSecret" value="clientsecret" />
• <!-- SecretUri is the URI for the secret in Azure Key Vault -->
• <add key="SecretUri" value="secreturi" />
Code that looks like this
ClientCredential clientCred = new ClientCredential(
WebConfigurationManager.AppSettings["ClientId"],
WebConfigurationManager.AppSettings["ClientSecret"]);
But????
• Confused??
• Isn’t that still in web.config?
Security doesn’t have to be like this
Managed Service Identity (MSI)
• MSI gives your code an automatically managed identity for
authenticating to Azure services, so that you can keep credentials out
of your code
• You create an identity for your application in Azure Active Directory
using Managed Service Identity
Benefits
• No credentials to manage in order to authenticate to Azure Key Vault
• No client id and client secret in code or config
• Easier to configure than an app registration with its own credential
• You can authenticate to any service that supports Azure AD
authentication
Demo
HSBC Hong Kong PayMe Hack
HashiCorp Vault
• Centralized Secret Management
• Encrypted at rest and transit
• Lease and Renewal
• ACL
• Audit Trail
• Multiple client auth methods (LDAP, GitHub, AppRole)
• Dynamic Secrets
• Encryption as a Service
Secure Secrets
• AES 256 with GCM encryption
• TLS 1.2 for clients
• No HSM is required
• One could also integrate with Azure Key Vault
Unsealing the Vault
• Vault needs its encryption key before it can read or write any data; that key is protected by a master key
• Shamir's Secret Sharing
• The master key is split into multiple key shares; a threshold of them is needed to reconstruct it
Shamir Secret Sharing
Unseal
• Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC
• Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE
• Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
• Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815
Vault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.
Vault does not store the master key. Without at least 3 keys, your Vault will remain permanently sealed.
How to unseal (any 3 of the 5 shares, in any order; newer Vault releases spell this command vault operator unseal)
• vault unseal -address=${VAULT_ADDR}
QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• vault unseal -address=${VAULT_ADDR}
bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• vault unseal -address=${VAULT_ADDR}
Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
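The split-and-threshold behaviour shown in the init output above, as an added example that is not Vault's code: the master key becomes f(0) of a random polynomial of degree threshold-1, each unseal key is one point on it, and any threshold points recover f(0) by Lagrange interpolation. Assumption: Vault does this byte-wise over GF(2^8); this illustration uses the prime field GF(2^521 - 1) instead so a whole 32-byte key is one integer, and the master key is a constructed random value.

```python
"""Shamir secret sharing as used for Vault unseal keys (added example, not Vault's code).
Assumption: prime field GF(2^521 - 1) instead of Vault's byte-wise GF(2^8)."""
import secrets

PRIME = (1 << 521) - 1  # Mersenne prime, large enough to hold a 256-bit key


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coeffs[0] is the constant term) mod PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_secret(secret: int, shares: int, threshold: int):
    """Return `shares` points (x, f(x)); any `threshold` of them reconstruct `secret`."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be an integer in [0, PRIME)")
    # f(0) = secret; the other coefficients are uniformly random, so any
    # threshold-1 shares reveal nothing about f(0).
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Fermat inverse: den^(PRIME-2) is den^-1 mod PRIME
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def demo_unseal(master_key: bytes = None, shares: int = 5, threshold: int = 3) -> bool:
    """Mirror the slide: 5 shares, threshold 3. True when any 3 shares recover
    the key and threshold-1 shares do not."""
    if threshold < 2:
        raise ValueError("demo needs threshold >= 2")
    if master_key is None:
        master_key = secrets.token_bytes(32)          # constructed stand-in master key
    secret = int.from_bytes(master_key, "big")
    points = split_secret(secret, shares, threshold)
    first = combine_shares(points[:threshold])        # e.g. unseal keys 1, 2, 3
    last = combine_shares(points[-threshold:])        # e.g. unseal keys 3, 4, 5
    too_few = combine_shares(points[:threshold - 1])  # below threshold: a random line through 2 points
    recovered = first.to_bytes(len(master_key), "big")
    return recovered == master_key and last == secret and too_few != secret
```

Note what the threshold buys you operationally: losing two shares of five is survivable, but an attacker who collects any three has the master key, so each share should go to a different person and never sit together in one file, ticket or chat log as the slide above does for demo purposes.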
Writing Secrets
• vault write -address=${VAULT_ADDR} secret/hello value=world
• vault read -address=${VAULT_ADDR} secret/hello
Key                 Value
---                 -----
refresh_interval    768h0m0s
value               world
Policy on secrets
• An application's role (for example an AppRole) is then bound to this policy
path "secret/web/*" {
policy = "read"
}
• vault policy write -address=${VAULT_ADDR}
web-policy ${DIR}/web-policy.hcl
Reading secrets based on policy
• vault read -address=${VAULT_ADDR} secret/web/web-apps
• vault read -address=${VAULT_ADDR} secret/hello
• Error reading secret/hello: Error making API request.
• URL: GET http://127.0.0.1:8200/v1/secret/hello
• Code: 403. Errors:
• * permission denied
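Why the first read above succeeds and the second returns 403, as an added example (not Vault's code) that models how a policy is matched against a request path. Assumptions: only the policy subset on the slide is parsed (path blocks with policy = "..." or capabilities = [...]); matching follows the documented rule of exact path first, then the longest glob prefix, with "deny" winning and capabilities from several policies unioned per path; Vault's + segment wildcard and the full HCL grammar are not modelled. The second policy, DENY_PROD_POLICY, is constructed for the example.

```python
"""Simplified model of Vault ACL policy evaluation (added example, not Vault's code)."""
import re

# Legacy `policy = "..."` keywords expand to these capability sets.
LEGACY_POLICY = {
    "deny": {"deny"},
    "read": {"read", "list"},
    "write": {"create", "read", "update", "delete", "list"},
    "sudo": {"create", "read", "update", "delete", "list", "sudo"},
}

PATH_BLOCK = re.compile(r'path\s+"(?P<path>[^"]+)"\s*\{(?P<body>[^}]*)\}')
POLICY_KW = re.compile(r'policy\s*=\s*"(\w+)"')
CAPS_LIST = re.compile(r'capabilities\s*=\s*\[([^\]]*)\]')


def parse_policy(hcl: str) -> dict:
    """Return {path: set_of_capabilities} for the supported subset of policy HCL."""
    rules = {}
    for block in PATH_BLOCK.finditer(hcl):
        caps = set()
        kw = POLICY_KW.search(block.group("body"))
        if kw:
            caps |= LEGACY_POLICY[kw.group(1)]
        lst = CAPS_LIST.search(block.group("body"))
        if lst:
            caps |= {c.strip().strip('"') for c in lst.group(1).split(",") if c.strip()}
        path = block.group("path")
        rules[path] = rules.get(path, set()) | caps
    return rules


def merge_policies(*rule_sets):
    """A token carries several policies; capabilities for the same path are unioned."""
    merged = {}
    for rules in rule_sets:
        for path, caps in rules.items():
            merged[path] = merged.get(path, set()) | caps
    return merged


def matching_capabilities(rules, request_path):
    """Exact path beats any glob; among globs the longest matching prefix wins."""
    if request_path in rules:
        return rules[request_path]
    best_prefix, best_caps = None, None
    for path, caps in rules.items():
        if path.endswith("*"):
            prefix = path[:-1]
            if request_path.startswith(prefix) and (best_prefix is None or len(prefix) > len(best_prefix)):
                best_prefix, best_caps = prefix, caps
    return best_caps


def is_allowed(rules, request_path, capability) -> bool:
    """Default deny: no matching rule, or an explicit deny, refuses the request."""
    caps = matching_capabilities(rules, request_path)
    if caps is None or "deny" in caps:
        return False
    return capability in caps


# The slide's web-policy.hcl, plus a constructed second policy that carves an
# exact-path deny out of the glob.
WEB_POLICY = '''
path "secret/web/*" {
  policy = "read"
}
'''
DENY_PROD_POLICY = '''
path "secret/web/prod" {
  capabilities = ["deny"]
}
'''


def demo() -> dict:
    rules = merge_policies(parse_policy(WEB_POLICY), parse_policy(DENY_PROD_POLICY))
    return {
        "secret/web/web-apps read": is_allowed(rules, "secret/web/web-apps", "read"),
        "secret/web/web-apps update": is_allowed(rules, "secret/web/web-apps", "update"),
        "secret/hello read": is_allowed(rules, "secret/hello", "read"),       # the 403 on the slide
        "secret/web/prod read": is_allowed(rules, "secret/web/prod", "read"),  # exact deny beats glob
    }
```

The practical takeaway is the default-deny behaviour: a token with only web-policy has no rule that reaches secret/hello, so Vault answers 403 without consulting the secret at all, and the legacy policy = "read" keyword silently grants list as well as read.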
Docker and Secrets
• Docker has no good built-in secrets integration
• If you pass secrets as environment variables, they show up in docker inspect (and in the environment of every process the container runs)
Mount Temp File System into App
• docker run -v /hostsecrets:/secrets … (a --tmpfs mount keeps the secret off the host disk)
• Mitigates reading secrets from the environment
• Store a Vault wrap token in that file system and let the app exchange it for the real secrets
• Give the wrap token a short TTL
Wrap Token for App Secrets
• Time-limited, single-use token
• Used to unwrap the wrapped secret
• vault read -wrap-ttl=60s -address=http://127.0.0.1:8200
secret/weatherapp/config
• Key Value
• --- -----
• wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7
• wrapping_token_ttl: 1m0s
• wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC
• wrapping_token_creation_path: secret/weatherapp/config
Kubernetes with Vault
• The app reads its service account JWT (mounted into the pod by Kubernetes)
• The app sends the JWT and a role name to Vault's Kubernetes auth method
• Vault validates the JWT
• by sending it to the Kubernetes TokenReview API
• Vault returns a Vault token for the app, carrying the policies bound to that role
Token Reviewer in K8s
Best Practices or Patterns
• Cache Aside Encryption Key
• Tag version of encryption
Cache Aside Encryption Key
• Use Key Vault to encrypt (wrap) a locally generated AES key
• Encrypt your data with that AES key instead of going back to Key Vault for
every operation
• Cuts Key Vault round trips, latency and cost
Tag Version of Encryption Level
• Each row of your database is tagged with the version of the key (or encryption scheme) it was encrypted with
• When you rotate keys or change the encryption scheme, new and updated rows are
written under the new version, so the data migrates gradually
New and Updated Data
Advantages
• You do not have to go through all the records to re-encrypt them at once
• All data eventually ends up under the new encryption
• Avoids the risk of a big-bang update of every record
• Keep the old key versions available until the last row tagged with them has been rewritten
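The two patterns above, cache-aside DEK and per-row version tag, in one runnable example. It is added here and is not the author's code. Assumptions: Azure Key Vault's wrapKey/unwrapKey is replaced by an in-memory stub holding versioned KEKs, and AES-256-GCM by a stdlib HMAC-SHA256 encrypt-then-MAC stand-in so the file runs offline; the 100 "card" rows are constructed sample data. In production use Key Vault and a real AEAD.

```python
"""Envelope encryption with a cached DEK and per-row key-version tags
(added example; Key Vault and AES-GCM are stood in by local code)."""
import hashlib
import hmac
import os
import secrets


def _derive(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def aead_seal(key: bytes, plaintext: bytes, aad: bytes) -> bytes:
    """Stand-in AEAD: HMAC keystream in counter mode, then HMAC over aad|nonce|ct."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def aead_open(key: bytes, blob: bytes, aad: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext or AAD tampered with")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyVaultStub:
    """Stands in for a Key Vault key with versions: wrap/unwrap a DEK, count round trips."""
    def __init__(self):
        self._keks, self.current, self.calls = {}, None, 0
        self.rotate()

    def rotate(self) -> str:
        self.current = f"v{len(self._keks) + 1}"
        self._keks[self.current] = secrets.token_bytes(32)
        return self.current

    def wrap(self, dek: bytes):
        self.calls += 1
        return self.current, aead_seal(self._keks[self.current], dek, self.current.encode())

    def unwrap(self, version: str, wrapped: bytes) -> bytes:
        self.calls += 1
        return aead_open(self._keks[version], wrapped, version.encode())


class EnvelopeStore:
    """Rows hold {kek_version, wrapped_dek, blob}; DEKs are unwrapped once and cached."""
    def __init__(self, vault: KeyVaultStub):
        self.vault, self.rows, self._dek_cache, self._current = vault, {}, {}, None

    def _current_dek(self):
        # Cache-aside: generate and wrap a fresh DEK only when the KEK version changed.
        if self._current is None or self._current[0] != self.vault.current:
            dek = secrets.token_bytes(32)
            version, wrapped = self.vault.wrap(dek)
            self._dek_cache[wrapped] = dek
            self._current = (version, wrapped)
        version, wrapped = self._current
        return version, wrapped, self._dek_cache[wrapped]

    def write(self, row_id: str, plaintext: bytes) -> None:
        # Every insert or update is encrypted under the current version: lazy migration.
        version, wrapped, dek = self._current_dek()
        self.rows[row_id] = {"kek_version": version, "wrapped_dek": wrapped,
                             "blob": aead_seal(dek, plaintext, row_id.encode())}

    def read(self, row_id: str) -> bytes:
        row = self.rows[row_id]
        dek = self._dek_cache.get(row["wrapped_dek"])
        if dek is None:  # old envelope not seen since restart: one unwrap, then cached
            dek = self.vault.unwrap(row["kek_version"], row["wrapped_dek"])
            self._dek_cache[row["wrapped_dek"]] = dek
        return aead_open(dek, row["blob"], row_id.encode())

    def stale_rows(self):
        """Rows still tagged with an older KEK version, i.e. not yet migrated."""
        return sorted(r for r, row in self.rows.items() if row["kek_version"] != self.vault.current)


def demo() -> dict:
    vault = KeyVaultStub()
    store = EnvelopeStore(vault)
    for i in range(100):                                  # constructed sample rows
        store.write(f"row{i}", f"card-{i:04d}".encode())
    calls_after_writes = vault.calls                      # 1 wrap serves all 100 rows
    vault.rotate()                                        # new KEK version, nothing rewritten
    store.write("row7", b"card-0007-updated")             # only the touched row moves to v2
    return {"calls_after_writes": calls_after_writes,
            "stale": len(store.stale_rows()),
            "versions": (store.rows["row0"]["kek_version"], store.rows["row7"]["kek_version"]),
            "row0": store.read("row0"), "row7": store.read("row7")}
```

The row id is bound into the AEAD as associated data, so an envelope copied from one row to another fails to open; stale_rows() is the query a background job would use to finish the migration, and the old KEK version must stay unwrappable until it returns an empty list.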
Questions?
• taswar@gmail.com
• @taswarbhatti
• http://taswar.zeytinsoft.com
Credits
• For the background
• www.Vecteezy.com

Editor's Notes

  • #40: US$12,770 users had an option to change their phone numbers while logging in, which would enable them to bypass entering a pin and instead use their email address. When PayMe was prompted to allow a phone number change, a link was then emailed to users, which opened a channel that would also allow a password change.