Manage Distributed Configuration and Secrets with Spring Cloud and Vault (Spring I/O 2017)

Andreas Falk, Friday 19th May, 2017


ANDREAS FALK
http://www.novatec-gmbh.de
[email protected]
@NT_AQE, @andifalk

AGENDA


A6: SENSITIVE DATA EXPOSURE

https://github.com/OWASP/Top10


TYPICAL SENSITIVE DATA

PASSWORDS
DATABASE CREDENTIALS
OAUTH2 CLIENT SECRETS
ENCRYPTION KEYS
SENSITIVE USER DATA
CREDIT CARD NUMBERS

APPLICATION PROPERTIES
DATABASE ACCESS CREDENTIALS

spring.datasource.url=jdbc:postgresql://localhost/test
spring.datasource.username=root
spring.datasource.password=mysupersecretpassword

A plain-text password in application.properties is committed to source control, copied to every developer machine and shipped inside the deployable artifact; this is the exposure the rest of the talk addresses.

SPRING CLOUD CONFIG

https://cloud.spring.io/spring-cloud-config

SPRING CLOUD CONFIG

Externalized configuration in a distributed system
HTTP, resource-based API
Supports property file and YAML formats
Encrypt and decrypt property values

https://cloud.spring.io/spring-cloud-config

GRADLE DEPENDENCIES

ext { springCloudVersion = 'Dalston.RELEASE' }

dependencies {
    compile('org.springframework.cloud:spring-cloud-config-server')
}

dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}

SPRING CLOUD CONFIG SERVER
JUST ONE ADDITIONAL ANNOTATION

import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

@EnableConfigServer
@SpringBootApplication
public class ConfigServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}

SPRING CLOUD CONFIG SERVER
CONFIGURATION

spring.cloud.config.server.git.uri=https://github.com/andifalk/cloud-config-repository
server.port=8888
security.basic.enabled=true
security.user.name=admin
security.user.password=secret

The same HTTP basic credentials protect the configuration endpoints and the /encrypt and /decrypt endpoints, so the server should only be reachable over TLS and the admin password itself must not live in the configuration repository it serves.

SPRING CLOUD CONFIG
ENCRYPTION AND DECRYPTION

https://cloud.spring.io/spring-cloud-static/Dalston.RELEASE/#_security

SPRING CLOUD CONFIG SERVER
SYMMETRIC KEY CONFIGURATION

encrypt.key=MyVerySecureEncryptionKey

One key both encrypts and decrypts, so whoever can read the config server's configuration or process environment can decrypt every property. Supply it via the ENCRYPT_KEY environment variable rather than a checked-in property file.

SPRING CLOUD CONFIG SERVER
ASYMMETRIC KEY CONFIGURATION

encrypt.key-store.location=classpath:configserver.jks
encrypt.key-store.alias=configserver
encrypt.key-store.password=secret
encrypt.key-store.secret=secret

key-store.password unlocks the keystore file, key-store.secret unlocks the private key under the given alias. With an RSA key pair only the config server needs the private key; anyone holding the public key can produce {cipher} values for the repository.

SPRING CLOUD CONFIG SERVER
ENCRYPTING DATA

$ curl -u admin:secret -d test http://localhost:8888/encrypt

AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=

SPRING CLOUD CONFIG SERVER
DECRYPTING DATA

$ curl localhost:8888/decrypt -u admin:secret -d AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=

test

SPRING CLOUD CONFIG SERVER
ENCRYPTED SENSITIVE PROPERTY VALUES

secretkey={cipher}AQBcFzU3gDVVdj0P2uX/60LzeFqQi8Bo2sCTOiiMSe+wYq4f0smM8HES0TKesr8Nms+EqgV5t9Rld7PGALjVUAAfHjAf6WS1yYz3K+NvXrgu8umjOyRDxfKBh5OH2jvYX+EiKv/JgwDeUg3TXnTnsheh3Mim0dSufkojbBlWxO8HsfW5z1qG9tLSlHnWvtcpIGLdRAUwfcKw+/1SViuYxwi/p9H+J/SOomr4hjjnCuaFITa0zfQc4XTLOrGxW64dhghDvCgu3BxMe0TRaBciUgkqka4zgBmzge0kw7r82b84GELmDGpjDp7HRUB+cVHqzZXuQzQB9vCjq1xI19e6ZQm62DkOxaqtafGxqw+VmyFl1+XYEs1k2lWkiUMVyJyiixI=

A value carrying the {cipher} prefix can be committed to the configuration repository in encrypted form; the config server decrypts it before serving it to clients, so the plain text exists only in the memory of the server and of the consuming application.

DEMO


VAULT

KEY MANAGEMENT
SECRET STORAGE
KEY REVOCATION
KEY ROLLING
AUDIT LOGS

https://www.vaultproject.io/

SECRET STORAGE

ENCRYPTION (AES CIPHER)
DYNAMIC SECRETS
ACCESS CONTROL POLICIES
LEASE TIME (AUTOMATIC REVOCATION)

AUDIT LOGS

NOT ACTIVE BY DEFAULT
SENSITIVE DATA HASHED (HMAC-SHA256)
TARGETS: FILE, SYSLOG, SOCKET

Audit log excerpt (the beginning of the entry is cut off on the slide):

,"path":"secret/hello","data":null,"remote_address":"127.0.0.1","wrap_ttl":0,"headers":{}},"response":{"secret":{"lease_id":""},"data":{"value":"hmac-sha256:213d0d2572fe27ffd0cd2d97cf009c2d02e97b5af3f81b9af41f593982ffae8c"}},"error":""}
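The hashed values in the excerpt above are what makes a Vault audit log safe to ship to a log platform and still useful in an investigation: you cannot read a secret out of the log, but if you hold the secret you can compute its hash and search for every request or response that carried it. The following is an added example, not code from the talk or from Vault itself. It reproduces the hash format (HMAC-SHA256 keyed with the audit device's salt, hex encoded, prefixed with hmac-sha256:) over a few constructed log entries trimmed to the fields that matter. The salt DEMO_SALT is made up for the example; a real audit device keeps its salt private, and the supported way to obtain a matching hash is Vault's /sys/audit-hash/:path endpoint.

```python
import hashlib
import hmac
import json

# Constructed salt for the example only. A real audit device derives its own
# salt and never exposes it; ask Vault (/sys/audit-hash/<device>) for hashes.
DEMO_SALT = b"demo-audit-device-salt"


def audit_hash(salt: bytes, value: str) -> str:
    """Vault-style audit hash of a sensitive value: HMAC-SHA256 keyed with the
    audit device's salt, hex encoded, with the 'hmac-sha256:' marker."""
    digest = hmac.new(salt, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "hmac-sha256:" + digest


def make_sample_log(salt: bytes) -> list:
    """Constructed audit entries in the shape of Vault's JSON log lines,
    reduced to the fields this example inspects. The secret 'world' is written
    to secret/mysecret and later read back; a different value sits elsewhere."""
    entries = [
        {"type": "request",
         "request": {"operation": "update", "path": "secret/mysecret",
                     "data": {"hello": audit_hash(salt, "world")}},
         "response": None},
        {"type": "response",
         "request": {"operation": "read", "path": "secret/mysecret", "data": None},
         "response": {"data": {"hello": audit_hash(salt, "world")}}},
        {"type": "response",
         "request": {"operation": "read", "path": "secret/other", "data": None},
         "response": {"data": {"value": audit_hash(salt, "something-else")}}},
    ]
    return [json.dumps(e) for e in entries]


def _string_leaves(node):
    """Yield every string nested anywhere under a decoded JSON value."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _string_leaves(v)
    elif isinstance(node, list):
        for v in node:
            yield from _string_leaves(v)
    elif isinstance(node, str):
        yield node


def find_secret_accesses(log_lines, salt: bytes, plaintext: str) -> list:
    """Return (entry type, operation, path) for every entry whose request or
    response payload contains the hash of `plaintext`. The plaintext itself is
    never present in the log, so hashing the candidate is the only way to
    correlate it; null payloads (data: null) are simply skipped."""
    target = audit_hash(salt, plaintext)
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        payload = {
            "request": (entry.get("request") or {}).get("data"),
            "response": (entry.get("response") or {}).get("data"),
        }
        if target in _string_leaves(payload):
            req = entry["request"]
            hits.append((entry["type"], req["operation"], req["path"]))
    return hits


if __name__ == "__main__":
    log = make_sample_log(DEMO_SALT)
    print(find_secret_accesses(log, DEMO_SALT, "world"))
    print(find_secret_accesses(log, DEMO_SALT, "not-in-the-log"))
```

Because the hash is keyed, an attacker who steals the log cannot brute-force short values such as passwords or PINs without the device salt, which is the difference between this and a plain SHA-256 of the value.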

AUTHENTICATION

TOKEN (DEFAULT)
APPID
APPROLE
TLS CLIENT CERTIFICATE
AWS, GITHUB, ...

ROTATE, REPAIR, REPAVE

JUSTIN SMITH (PIVOTAL)

SECRET BACKENDS
GETTING DYNAMIC CREDENTIALS (WITH LEASE TIME)

AWS
CONSUL
MONGODB
DATABASES (MYSQL, POSTGRESQL, CASSANDRA)
RABBITMQ, AND MANY MORE...

START VAULT SERVER

$ vault server -config=./memory.conf

memory.conf:

storage "inmem" {}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = 1
}

disable_mlock = true

These are demo settings only: in-memory storage loses everything on restart, tls_disable = 1 sends tokens and secrets over plain HTTP, and disable_mlock lets the unsealed master key be swapped to disk. A production configuration uses a persistent storage backend, a TLS listener and leaves mlock enabled.

INITIALIZE VAULT SERVER

$ vault init -key-shares=5 -key-threshold=2

Unseal Key 1: v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
Unseal Key 2: g1tV/d4vp7VVbOu93aHrHZt41xE5YtX7yYBsFMIXGHCf
Unseal Key 3: rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
Unseal Key 4: kDSWhVhz8ElKG6Rad51Hw9lv8i6bTHdEdE71vq3sHoE0
Unseal Key 5: 4KUY7CS+UBi5lxlwpCRY+sWXdPFDp68rX2F6bTxT0nHF
Initial Root Token: 68a80410-e315-fc39-d1ad-9864e169a47f

Please securely distribute the above keys. When the vault is re-sealed, restarted, or stopped, you must provide at least 2 of these keys to unseal it again.

Vault does not store the master key. Without at least 2 keys, your vault will remain permanently sealed.

The five unseal keys are Shamir shares of the master key: any two of them reconstruct it, any single one reveals nothing about it, which is why they should go to different people.
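To make the key-shares/key-threshold split concrete, here is an added Python implementation of Shamir's secret sharing over GF(2^8), done byte by byte the way Vault splits its master key. It is written for this page and is not Vault's code: share layout (y values followed by one trailing x coordinate byte), the choice of x = 1..parts and the validation in combine are this example's own decisions. The secret below is a random 32-byte stand-in for a master key.

```python
import secrets

# GF(2^8) log/antilog tables over the AES reduction polynomial
# x^8 + x^4 + x^3 + x + 1 (0x11b), generated by the primitive element 3.
_EXP = [0] * 512
_LOG = [0] * 256


def _build_tables():
    x = 1
    for i in range(255):
        _EXP[i] = x
        _LOG[x] = i
        x2 = x << 1                      # multiply by 2 ...
        if x2 & 0x100:
            x2 ^= 0x11b                  # ... reducing modulo the field polynomial
        x = x2 ^ x                       # times 3 = times 2 plus once
    for i in range(255, 512):            # wrap so LOG[a] + LOG[b] never overflows
        _EXP[i] = _EXP[i - 255]


_build_tables()


def gf_mul(a: int, b: int) -> int:
    if a == 0 or b == 0:
        return 0
    return _EXP[_LOG[a] + _LOG[b]]


def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    if a == 0:
        return 0
    return _EXP[(_LOG[a] - _LOG[b]) % 255]


def _eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the constant term (the secret byte)."""
    result = 0
    for c in reversed(coeffs):
        result = gf_mul(result, x) ^ c
    return result


def split(secret: bytes, parts: int, threshold: int) -> list:
    """Split `secret` into `parts` shares, any `threshold` of which rebuild it.
    Each share is len(secret) y-bytes plus a trailing x-coordinate byte."""
    if not 2 <= threshold <= parts <= 255:
        raise ValueError("need 2 <= threshold <= parts <= 255")
    shares = [bytearray() for _ in range(parts)]
    for byte in secret:
        # Fresh random polynomial of degree threshold-1 per byte, constant term = secret byte.
        coeffs = [byte] + list(secrets.token_bytes(threshold - 1))
        for idx in range(parts):
            shares[idx].append(_eval_poly(coeffs, idx + 1))   # x coordinate idx+1 (never 0)
    for idx in range(parts):
        shares[idx].append(idx + 1)
    return [bytes(s) for s in shares]


def _interpolate_at_zero(xs, ys):
    """Lagrange interpolation evaluated at x = 0; in GF(2^8) subtraction is xor."""
    result = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        basis = 1
        for j, xj in enumerate(xs):
            if i != j:
                basis = gf_mul(basis, gf_div(xj, xi ^ xj))
        result ^= gf_mul(yi, basis)
    return result


def combine(shares: list) -> bytes:
    """Rebuild the secret. Fewer than `threshold` shares, or one tampered share,
    produce a wrong value silently: the scheme has no integrity check, so Vault
    only learns a bad key when it fails to decrypt its keyring with it."""
    if len(shares) < 2:
        raise ValueError("at least two shares are required")
    length = len(shares[0])
    if length < 2 or any(len(s) != length for s in shares):
        raise ValueError("shares must be non-empty and of equal length")
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs) or 0 in xs:
        raise ValueError("share x coordinates must be distinct and non-zero")
    return bytes(_interpolate_at_zero(xs, [s[pos] for s in shares])
                 for pos in range(length - 1))


if __name__ == "__main__":
    master = secrets.token_bytes(32)          # stands in for Vault's master key
    shares = split(master, parts=5, threshold=2)
    assert combine(shares[:2]) == master and combine([shares[0], shares[4]]) == master
    print("any 2 of 5 shares rebuild the 32-byte key")
```

The per-byte polynomials are independent, so learning one share gives no information about the secret, and a flipped byte in any share changes the reconstructed byte with certainty; the example's test exercises both the 2-of-5 and a 3-of-5 split.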

UNSEAL VAULT SERVER

$ vault unseal v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
Sealed: true
Key Shares: 5
Key Threshold: 2
Unseal Progress: 1
Unseal Nonce: 3a7f80b8-9aa4-2338-8a0a-0295331962d7

$ vault unseal rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
Sealed: false
Key Shares: 5
Key Threshold: 2
Unseal Progress: 0
Unseal Nonce:

AUTHENTICATE WITH VAULT SERVER

$ vault auth 68a80410-e315-fc39-d1ad-9864e169a47f

Successfully authenticated! You are now logged in.
token: 68a80410-e315-fc39-d1ad-9864e169a47f
token_duration: 0
token_policies: [root]

token_duration 0 means the root token never expires. It is meant for bootstrapping auth methods and policies and should be revoked once that is done; day-to-day access uses tokens with a TTL issued through one of the auth methods.

WRITE AND READ SECRETS

$ vault write secret/mysecret hello=world
Success! Data written to: secret/mysecret

$ vault read secret/mysecret
Key               Value
---               -----
refresh_interval  768h0m0s
hello             world

DEMO


SPRING CLOUD VAULT

https://cloud.spring.io/spring-cloud-vault

GRADLE DEPENDENCIES

ext { springCloudVersion = 'Dalston.RELEASE' }

dependencies {
    compile('org.springframework.cloud:spring-cloud-starter-vault-config')
}

dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}

SECRET DATA MAPPING
BOOTSTRAP.PROPERTIES

spring.cloud.vault.generic.application-name=application1,additional/keys
#spring.cloud.vault.application-name=...
#spring.application.name=...

MAPPED SECRET PATHS IN VAULT

/secret/application1
/secret/application1/myprofile
/secret/additional/keys
/secret/application
/secret/application/myprofile

DEMO


ROTATE DATABASE CREDENTIALS
BOOTSTRAP.YML

spring.cloud.vault:
    postgresql:
        enabled: true
        role: readonly
        backend: postgresql
        username-property: spring.datasource.username
        password-property: spring.datasource.password

Spring Cloud Vault asks the postgresql backend for a credential pair under the readonly role and injects it into the two datasource properties; the pair is leased, so it is renewed while the application runs and revoked by Vault when the lease ends.

SPRING CLOUD CONFIG VAULT ENVIRONMENT REPOSITORY

APPLICATION.PROPERTIES (CONFIG SERVER)

spring.profiles.active=vault
spring.cloud.config.server.vault.host=127.0.0.1
spring.cloud.config.server.vault.port=8200
spring.cloud.config.server.vault.scheme=https

BOOTSTRAP.PROPERTIES (CLIENT)

spring.cloud.config.token=YourVaultToken

With the Vault environment repository the config server holds no Vault token of its own: each client sends its token (spring.cloud.config.token, passed in the X-Config-Token header) and the server reads from Vault with that client's permissions.

TARGET ACHIEVED?


REFERENCES

Spring Cloud Config (https://cloud.spring.io/spring-cloud-config/)
Spring Cloud Config Security (http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.0.RELEASE/#_security)
Shamir's secret sharing algorithm (https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
Spring Cloud Vault (https://cloud.spring.io/spring-cloud-vault)
Vault (https://www.vaultproject.io)
Cloud Foundry Vault Service Broker (https://www.hashicorp.com/blog/cloud-foundry-vault-service-broker)
Cloud Native Key Management, Justin Smith (https://www.youtube.com/watch?v=MvPIthr4kXA&t=1601s)
Sources and Presentation (https://github.com/andifalk/distributed-secure-configuration)

All images used are from Pixabay and are published under the Creative Commons CC0 license.
All used logos are trademarks of the corresponding companies.

Q&A

http://www.novatec-gmbh.de
http://blog.novatec-gmbh.de
[email protected]
@NT_AQE, @andifalk