Vaunting Vault!

Lansing DevOps Meetup
September 6th, 2016

Brendon Thiede

    Development Manager at Vertafore

    Focused on Automation

    Supporting CI for WordPress sites

What Secrets are we Keeping?

  • Human accessible
    • WiFi password
    • Test account credentials
  • Application/system accessible
    • Test account credentials
    • Various service credentials (DB, LDAP, etc.)

Where are we Keeping Secrets?

  • KeePass on Dropbox
  • Encrypted databags
  • Text files
  • Hard coded in app code ( ಠ_ಠ )

What are Threats to Secrets?

  • External
    • SFTP server hacked
    • User account compromised
  • Internal
    • Rogue employee

What is Vault?

  • Unified secrets storage/retrieval using REST
  • Protection from external threats
  • Protection from internal threats
  • Auditing

Unified Secrets Solution

  • One place for all the things!

Protection from External Threats

  • Modern encryption
  • Dynamic secrets
  • Encryption as a Service
  • Leasing and renewal

Protection from Internal Threats

  • Shamir's secret sharing
  • "Break glass" procedure
  • Single point revocation
  • ACLs for fine-grained control
  • Multiple authentication methods (internal, LDAP, GitHub, etc.)

Auditing

  • Everything is logged (with sha)
  • Logs can be shipped for analysis

Concepts for Discussion

  • Backends
  • Path structure