Managing Secrets

by Gonçalo Valério / @dethos@s.ovalerio.net

What do I mean by secrets

  • Passwords
  • API keys
  • TLS certificates
  • Tokens

Why is this an important issue?

Lets focus on the things that are under the

responsibility of Dev and Ops teams

Common approaches

Place all the secrets in environment variables

  • Copy configuration files to all assets
  • Place all the secrets in the same file and encrypt it
  • Keep adding keys to the authorized_keys files on several machines

How should it be done?

Depends on the threat model

  • Secrets should never be in plain text, nor on transit or at rest.
  • Principle of the least privilege
  • Granular access control (defined by policy)
  • Easily allow to rotate the secrets
  • Every action must leave a trail
  • Have a "break glass" procedure

Recently there was a surge in this area

Lets take Vault

  • Stores your secrets encrypted
  • Key-rolling
  • Audit Logs
  • Leasing
  • Revocation
  • Multiple backends for dynamic secrets

Demo time

Sources and other extra information

You can reach me through:

Website: ovalerio.net

Email: gon@ovalerio.net

Mastodon: @dethos@s.ovalerio.net

Freenode: dethos

https://static.ovalerio.net/presentations/managing-secrets