SlideShare una empresa de Scribd logo

Vault 1.0: How to Auto-Unseal and Other New Features

Mitchell Pronschinske
Mitchell Pronschinske

HashiCorp Vault 1.0 is the culmination of a journey that brings broad ecosystem integration, feature completeness, and enterprise readiness to the popular secrets management tool. Learn how to use new features like Auto Unseal and Batch Tokens.

Software
1 de 22
Descargar para leer sin conexión
Copyright © 2018 HashiCorp Vault 1.0 - New Features Calvin Leung Huang - Software Engineer
s Copyright © 2018 HashiCorp !2 Introduction
Copyright © 2018 HashiCorp ▪Auto-unseal
 ▪Seal migration
 ▪Batch tokens Agenda !3
s Copyright © 2018 HashiCorp !4 Auto-unseal
Copyright © 2018 HashiCorp Shamir Secret Sharing ▪ Protect master key ▪ Split Master Keys in to K shares
 ▪ Unsealing requires T keys to meet unseal threshold ▪ Default: K=5 T=3 ▪ Requires human intervention for unseal on Vault startup !5 Key Shares Master Key Encryption Key
Copyright © 2018 HashiCorp ▪ Initial release on enterprise for use with HSM modules ▪ Keys protected by an external mechanism ▪ No human intervention required
 
 Auto-unseal !6
Copyright © 2018 HashiCorp Auto-unseal: HSM ▪ HSM Modules ▪ PKCS11 API to encrypt/decrypt the master key ▪ Multiple encryption mechanisms supported – AES_CBC_PAD – AES_CBC – AES_GCM – RSA_PKCS_OAEP – RSA_PKCS !7 Key Shares Master KeyEncryption Key
Copyright © 2018 HashiCorp Auto-unseal: Cloud KMS Providers ▪ AWS KMS ▪ GCP Cloud KMS ▪ Azure Key Vault ▪ AliCloud KMS !8 Key Shares Master Key Encryption Key
Copyright © 2018 HashiCorp ▪ Unseal keys not returned to the operator ▪ Recovery key shares returned instead ▪ Recovery keys are used for the following operations – Trigger an auto-unseal – Rekey – Root token generation Auto-unseal vs Shamir !9
s Copyright © 2018 HashiCorp !10 Demo
s Copyright © 2018 HashiCorp !11 Seal migration
Copyright © 2018 HashiCorp ▪ Supports existing installations using Shamir ▪ Migration from Shamir to Auto-unseal ▪ Migration from Auto-unseal to Shamir ▪ Currently, only supported only in OSS due to: – Sealwrap – Replication Seal migration !12
s Copyright © 2018 HashiCorp !13 Demo
s Copyright © 2018 HashiCorp !14 Batch Tokens
Copyright © 2018 HashiCorp ▪ Authentication via auth methods to obtain a Vault token ▪ This applied to all service types, including those in microservice- oriented and FaaS architectures ▪ As more users and services talk to Vault, overhead of token creation becomes a problem ▪ Put a lot of pressure on Vault’s storage backend Authentication !15
Copyright © 2018 HashiCorp ▪ Token creation: – 1 primary index, 1 parent index, 1 accessor index, 1 lease write – 4 WAL (write-ahead-log) writes
 ▪ Token revocation: – 4 deletes – 4 WAL additional writes – 8 WAL deletes
 ▪ Minimum 12 writes and 12 deletes per token Lifecycle of a Token !16
Copyright © 2018 HashiCorp ▪ Token info is encrypted – Think of it as a JWT, but encrypted instead of signed
 ▪ Meant for batch jobs, single purpose, single use scenarios
 ▪ Not held in storage or in memory ▪ Different guarantees around lifetime and persistence Batch Tokens !17
Copyright © 2018 HashiCorp Service Tokens vs Batch Tokens !18 Service Tokens Batch Tokens Can Be Root Tokens Yes No Can Create Child Tokens Yes No Can be Renewable Yes No Can be Periodic Yes No Can have Explicit Max TTL Yes No (always uses a fixed TTL) Has Accessors Yes No Has Cubbyhole Yes No Revoked with Parent (if not orphan) Yes Stops Working Dynamic Secrets Lease Assignment Self Parent (if not orphan) Can be Used Across Performance Replication Clusters No Yes (if orphan) Creation Scales with Performance Standby Node Count No Yes Cost Heavyweight; multiple storage writes per token creation Lightweight; no storage cost for token creation
Copyright © 2018 HashiCorp ▪ Most tokens will not have children, unneeded parent entry
 ▪ Explicit revocation unnecessary since it can be trigger by TTL ▪ Mechanisms to (indirectly) revoke leases still exists – Via lease ID – Via parent token revocation Acceptable Trade-offs !19
s Copyright © 2018 HashiCorp !20 Demo
Copyright © 2018 HashiCorp ▪ GCP KMS Secrets Engine ▪ OpenAPI Support ▪ Vault Agent Auto-auth via AppRole ▪ Kubernetes Projected Service Account Tokens ▪ UI: Response Wrapping ▪ Many more improvements! Additional Features !21
Thank you. hello@hashicorp.comwww.hashicorp.com

Recomendados

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...Amazon Web Services Korea
 
Building an Ethereum Wallet using Hashicorp Vault
Building an Ethereum Wallet using Hashicorp VaultBuilding an Ethereum Wallet using Hashicorp Vault
Building an Ethereum Wallet using Hashicorp VaultJeff Ploughman
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
GraphQL Security
GraphQL SecurityGraphQL Security
GraphQL SecurityShiu-Fun Poon
 
AWS CodeCommit, CodeDeploy & CodePipeline
AWS CodeCommit, CodeDeploy & CodePipelineAWS CodeCommit, CodeDeploy & CodePipeline
AWS CodeCommit, CodeDeploy & CodePipelineJulien SIMON
 
AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축
AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축
AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축Amazon Web Services Korea
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
 

Recomendados

Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018
Eliminating Secret Sprawl in the Cloud with HashiCorp Vault - 07.11.2018HashiCorp
 
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...
AWS Fault Injection Simulator를 통한 실전 카오스 엔지니어링 - 윤석찬 AWS 수석 테크에반젤리스트 / 김신 SW엔...Amazon Web Services Korea
 
Building an Ethereum Wallet using Hashicorp Vault
Building an Ethereum Wallet using Hashicorp VaultBuilding an Ethereum Wallet using Hashicorp Vault
Building an Ethereum Wallet using Hashicorp VaultJeff Ploughman
 
Encoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresEncoded Attacks And Countermeasures
Encoded Attacks And CountermeasuresMarco Morana
 
GraphQL Security
GraphQL SecurityGraphQL Security
GraphQL SecurityShiu-Fun Poon
 
AWS CodeCommit, CodeDeploy & CodePipeline
AWS CodeCommit, CodeDeploy & CodePipelineAWS CodeCommit, CodeDeploy & CodePipeline
AWS CodeCommit, CodeDeploy & CodePipelineJulien SIMON
 
AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축
AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축
AWS Summit Seoul 2023 | Global scale service의 중앙 집중식 Observability 구축Amazon Web Services Korea
 
What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018What the Heck is OAuth and OpenID Connect - DOSUG 2018
What the Heck is OAuth and OpenID Connect - DOSUG 2018Matt Raible
 
JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web TokensIvan Rosolen
 
Amazon Macie Demo
Amazon Macie DemoAmazon Macie Demo
Amazon Macie DemoAmazon Web Services
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...Andrey Devyatkin
 
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...Amazon Web Services
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019Amazon Web Services Korea
 
AWS CodeDeploy
AWS CodeDeployAWS CodeDeploy
AWS CodeDeployTO THE NEW | Technology
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmVittorio Giovara
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Boyer–Moore string search algorithm
Boyer–Moore string search algorithmBoyer–Moore string search algorithm
Boyer–Moore string search algorithmHamid Shekarforoush
 
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...Amazon Web Services
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applicationsJose Manuel Ortega Candel
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security HeadersIsmael Goncalves
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP CodingNarudom Roongsiriwong, CISSP
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSAmazon Web Services
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
AWS VPN Solutions (NET304) - AWS re:Invent 2018
AWS VPN Solutions (NET304) - AWS re:Invent 2018AWS VPN Solutions (NET304) - AWS re:Invent 2018
AWS VPN Solutions (NET304) - AWS re:Invent 2018Amazon Web Services
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 
Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp VaultNicolas Corrarello
 
Vault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresVault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresMitchell Pronschinske
 

Más contenido relacionado

La actualidad más candente

HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...Andrey Devyatkin
 
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...Amazon Web Services
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019Amazon Web Services Korea
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmVittorio Giovara
 
Spring Security
Spring SecuritySpring Security
Spring SecurityBoy Tech
 
Boyer–Moore string search algorithm
Boyer–Moore string search algorithmBoyer–Moore string search algorithm
Boyer–Moore string search algorithmHamid Shekarforoush
 
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...Amazon Web Services
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSAmazon Web Services
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples42Crunch
 
AWS VPN Solutions (NET304) - AWS re:Invent 2018
AWS VPN Solutions (NET304) - AWS re:Invent 2018AWS VPN Solutions (NET304) - AWS re:Invent 2018
AWS VPN Solutions (NET304) - AWS re:Invent 2018Amazon Web Services
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing ReportAman Srivastava
 

La actualidad más candente (20)

JSON Web Tokens
JSON Web TokensJSON Web Tokens
JSON Web Tokens
 
Amazon Macie Demo
Amazon Macie DemoAmazon Macie Demo
Amazon Macie Demo
 
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
 
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
[REPEAT 1] Elastic Load Balancing: Deep Dive and Best Practices (NET404-R1) -...
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang Bhatnagar
 
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
워크로드에 맞는 데이터베이스 찾기 - 박주연 솔루션즈 아키텍트, AWS :: AWS Summit Seoul 2019
 
AWS CodeDeploy
AWS CodeDeployAWS CodeDeploy
AWS CodeDeploy
 
Authenticated Encryption Gcm Ccm
Authenticated Encryption Gcm CcmAuthenticated Encryption Gcm Ccm
Authenticated Encryption Gcm Ccm
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic Concepts
 
Spring Security
Spring SecuritySpring Security
Spring Security
 
Boyer–Moore string search algorithm
Boyer–Moore string search algorithmBoyer–Moore string search algorithm
Boyer–Moore string search algorithm
 
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
Automating Management of Amazon EC2 Instances with Auto Scaling - March 2017 ...
 
Security testing in mobile applications
Security testing in mobile applicationsSecurity testing in mobile applications
Security testing in mobile applications
 
HTTP Security Headers
HTTP Security HeadersHTTP Security Headers
HTTP Security Headers
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
K8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKSK8s on AWS - Introducing Amazon EKS
K8s on AWS - Introducing Amazon EKS
 
OWASP API Security Top 10 Examples
OWASP API Security Top 10 ExamplesOWASP API Security Top 10 Examples
OWASP API Security Top 10 Examples
 
AWS VPN Solutions (NET304) - AWS re:Invent 2018
AWS VPN Solutions (NET304) - AWS re:Invent 2018AWS VPN Solutions (NET304) - AWS re:Invent 2018
AWS VPN Solutions (NET304) - AWS re:Invent 2018
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sites
 
Penetration Testing Report
Penetration Testing ReportPenetration Testing Report
Penetration Testing Report
 

Similar a Vault 1.0: How to Auto-Unseal and Other New Features

Delivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefDelivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefAmanda MacLeod
 
Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Bas Meijer
 
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)Lee Myring
 
Dynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp VaultDynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp VaultKatie Reese
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
 
Token Authentication in ASP.NET Core--Stormpath Webinar
Token Authentication in ASP.NET Core--Stormpath WebinarToken Authentication in ASP.NET Core--Stormpath Webinar
Token Authentication in ASP.NET Core--Stormpath WebinarRemy Champion
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreStormpath
 
How Does Signing & Validating a JSON Web Tokens Work
How Does Signing & Validating a JSON Web Tokens WorkHow Does Signing & Validating a JSON Web Tokens Work
How Does Signing & Validating a JSON Web Tokens WorkRohit Jacob Mathew
 
What Video Games and BotCoin Did To The World Of Security... On Accident
What Video Games and BotCoin Did To The World Of Security... On AccidentWhat Video Games and BotCoin Did To The World Of Security... On Accident
What Video Games and BotCoin Did To The World Of Security... On AccidentBen Finke
 
Meeting rooms are talking! are you listening?
Meeting rooms are talking! are you listening?Meeting rooms are talking! are you listening?
Meeting rooms are talking! are you listening?Cisco DevNet
 
Using heka
Using hekaUsing heka
Using hekaExotel
 
Transparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQLTransparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQLMasahiko Sawada
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 

Similar a Vault 1.0: How to Auto-Unseal and Other New Features (20)

Adopting HashiCorp Vault
Adopting HashiCorp VaultAdopting HashiCorp Vault
Adopting HashiCorp Vault
 
Vault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 featuresVault Agent and Vault 0.11 features
Vault Agent and Vault 0.11 features
 
Delivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and ChefDelivering Secret Zero: Vault AppRole with Terraform and Chef
Delivering Secret Zero: Vault AppRole with Terraform and Chef
 
Iam r31 a (2)
Iam r31 a (2)Iam r31 a (2)
Iam r31 a (2)
 
Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020
 
Stu r33 b (2)
Stu r33 b (2)Stu r33 b (2)
Stu r33 b (2)
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)
Log aggregation: using Elasticsearch, Fluentd/Fluentbit and Kibana (EFK)
 
How to scale MongoDB
How to scale MongoDBHow to scale MongoDB
How to scale MongoDB
 
Dynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp VaultDynamic Database Credentials with HashiCorp Vault
Dynamic Database Credentials with HashiCorp Vault
 
Spectre coin
Spectre coinSpectre coin
Spectre coin
 
No locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructureNo locked doors, no windows barred: hacking OpenAM infrastructure
No locked doors, no windows barred: hacking OpenAM infrastructure
 
Token Authentication in ASP.NET Core--Stormpath Webinar
Token Authentication in ASP.NET Core--Stormpath WebinarToken Authentication in ASP.NET Core--Stormpath Webinar
Token Authentication in ASP.NET Core--Stormpath Webinar
 
Token Authentication in ASP.NET Core
Token Authentication in ASP.NET CoreToken Authentication in ASP.NET Core
Token Authentication in ASP.NET Core
 
How Does Signing & Validating a JSON Web Tokens Work
How Does Signing & Validating a JSON Web Tokens WorkHow Does Signing & Validating a JSON Web Tokens Work
How Does Signing & Validating a JSON Web Tokens Work
 
What Video Games and BotCoin Did To The World Of Security... On Accident
What Video Games and BotCoin Did To The World Of Security... On AccidentWhat Video Games and BotCoin Did To The World Of Security... On Accident
What Video Games and BotCoin Did To The World Of Security... On Accident
 
Meeting rooms are talking! are you listening?
Meeting rooms are talking! are you listening?Meeting rooms are talking! are you listening?
Meeting rooms are talking! are you listening?
 
Using heka
Using hekaUsing heka
Using heka
 
Transparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQLTransparent Data Encryption in PostgreSQL
Transparent Data Encryption in PostgreSQL
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 

Más de Mitchell Pronschinske

Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulMitchell Pronschinske
 
Multi-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul ConnectMulti-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul ConnectMitchell Pronschinske
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesMitchell Pronschinske
 
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on AzureMigrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on AzureMitchell Pronschinske
 
Empowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorpEmpowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorpMitchell Pronschinske
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpMitchell Pronschinske
 
Using new sentinel features in terraform cloud
Using new sentinel features in terraform cloudUsing new sentinel features in terraform cloud
Using new sentinel features in terraform cloudMitchell Pronschinske
 
Military Edge Computing with Vault and Consul
Military Edge Computing with Vault and ConsulMilitary Edge Computing with Vault and Consul
Military Edge Computing with Vault and ConsulMitchell Pronschinske
 
Unlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub ActionsUnlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub ActionsMitchell Pronschinske
 
Vault 1.4 integrated storage overview
Vault 1.4 integrated storage overviewVault 1.4 integrated storage overview
Vault 1.4 integrated storage overviewMitchell Pronschinske
 
Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)Mitchell Pronschinske
 
Governance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad ClusterGovernance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad ClusterMitchell Pronschinske
 
Unlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentUnlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentMitchell Pronschinske
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultMitchell Pronschinske
 
Modern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with NomadModern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with NomadMitchell Pronschinske
 
Moving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on AzureMoving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on AzureMitchell Pronschinske
 

Más de Mitchell Pronschinske (20)

Getting Started with Kubernetes and Consul
Getting Started with Kubernetes and ConsulGetting Started with Kubernetes and Consul
Getting Started with Kubernetes and Consul
 
Multi-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul ConnectMulti-Cloud with Nomad and Consul Connect
Multi-Cloud with Nomad and Consul Connect
 
Code quality for Terraform
Code quality for TerraformCode quality for Terraform
Code quality for Terraform
 
Dynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD PipelinesDynamic Azure Credentials for Applications and CI/CD Pipelines
Dynamic Azure Credentials for Applications and CI/CD Pipelines
 
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on AzureMigrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
Migrating from VMs to Kubernetes using HashiCorp Consul Service on Azure
 
Empowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorpEmpowering developers and operators through Gitlab and HashiCorp
Empowering developers and operators through Gitlab and HashiCorp
 
Automate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corpAutomate and simplify multi cloud complexity with f5 and hashi corp
Automate and simplify multi cloud complexity with f5 and hashi corp
 
Vault 1.5 Overview
Vault 1.5 OverviewVault 1.5 Overview
Vault 1.5 Overview
 
Using new sentinel features in terraform cloud
Using new sentinel features in terraform cloudUsing new sentinel features in terraform cloud
Using new sentinel features in terraform cloud
 
Military Edge Computing with Vault and Consul
Military Edge Computing with Vault and ConsulMilitary Edge Computing with Vault and Consul
Military Edge Computing with Vault and Consul
 
Unlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub ActionsUnlocking the Cloud operating model with GitHub Actions
Unlocking the Cloud operating model with GitHub Actions
 
Vault 1.4 integrated storage overview
Vault 1.4 integrated storage overviewVault 1.4 integrated storage overview
Vault 1.4 integrated storage overview
 
Unlocking the Cloud Operating Model
Unlocking the Cloud Operating ModelUnlocking the Cloud Operating Model
Unlocking the Cloud Operating Model
 
Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)Cisco ACI with HashiCorp Terraform (APAC)
Cisco ACI with HashiCorp Terraform (APAC)
 
Governance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad ClusterGovernance for Multiple Teams Sharing a Nomad Cluster
Governance for Multiple Teams Sharing a Nomad Cluster
 
Integrating Terraform and Consul
Integrating Terraform and ConsulIntegrating Terraform and Consul
Integrating Terraform and Consul
 
Unlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: DeploymentUnlocking the Cloud Operating Model: Deployment
Unlocking the Cloud Operating Model: Deployment
 
Keeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp VaultKeeping a Secret with HashiCorp Vault
Keeping a Secret with HashiCorp Vault
 
Modern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with NomadModern Scheduling for Modern Applications with Nomad
Modern Scheduling for Modern Applications with Nomad
 
Moving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on AzureMoving to a Microservice World: Leveraging Consul on Azure
Moving to a Microservice World: Leveraging Consul on Azure
 

Último

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsAlberto González Trastoy
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...harshavardhanraghave
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerThousandEyes
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxComplianceQuest1
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...Health
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsJhone kinadey
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 

Último (20)

call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time ApplicationsUnveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
Unveiling the Tech Salsa of LAMs with Janus in Real-Time Applications
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
Reassessing the Bedrock of Clinical Function Models: An Examination of Large ...
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected WorkerHow To Troubleshoot Collaboration Apps for the Modern Connected Worker
How To Troubleshoot Collaboration Apps for the Modern Connected Worker
 
A Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docxA Secure and Reliable Document Management System is Essential.docx
A Secure and Reliable Document Management System is Essential.docx
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
Right Money Management App For Your Financial Goals
Right Money Management App For Your Financial GoalsRight Money Management App For Your Financial Goals
Right Money Management App For Your Financial Goals
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 

Vault 1.0: How to Auto-Unseal and Other New Features

  • 1. Copyright © 2018 HashiCorp Vault 1.0 - New Features Calvin Leung Huang - Software Engineer
  • 2. s Copyright © 2018 HashiCorp !2 Introduction
  • 3. Copyright © 2018 HashiCorp ▪Auto-unseal
 ▪Seal migration
 ▪Batch tokens Agenda !3
  • 4. s Copyright © 2018 HashiCorp !4 Auto-unseal
  • 5. Copyright © 2018 HashiCorp Shamir Secret Sharing ▪ Protect master key ▪ Split Master Keys in to K shares
 ▪ Unsealing requires T keys to meet unseal threshold ▪ Default: K=5 T=3 ▪ Requires human intervention for unseal on Vault startup !5 Key Shares Master Key Encryption Key
  • 6. Copyright © 2018 HashiCorp ▪ Initial release on enterprise for use with HSM modules ▪ Keys protected by an external mechanism ▪ No human intervention required
 
 Auto-unseal !6
  • 7. Copyright © 2018 HashiCorp Auto-unseal: HSM ▪ HSM Modules ▪ PKCS11 API to encrypt/decrypt the master key ▪ Multiple encryption mechanisms supported – AES_CBC_PAD – AES_CBC – AES_GCM – RSA_PKCS_OAEP – RSA_PKCS !7 Key Shares Master KeyEncryption Key
  • 8. Copyright © 2018 HashiCorp Auto-unseal: Cloud KMS Providers ▪ AWS KMS ▪ GCP Cloud KMS ▪ Azure Key Vault ▪ AliCloud KMS !8 Key Shares Master Key Encryption Key
  • 9. Copyright © 2018 HashiCorp ▪ Unseal keys not returned to the operator ▪ Recovery key shares returned instead ▪ Recovery keys are used for the following operations – Trigger an auto-unseal – Rekey – Root token generation Auto-unseal vs Shamir !9
  • 10. s Copyright © 2018 HashiCorp !10 Demo
  • 11. s Copyright © 2018 HashiCorp !11 Seal migration
  • 12. Copyright © 2018 HashiCorp ▪ Supports existing installations using Shamir ▪ Migration from Shamir to Auto-unseal ▪ Migration from Auto-unseal to Shamir ▪ Currently, only supported only in OSS due to: – Sealwrap – Replication Seal migration !12
  • 13. s Copyright © 2018 HashiCorp !13 Demo
  • 14. s Copyright © 2018 HashiCorp !14 Batch Tokens
  • 15. Copyright © 2018 HashiCorp ▪ Authentication via auth methods to obtain a Vault token ▪ This applied to all service types, including those in microservice- oriented and FaaS architectures ▪ As more users and services talk to Vault, overhead of token creation becomes a problem ▪ Put a lot of pressure on Vault’s storage backend Authentication !15
  • 16. Copyright © 2018 HashiCorp ▪ Token creation: – 1 primary index, 1 parent index, 1 accessor index, 1 lease write – 4 WAL (write-ahead-log) writes
 ▪ Token revocation: – 4 deletes – 4 WAL additional writes – 8 WAL deletes
 ▪ Minimum 12 writes and 12 deletes per token Lifecycle of a Token !16
  • 17. Copyright © 2018 HashiCorp ▪ Token info is encrypted – Think of it as a JWT, but encrypted instead of signed
 ▪ Meant for batch jobs, single purpose, single use scenarios
 ▪ Not held in storage or in memory ▪ Different guarantees around lifetime and persistence Batch Tokens !17
  • 18. Copyright © 2018 HashiCorp Service Tokens vs Batch Tokens !18 Service Tokens Batch Tokens Can Be Root Tokens Yes No Can Create Child Tokens Yes No Can be Renewable Yes No Can be Periodic Yes No Can have Explicit Max TTL Yes No (always uses a fixed TTL) Has Accessors Yes No Has Cubbyhole Yes No Revoked with Parent (if not orphan) Yes Stops Working Dynamic Secrets Lease Assignment Self Parent (if not orphan) Can be Used Across Performance Replication Clusters No Yes (if orphan) Creation Scales with Performance Standby Node Count No Yes Cost Heavyweight; multiple storage writes per token creation Lightweight; no storage cost for token creation
  • 19. Copyright © 2018 HashiCorp ▪ Most tokens will not have children, unneeded parent entry
 ▪ Explicit revocation unnecessary since it can be trigger by TTL ▪ Mechanisms to (indirectly) revoke leases still exists – Via lease ID – Via parent token revocation Acceptable Trade-offs !19
  • 20. s Copyright © 2018 HashiCorp !20 Demo
  • 21. Copyright © 2018 HashiCorp ▪ GCP KMS Secrets Engine ▪ OpenAPI Support ▪ Vault Agent Auto-auth via AppRole ▪ Kubernetes Projected Service Account Tokens ▪ UI: Response Wrapping ▪ Many more improvements! Additional Features !21