SECRETS ARE SECRETS. PLEASE, MAINTAIN KEEP THEM!
ALEX SOTO B - LORDOFTHEJARS.COM
alexsotoblordofthejars
QUESTIONS

WHO ENCRYPTS PASSWORDS IN RESOURCE FILES?
APACHE TOMEE RESOURCES

<Resource id="myds" type="DataSource">
    JdbcDriver=org.hsqldb.jdbc.JDBCDriver
    JdbcUrl=jdbc:hsqldb:mem:my-datasource
    Username=SA
    Password=SA
</Resource>
APACHE TOMEE RESOURCES

<Resource id="myds" type="DataSource">
    JdbcDriver=org.hsqldb.jdbc.JDBCDriver
    JdbcUrl=jdbc:hsqldb:mem:my-datasource
    Username=SA
    Password=xMH5uM1V9vQzVUv5LG7YLA==
    PasswordCipher=AES
</Resource>

<Resource id="myresource" class-name="org.superbiz.VaultGateway">
    //.....
    VaultPassword=cipher:AES:xMH5uM1V9vQzVUv5LG7YLA==
</Resource>

PasswordCipher=AES names the PasswordCipher implementation TomEE uses to decrypt the Password attribute of a DataSource; for any other resource property the same implementation is selected inline with the cipher:<name>:<value> prefix shown above.
IMPLEMENTATION

import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Sketch of a class implementing TomEE's org.apache.openejb.cipher.PasswordCipher
// (char[] encrypt(String), String decrypt(char[])). readKeyFromDisk() and toByteArray()
// are not shown on the slide, and encrypt() is left empty there.
public AESPasswordCipher() {
    this.key = readKeyFromDisk();                     // the AES key is itself a secret sitting on disk
    this.secretKey = new SecretKeySpec(key, "AES");
}

public String decrypt(char[] chars) {
    // "AES" alone resolves to AES/ECB/PKCS5Padding in the JDK: no IV and no integrity check
    Cipher cipher = Cipher.getInstance("AES");
    cipher.init(Cipher.DECRYPT_MODE, secretKey);
    byte[] raw = Base64.getDecoder().decode(toByteArray(chars));
    byte[] stringBytes = cipher.doFinal(raw);
    String clearText = new String(stringBytes, "UTF8");
    return clearText;
}

public char[] encrypt(String s) {}
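The slide's cipher reads its key from disk and relies on the JDK's default AES mode. As an added example (my code, not the speaker's and not part of TomEE), here is the same TomEE PasswordCipher contract implemented with AES-GCM, a fresh random nonce per value, an authentication tag that detects tampering with the resource file, and the key loaded from a file outside the deployed archive. The system property name tomee.cipher.keyfile, the default path /etc/tomee/cipher.key and the cipher name aesgcm are assumptions of this example; the org.apache.openejb.cipher.PasswordCipher interface is TomEE's.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.openejb.cipher.PasswordCipher;

/**
 * AES-GCM PasswordCipher for TomEE (example, not TomEE's own code).
 * Stored form: base64( 12-byte nonce || ciphertext || 16-byte tag ).
 * Key: 16, 24 or 32 raw bytes read from the file named by the tomee.cipher.keyfile
 * system property (property name and default path are this example's assumptions).
 */
public class AesGcmPasswordCipher implements PasswordCipher {
    private static final int NONCE_BYTES = 12;
    private static final int TAG_BITS = 128;
    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();

    public AesGcmPasswordCipher() {
        try {
            Path keyFile = Path.of(System.getProperty("tomee.cipher.keyfile", "/etc/tomee/cipher.key"));
            this.key = new SecretKeySpec(Files.readAllBytes(keyFile), "AES");
        } catch (IOException e) {
            throw new IllegalStateException("cannot read cipher key file", e);
        }
    }

    @Override
    public char[] encrypt(String plain) {
        try {
            byte[] nonce = new byte[NONCE_BYTES];
            random.nextBytes(nonce);                    // fresh nonce per value; never reuse one with the same key
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
            byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
            byte[] out = new byte[nonce.length + ct.length];
            System.arraycopy(nonce, 0, out, 0, nonce.length);
            System.arraycopy(ct, 0, out, nonce.length, ct.length);
            return Base64.getEncoder().encodeToString(out).toCharArray();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("encryption failed", e);
        }
    }

    @Override
    public String decrypt(char[] encoded) {
        try {
            byte[] in = Base64.getDecoder().decode(new String(encoded));
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, NONCE_BYTES));
            // doFinal throws AEADBadTagException when the stored value was modified or the key is wrong
            byte[] plain = c.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("decryption failed", e);
        }
    }

    /** Prints the value to put in the resource file, in TomEE's cipher:<name>:<value> form. */
    public static void main(String[] args) {
        System.out.println("cipher:aesgcm:" + new String(new AesGcmPasswordCipher().encrypt(args[0])));
    }
}
```

Create the key file with something like `head -c 32 /dev/urandom > /etc/tomee/cipher.key`, owned by the TomEE user with mode 0600, run the main method with the clear-text password to obtain the value for tomee.xml, and register the class the way TomEE documents for PasswordCipher implementations. This only moves the secret from the resource file into the key file: whoever can read the key file can still recover every password, which is the chicken-and-egg problem the next slides raise.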
CHICKEN-EGG PROBLEM

MONOLITH ARCHITECTURE

MICROSERVICES ARCHITECTURE?
https://vaultproject.io/
A TOOL FOR MANAGING SECRETS
VAULT FEATURES
Secure Secret Storage
Dynamic Secrets
Data Encryption
Leasing, Renewing, Revocation
Auditing
ACL
Multiple Authentication Methods
REST API
SECURE SECRET STORAGE

LET'S SEE IN ACTION
MICROSERVICES APPROACH

APP ID AUTH (Vault later deprecated the App ID backend in favour of AppRole)

NEED YOUR HELP
APP ID
Random Unique Chunk
Unique to Application (aka Service)
Generated by Operator
Stored in Configuration Management
USER ID
Intrinsic Properties
Unique to Instance
Generated by Cloud Init Script
LOGIN EACH SERVICE WITH TUPLE {APP ID, USER ID}
E X A M P L E W I T H D O C K E R
C U B B Y H O L E A U T H E N T I C A T I O N M E T H O D
CUBBYHOLE
temp Token with TTL and Limits
perm Token to access real data
Generated by Cloud Init Script
CLI

$> vault token-create -use-limit=3
$> vault auth ...                               # First usage
$> vault write cubbyhole/service1 token=...     # Second usage
$> vault read cubbyhole/service1                # Third usage
$> vault read cubbyhole/service1
Error reading cubbyhole/token: Error making API request.
URL: GET http://127.0.0.1:8200/v1/cubbyhole/token
Code: 403. Errors:
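The same three-use hand-off as a Java program against a running Vault's HTTP API, added here as an example that is neither from the talk nor from HashiCorp. The operator creates a temp token limited to three uses and five minutes, spends one use on lookup-self (the call `vault auth` made on the slide) and one on writing the permanent token into the temp token's cubbyhole; the service spends the third use reading it back, and a fourth request is refused. If the service's own read already returns 403, somebody else spent the uses first, which is the detection property the cubbyhole method gives. The endpoints are Vault's and VAULT_ADDR/VAULT_TOKEN are the variables the vault CLI reads; the path `cubbyhole/service1`, the policy name `default`, the command-line argument and the regex-based JSON extraction are this example's own choices.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Cubbyhole hand-off of a permanent token through a use-limited temp token (example code). */
public class CubbyholeHandoff {
    // Same variables the vault CLI reads; VAULT_TOKEN is the operator's own token
    private static final String VAULT_ADDR =
            System.getenv().getOrDefault("VAULT_ADDR", "http://127.0.0.1:8200");
    private static final HttpClient HTTP = HttpClient.newHttpClient();

    /** One Vault API call authenticated with {@code token}; a null body means GET, otherwise POST. */
    static HttpResponse<String> call(String token, String path, String jsonBody) throws Exception {
        HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(VAULT_ADDR + "/v1/" + path))
                .header("X-Vault-Token", token);
        if (jsonBody == null) {
            b.GET();
        } else {
            b.header("Content-Type", "application/json")
             .POST(HttpRequest.BodyPublishers.ofString(jsonBody));
        }
        return HTTP.send(b.build(), HttpResponse.BodyHandlers.ofString());
    }

    /** Pulls one string field out of Vault's JSON reply; a regex is enough here (no JSON library). */
    static String field(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]+)\"").matcher(json);
        if (!m.find()) throw new IllegalStateException("no field " + name + " in: " + json);
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        String operatorToken = System.getenv("VAULT_TOKEN");
        if (operatorToken == null || args.length == 0) {
            throw new IllegalArgumentException("set VAULT_TOKEN and pass the permanent token as argument");
        }
        String permToken = args[0];   // the long-lived token the service should end up holding

        // --- operator side (cloud-init script, docker run, ...) ---
        HttpResponse<String> created = call(operatorToken, "auth/token/create",
                "{\"num_uses\":3,\"ttl\":\"5m\",\"policies\":[\"default\"]}");
        String tempToken = field(created.body(), "client_token");
        call(tempToken, "auth/token/lookup-self", null);                                  // use 1
        call(tempToken, "cubbyhole/service1", "{\"token\":\"" + permToken + "\"}");      // use 2
        // tempToken is now handed to the service instance; it is the only value that travels

        // --- service side ---
        HttpResponse<String> read = call(tempToken, "cubbyhole/service1", null);         // use 3
        if (read.statusCode() == 403) {
            // the uses were spent before we got here: treat the token as stolen and refuse to start
            throw new IllegalStateException("temp token already consumed by someone else");
        }
        String fetched = field(read.body(), "token");
        System.out.println("service holds its permanent token: " + fetched.equals(permToken));

        // Vault revoked the temp token after its third use, so a further request is refused
        HttpResponse<String> again = call(tempToken, "cubbyhole/service1", null);
        System.out.println("fourth use -> HTTP " + again.statusCode());
    }
}
```

The cubbyhole is scoped to the temp token, so nobody else can read it even with a root token, and the TTL bounds how long a stolen temp token stays useful. Newer Vault versions package this pattern as response wrapping (the -wrap-ttl flag and the sys/wrapping endpoints), which is the form to reach for today.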
LET'S WIND DOWN

VAULT IS A SERVICE

THERE IS NO SILVER BULLET

QUESTIONS