Verteilte Konfiguration und Verwaltung sensibler Daten mit Spring Cloud Config und Vault
Andreas Falk
Präsentation und Demos: https://github.com/andifalk/w-jax-2017
Andreas Falk
NovaTec Consulting GmbH (Stuttgart/Germany)
Authentication (OAuth2/OIDC): OK!
Authorization: OK!
What about sensitive data?
EU General Data Protection Regulation (GDPR)
“...should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default”http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679 (78)
A3: Sensitive Data Exposure
Typical Sensitive Data
Passwords
Service credentials (DB, Messaging, ...)
OAuth2 client secrets
Encryption keys
Credit card numbers
Personal data
Application-xxx.Yaml
Database access credentials
spring:
datasource:
url: jdbc:postgresql://localhost/test
username: root
password: mysupersecretpassword
Key Management
Security Evolution
Introduction
https://www.vaultproject.io
“A Security Swiss Army Knife”
Jeff Mitchell, Vault Lead, HashiCorp
A Tool for Managing Secrets like...
- Tokens
- Passwords
- MFA
- X.509 Certificates
- API keys
- DB credentials
Key Features
Secure Secret Storage
Dynamic Secrets
Data Encryption (AES cypher)
Leasing, Renewal & Revocation
Operational Features
Authentication
Authorization (ACL)
Audit Logs
High Availability Mode (HA)
Architecture I
Architecture II
Key Shares
Spring Vault
Encryption as a service
Spring Cloud Vault
Secret vault mapping
bootstrap.properties
spring.cloud.vault.generic.application-name =
application1,additional/keys
#spring.cloud.vault.application-name = ...
#spring.application.name = ...
Mapped secret paths in vault
/secret/application1
/secret/application1/myprofile
/secret/additional/keys
/secret/application
/secret/application/myprofile
Rotate Database Credentials
bootstrap.yml
spring.cloud.vault:
postgresql:
enabled: true
role: readonly
backend: postgresql
username-property: spring.datasource.username
password-property: spring.datasource.username
Spring Cloud Config Vault Environment Repository
application.properties (Config Server)
spring.profiles.active=git,vault
spring.cloud.config.server.vault.host=127.0.0.1
spring.cloud.config.server.vault.port=8200
spring.cloud.config.server.vault.scheme=https
bootstrap.properties (Client)
spring.cloud.config.token = YourVaultToken
https://github.com/hashicorp/vault-service-broker
https://github.com/pivotal-cf/spring-cloud-vault-connector
Roadmap
Spring (Cloud) Vault 2.0 M3
Spring 5 Support
Reactive Support (Reactive Vault Template)
Target Security Level?
But HSM...
...Not Cloud Friendly or...
...Quite expensive (AWS ~ 18000 $/year)
Q&A
http://www.novatec-gmbh.de http://blog.novatec-gmbh.de
andreas.falk@novatec-gmbh.de
@NT_AQE, @andifalk
References
- Vault (https://www.vaultproject.io)
- Shamir's secret sharing (https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
- Spring Cloud Config (https://cloud.spring.io/spring-cloud-config/)
- Spring Vault (https://projects.spring.io/spring-vault)
- Spring Cloud Vault (https://cloud.spring.io/spring-cloud-vault)
- Cloud Foundry Vault Service Broker (https://github.com/hashicorp/vault-service-broker)
- Sources and Presentation (https://github.com/andifalk/w-jax-2017)
All images used are from Pixabay and are published under Creative Commons CC0 license.
All used logos are trademarks of corresponding companies