diff --git a/content/slides/privacy/images/vault/password_management.jpg b/content/slides/privacy/images/vault/password_management.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..aca3bef43b6c0b99e1961b5a675c1f20e00b935c
Binary files /dev/null and b/content/slides/privacy/images/vault/password_management.jpg differ
diff --git a/content/slides/privacy/md/vault.md b/content/slides/privacy/md/vault.md
index fc64af9bb9577b3f91a57c83df9a6e8d6555b50d..211ac5e0ff0008bf666487e497ab1424bc85944e 100644
--- a/content/slides/privacy/md/vault.md
+++ b/content/slides/privacy/md/vault.md
@@ -28,10 +28,10 @@
 
 ## gestion de mot de passe
 
-[ photo ]
+![vault](images/vault/password_management.jpg "vault")<!-- .element width="80%" -->
 
 
-## servicess
+## services
 
 * [LastPass](https://www.lastpass.com/fr)
 * [Dashlane](https://www.dashlane.com/)
@@ -48,19 +48,35 @@
 * [KeePass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=fr)
 * iKeePass?
 
-* pas de gestion collaborative
-* pas d'ACL
+<br />
+
+### pas de gestion collaborative!
+### pas d'ACL!
 
 
 ## Vault
 
 * Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
 
-  * serveur
-    * créer un service systemd
+  * un serveur
+    * une api
+    * une UI
+  * un cli
 
-  * cli
-    * `/usr/local/bin/vault `
+* [écrit en go](https://github.com/hashicorp/hcl)
+* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
+* cross plateform
+
+  
+## Utilisation
+
+* via la ligne de commande
+  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
+    * cross plateform
+    * deux variables d'environnement
+      * $VAULT_ADDR=https://vault.isima.fr
+      * $VAULT_TOKEN ou authentification ldap
+* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
 
 
 ## Configuration
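Review bot: the added bullet "[écrit en go](https://github.com/hashicorp/hcl)" links to the HCL repository rather than Vault's own source, and the same URL is used again further down as the HCL reference in the Policy slide. Point this one at the Vault repository (github.com/hashicorp/vault) so the "written in Go / auditable" claim leads to the code it is about. Smaller points in the same hunk: "cross plateform" is now stated twice (under Vault and under Utilisation), the added line after it contains only trailing spaces, and the `$VAULT_TOKEN` bullet could say that the token is a credential and should not be left in shell history or shared dotfiles.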
@@ -181,68 +197,33 @@ $ vault login -method=ldap username=vimazeno
   * stocke le token d'authentificayion dans ~/.vault-token
 
 
-## LDAP
-
-```shell
-$ vault write auth/ldap/config \
-    url="ldaps://samantha.local.isima.fr" \
-    userattr="sAMAccountName" \
-    userdn="dc=local,dc=isima,dc=fr" \
-    groupattr="cn" \
-    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
-    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
-    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
-    bindpass="secret" \
-    insecure_tls="false" \
-    starttls="true"
-```
-
-[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html)
-
-
 ## Policy
 
-/etc/vault/users/cri.hcl
+description `/etc/vault/cri.hcl` ([hcl](https://github.com/hashicorp/hcl))
 
 ```
 # Write and manage secrets in key-value secret engine
 path "cri/*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }
-
-# To enable secret engines
-path "sys/mounts/*" {
-  capabilities = [ "create", "read", "update", "delete" ]
-}
-
-path "cubbyhole/*" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-
 ```
 
+* écriture
+
 ```shell
-$ vault policy write cri /etc/vault/cri.hcl
+$ vault policy write cri `/etc/vault/cri.hcl`
 ```
-
-
-## appliquer une policy à un groupe ldap
+* application à un groupe
 
 ```shell
 $ vault write auth/ldap/groups/cri policies=cri
 ```
 
+* création de token à aprtir de la policy
 
-## Utilisation
-
-* via la ligne de commande
-  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
-    * cross plateform
-    * deux variables d'environnement
-      * $VAULT_ADDR=https://vault.isima.fr
-      * $VAULT_TOKEN ou authentification ldap
-* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
-
+```shell
+$ vault token create -policy=cri
+```
 
 ## Workflow
 
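Review bot: in the added shell block, "$ vault policy write cri `/etc/vault/cri.hcl`" wraps the path in backticks, which the shell treats as command substitution, so anyone copying the line will try to execute the policy file instead of passing its path. Drop the backticks inside the fence, as in the removed line. The retained policy still grants "sudo" on "cri/*", and the new "vault token create -policy=cri" step now issues tokens directly from it, so either remove "sudo" from the example or say on the slide why it is needed. The hunk also removes the whole LDAP configuration slide while "vault write auth/ldap/groups/cri" is kept, so the deck no longer shows where the LDAP method comes from; a one-line pointer to the LDAP Auth Method documentation would cover that. Typo in the added bullet: "aprtir" should be "partir", and the "* application à un groupe" bullet needs a blank line after the closing fence.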
@@ -259,26 +240,6 @@ $ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
 $ vault delete cri/test
 ```
 
-
-## création de token
-
-my.hcl
-
-```
-path "secret/data/cri/apps/my" {
-  capabilities = ["create", "read", "update", "delete", "list"]
-}
-```
-
-```shell
-$ vault policy write vault/hcl/apps/my.hcl
-$ vault token create -policy=my
-```
-
-
-## Audit
-
-
 ## avec ansible
 
 * lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)
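Review bot: deleting the "création de token" slide removes the only example of a token limited to a single application path ("secret/data/cri/apps/my", without "sudo"); what remains is a token created from the full "cri" policy. If the deck is meant to show per-application tokens, keep a narrow-policy example here, and give the write command its policy name, since the removed "vault policy write vault/hcl/apps/my.hcl" passed only the file path. Removing the empty "## Audit" heading is fine.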