add vault

content/slides/index.html

@@ -20,6 +20,7 @@
       <li><a href="privacy/TLSvsPGP.html">tls vs PGP</a></li>
       <li><a href="privacy/tor.html">tor</a></li>
       <li><a href="privacy/tails.html">tails</a></li>
+      <li><a href="privacy/vault.html">vault</a></li>
       <li><a href="privacy/bitcoin.html">bitcoin</a></li>
     </ul>
   </li>

content/slides/privacy/md/vault.md

+#### Des secrets, des apps, des tokens, une équipe, un séquestre 
+
+## Vault en bref!
+
+![vault](../cri/images/vault.png "vault")<!-- .element width="30%" -->
+
+**By HashiCorp**
+
+
+## Les mots de passes
+
+1. ça ne se prête pas
+2. ça ne se laisse pas traîner à la vue de tous
+3. ça ne s'utilise qu'une fois
+4. si ça casse on remplace immédiatement
+5. un peu d'originalité ne nuit pas
+6. la taille compte
+7. il y a une date de péremption
+8. mieux vaut les avoir avec soi
+
+
+## C'est une question d'hygiène!
+
+![preservatif](images/passwords/preservatif-darvador.jpg)<!-- .element width="30%" -->
+
+[CNIL / Authentification par mot de passe : les mesures de sécurité élémentaires](https://www.cnil.fr/fr/authentification-par-mot-de-passe-les-mesures-de-securite-elementaires)
+
+
+## gestion de mot de passe
+
+[ photo ]
+
+
+## servicess
+
+* [LastPass](https://www.lastpass.com/fr)
+* [Dashlane](https://www.dashlane.com/)
+* [iCloud](https://www.icloud.com/), ...
+* [Google chrome](https://passwords.google.com/settings/passwords)
+
+![/o\](images/passwords/password.google.png)
+
+
+## KeePass
+
+* [KeePassXC](https://keepassxc.org/)
+* [<i class="fa fa-firefox" aria-hidden="true"></i> <i class="fa fa-chrome" aria-hidden="true"></i> KeePassXC-Browser Migration](https://keepassxc.org/docs/keepassxc-browser-migration/)
+* [KeePass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=fr)
+* iKeePass?
+
+* pas de gestion collaborative
+* pas d'ACL
+
+
+## Vault
+
+* Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
+
+  * serveur
+    * créer un service systemd
+
+  * cli
+    * `/usr/local/bin/vault `
+
+
+## Configuration
+
+`/etc/vault/vault.hcl`
+
+```
+backend "file" {
+  path = "/var/lib/vault"
+}
+ui = true
+disable_mlock = true
+listener "tcp" {
+  address     = "10.0.0.1:443"
+  tls_cert_file = "/etc/certs/vault.crt"
+  tls_key_file  =  "/etc/certs/vault.key"
+  tls_disable   = 0
+}
+```
+
+
+## Initialisation SSS (Shamir's Secret Sharing)
+
+```shell
+export VAULT_ADDR=https://10.0.0.1
+export VAULT_SKIP_VERIFY=True
+vault operator init -key-shares=3 -key-threshold=2
+```
+
+```shell
+Unseal Key 1: 6gAO3lmAhIaHzDAdkK256g2B2Dpeqy+z4jqQCJBID3d8
+Unseal Key 2: TO7DDRQXSPC3IQylPEBPjPGAGAGMzjEkjT/FL62m7UUd
+Unseal Key 3: CYfEbt83jYsQFcSErHT4Y5NCsrEtfFUE6tjQZKfP632K
+
+Initial Root Token: s.78MykQO2b5qcy03rtoNwmhr1
+
+Vault initialized with 3 key shares and a key threshold of 2. Please securely
+distribute the key shares printed above. When the Vault is re-sealed,
+restarted, or stopped, you must supply at least 2 of these keys to unseal it
+before it can start servicing requests.
+
+Vault does not store the generated master key. Without at least 2 key to
+reconstruct the master key, Vault will remain permanently sealed!
+
+It is possible to generate new unseal keys, provided you have a quorum of
+existing unseal keys shares. See "vault operator rekey" for more information.
+```
+
+
+## [<i class="fa fa-book" aria-hidden="true"></i> Secrets engines](https://www.vaultproject.io/docs/secrets/)
+
+!["secrets engines"](../cri/images/vault-secrets-engines.png "secrets engines")
+
+
+## KV
+
+```shell
+$ vault kv get cri/test
+====== Data ======
+Key          Value
+---          -----
+password1    secret$
+
+$ vault kv put cri/test password2=secret!
+Success! Data written to: cri/test
+
+$ vault kv get cri/test
+====== Data ======
+Key          Value
+---          -----
+password2    secret!
+```
+
+
+## KV2
+
+```shell
+vault secrets enable -path=cri kv
+vault kv enable-versioning cri/ # kv2
+```
+
+* les secrets sont versionnés
+* il est possible d'utiliser PATCH et pas seulement PUT
+
+```shell
+$ vault kv patch cri/test password1=secret$
+Success! Data written to: cri/test
+
+$ vault kv get cri/test
+====== Data ======
+Key          Value
+---          -----
+password1    secret$
+password2    secret!
+```
+
+
+## Authentification
+
+!["authentification"](../cri/images/vault-auth.png "authentification")
+
+
+## Authentification
+
+```shell
+vault login token=<root-token>
+```
+
+* par token
+  * root
+  * d'application
+
+```shell
+$ vault login -method=ldap username=vimazeno
+```
+
+* par ldap
+  * stocke le token d'authentificayion dans ~/.vault-token
+
+
+## LDAP
+
+```shell
+$ vault write auth/ldap/config \
+    url="ldaps://samantha.local.isima.fr" \
+    userattr="sAMAccountName" \
+    userdn="dc=local,dc=isima,dc=fr" \
+    groupattr="cn" \
+    groupfilter="(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={{.UserDN}}))" \
+    groupdn="ou=GROUPES_LOCAUX,dc=local,dc=isima,dc=fr" \
+    binddn="cn=vault,ou=Comptes de Services,dc=local,dc=isima,dc=fr" \
+    bindpass="secret" \
+    insecure_tls="false" \
+    starttls="true"
+```
+
+[<i class="fa fa-book" aria-hidden="true"></i> LDAP Auth Method](https://www.vaultproject.io/docs/auth/ldap.html)
+
+
+## Policy
+
+/etc/vault/users/cri.hcl
+
+```
+# Write and manage secrets in key-value secret engine
+path "cri/*" {
+  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
+}
+
+# To enable secret engines
+path "sys/mounts/*" {
+  capabilities = [ "create", "read", "update", "delete" ]
+}
+
+path "cubbyhole/*" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+
+```
+
+```shell
+$ vault policy write cri /etc/vault/cri.hcl
+```
+
+
+## appliquer une policy à un groupe ldap
+
+```shell
+$ vault write auth/ldap/groups/cri policies=cri
+```
+
+
+## Utilisation
+
+* via la ligne de commande
+  * [binaire à télécharger](https://releases.hashicorp.com/vault/)
+    * cross plateform
+    * deux variables d'environnement
+      * $VAULT_ADDR=https://vault.isima.fr
+      * $VAULT_TOKEN ou authentification ldap
+* via l'[<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
+
+
+## Workflow
+
+```shell
+$ vault secrets list
+$ vault kv list cri/
+$ vault kv get cri/services/vault/tokens
+$ vault kv get cri/services/vault/tokens # à chaque put on écrase les entrées qu'on ne réécrit pas
+$ vault kv get -format=json cri/services/vault/tokens
+$ vault kv get -format=json cri/services/vault/tokens | jq .data
+$ vault kv get -format=json cri/services/vault/tokens | jq .data.data.root
+$ vault kv put cri/test password2=$(date | sha256sum | cut -c -50)
+$ vault kv patch cri/test password1=$(date | sha256sum | cut -c -50)
+$ vault delete cri/test
+```
+
+
+## création de token
+
+my.hcl
+
+```
+path "secret/data/cri/apps/my" {
+  capabilities = ["create", "read", "update", "delete", "list"]
+}
+```
+
+```shell
+$ vault policy write vault/hcl/apps/my.hcl
+$ vault token create -policy=my
+```
+
+
+## Audit
+
+
+## avec ansible
+
+* lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)
+  * lecture uniquement
+  * pas de support natif pour kv2 à ce jour
+  * [patch maison](https://gitlab.isima.fr/cri/stack/blob/master/ansible/plugins/module_utils/vault.py)
+* module "community" [hashivault](https://github.com/TerryHowe/ansible-modules-hashivault)
+  * Reading and Writing
+    * supporte kv2
+  * Initialization, Seal, and Unseal
+  * Policy
+  * User Management
+  * ...
\ No newline at end of file

content/slides/privacy/vault.html

+<!doctype html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
+
+    <title>Vault</title>
+
+    <link rel="stylesheet" href="../../node_modules/reveal.js/css/reveal.css">
+    <link rel="stylesheet" href="../../node_modules/reveal.js/css/theme/white.css">
+    <link rel="stylesheet" href="../main.css">
+
+    <!-- Theme used for syntax highlighting of code -->
+    <link rel="stylesheet" href="../../node_modules/reveal.js/lib/css/zenburn.css">
+    <link rel="stylesheet" href="../../node_modules/font-awesome/css/font-awesome.min.css">
+
+    <!-- Printing and PDF exports -->
+    <script>
+      var link = document.createElement( 'link' );
+      link.rel = 'stylesheet';
+      link.type = 'text/css';
+      link.href = window.location.search.match( /print-pdf/gi ) ? '../../node_modules/reveal.js/css/print/pdf.css' : '../../node_modules/reveal.js/css/print/paper.css';
+      document.getElementsByTagName( 'head' )[0].appendChild( link );
+    </script>
+  </head>
+  <body>
+    <div class="reveal">
+      <div class="slides">
+        <section data-markdown="md/vault.md"
+         data-separator="^\n\n\n"
+         data-separator-vertical="^\n\n"
+         data-separator-notes="^Note:"
+         data-charset="utf-8">
+       </section>
+      </div>
+    </div>
+
+    <script src="../../node_modules/reveal.js/lib/js/head.min.js"></script>
+    <script src="../../node_modules/reveal.js/js/reveal.js"></script>
+
+    <script>
+      // More info about config & dependencies:
+      // - https://github.com/hakimel/reveal.js#configuration
+      // - https://github.com/hakimel/reveal.js#dependencies
+      Reveal.initialize({
+        controls: true,
+        progress: true,
+        history: true,
+        center: false,
+        dependencies: [
+          { src: '../../node_modules/reveal.js/plugin/markdown/marked.js' },
+          { src: '../../node_modules/reveal.js/plugin/markdown/markdown.js' },
+          { src: '../../node_modules/reveal.js/plugin/notes/notes.js', async: true },
+          { src: '../../node_modules/reveal.js/plugin/highlight/highlight.js', async: true, callback: function() { hljs.initHighlightingOnLoad(); } }
+        ]
+      });
+    </script>
+  </body>
+</html>