Commit 8226de1f authored by Vincent Mazenod
finish vault

parent 7f17c786
Pipeline #4300 passed
Changed images:
content/slides/cri/images/vault-auth.png (33.1 KiB -> 33.4 KiB)
content/slides/cri/images/vault-secrets-engines.png (29.3 KiB -> 29.5 KiB)
content/slides/privacy/images/vault/web.png (28 KiB)

#### Des secrets, des apps, des tokens, des équipes, un séquestre
## Vault en bref!
![vault](../cri/images/vault.png "vault")<!-- .element width="30%" -->
**By HashiCorp**
## Les mots de passes
1. ça ne se prête pas
2. ça ne se laisse pas traîner à la vue de tous
3. ça ne s'utilise qu'une fois
4. si ça casse on remplace immédiatement
5. un peu d'originalité ne nuit pas
6. la taille compte
7. il y a une date de péremption
8. mieux vaut les avoir avec soi
## C'est une question d'hygiène!
![preservatif](images/passwords/preservatif-darvador.jpg)<!-- .element width="30%" -->
[CNIL / Authentification par mot de passe : les mesures de sécurité élémentaires](https://www.cnil.fr/fr/authentification-par-mot-de-passe-les-mesures-de-securite-elementaires)
## gestion de mot de passe
![vault](images/vault/password_management.jpg "vault")<!-- .element width="80%" -->
## services
* [LastPass](https://www.lastpass.com/fr)
* [Dashlane](https://www.dashlane.com/)
* [iCloud](https://www.icloud.com/), ...
* [Google chrome](https://passwords.google.com/settings/passwords)
#### Des secrets, des apps, des tokens, des équipes, un séquestre
![/o\](images/passwords/password.google.png)
## Vault
## KeePass
* By HashiCorp
* [écrit en go](https://github.com/hashicorp/hcl)
* cross plateform
* [hcl](https://github.com/hashicorp/hcl)
* intégration avec [consul](https://www.consul.io) & [terraform](https://www.terraform.io/)
* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
* [documenté](https://www.vaultproject.io/docs/)
* ... couteau suisse
* [KeePassXC](https://keepassxc.org/)
* [<i class="fa fa-firefox" aria-hidden="true"></i> <i class="fa fa-chrome" aria-hidden="true"></i> KeePassXC-Browser Migration](https://keepassxc.org/docs/keepassxc-browser-migration/)
* [KeePass2Android](https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=fr)
* iKeePass?
<br />
## Vault
### pas de gestion collaborative!
### pas d'ACL!
* Un binaire [vault](https://releases.hashicorp.com/vault/) qui fait
* serveur
* [<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
* UI web
* cli
```shell
$ export $VAULT_ADDR=https://10.0.0.1
```
## Vault
* Un binaire: [https://releases.hashicorp.com/vault/](https://releases.hashicorp.com/vault/)
## Configuration
* un serveur
* un cli
* une [<i class="fa fa-book" aria-hidden="true"></i> api](https://www.vaultproject.io/api/overview)
* une UI web
`/etc/vault/vault.hcl`
* [écrit en go](https://github.com/hashicorp/hcl)
* [auditable](https://www.vaultproject.io/docs/commands/audit/enable.html)
* cross plateform
```
backend "file" {
path = "/var/lib/vault"
}
ui = true
disable_mlock = true
listener "tcp" {
address = "10.0.0.1:443"
tls_cert_file = "/etc/certs/vault.crt"
tls_key_file = "/etc/certs/vault.key"
tls_disable = 0
}
```
## Initialisation SSS (Shamir's Secret Sharing)
## initialisation SSS
### Shamir's Secret Sharing
```shell
export VAULT_ADDR=https://10.0.0.1
export VAULT_SKIP_VERIFY=True
vault operator init -key-shares=3 -key-threshold=2
$ vault operator init -key-shares=3 -key-threshold=2
```
```shell
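Review bot: `export $VAULT_ADDR=https://10.0.0.1` on the cli slide has a stray `$` in the assignment; the shell expands `$VAULT_ADDR` (empty) before `export` runs, so the variable is never set. Write it as `export VAULT_ADDR=https://10.0.0.1`, as the initialisation slide already does. In that initialisation block, `export VAULT_SKIP_VERIFY=True` switches off certificate verification for every command that follows, which throws away the `tls_cert_file`/`tls_key_file` listener just configured in `vault.hcl`; point the client at the CA instead (`export VAULT_CACERT=/path/to/ca.crt`) or mark the skip as lab-only on the slide. Two smaller points in the config: `disable_mlock = true` allows Vault's memory (master key included) to be swapped to disk, so it should be labelled a demo setting, and `backend "file"` is the legacy spelling of the `storage` stanza.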
......@@ -90,9 +70,6 @@ before it can start servicing requests.
Vault does not store the generated master key. Without at least 2 key to
reconstruct the master key, Vault will remain permanently sealed!
It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
```
......@@ -103,44 +80,47 @@ existing unseal keys shares. See "vault operator rekey" for more information.
## Authentification
par token
```shell
vault login token=<root-token>
$ vault login token=<root-or-app-token>
```
* par token
* root
* d'application
equivalent à
```shell
$ vault login -method=ldap username=vimazeno
$ export VAULT_TOKEN token=<root-or-app-token>
```
* par ldap
* stocke le token d'authentificayion dans ~/.vault-token
par ldap
```shell
$ vault login -method=ldap username=mazenovi
```
stocke le token dans `~/.vault-token` et `$VAULT_TOKEN`
## Policy
description `/etc/vault/cri.hcl` ([hcl](https://github.com/hashicorp/hcl))
## Policy (ACL)
```
path "cri/*" {
capabilities = ["create", "read", "update", "delete", "list", "sudo"]
capabilities = ["create", "read", "update", "delete", "list"]
}
```
* écriture
écriture
```shell
$ vault policy write cri `/etc/vault/cri.hcl`
```
* application à un groupe
application à un groupe ldap
```shell
$ vault write auth/ldap/groups/cri policies=cri
```
* création de token à aprtir de la policy
création de token à partir de la policy
```shell
$ vault token create -policy=cri
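Review bot: `export VAULT_TOKEN token=<root-or-app-token>` on the token slide is not the command it claims to be equivalent to: `export VAULT_TOKEN` marks an unset variable for export, and `token=...` then creates a separate variable named `token`. The working form is `export VAULT_TOKEN=<root-or-app-token>`. Likewise `vault policy write cri `/etc/vault/cri.hcl`` wraps the path in backticks, which the shell treats as command substitution (it would try to execute the .hcl file and pass its output as the path); use `vault policy write cri /etc/vault/cri.hcl`. Dropping `sudo` from the `cri/*` capabilities is the right least-privilege change and is worth stating on the slide, since `sudo` is what would let a policy holder reach root-protected paths.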
......@@ -152,11 +132,7 @@ $ vault token create -policy=cri
!["secrets engines"](../cri/images/vault-secrets-engines.png "secrets engines")
## Workflow
* deux variables d'environnement
* $VAULT_ADDR=https://vault.isima.fr
* $VAULT_TOKEN ou authentification ldap
## workflow
```shell
$ vault secrets list
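Review bot: the workflow slide sets `$VAULT_ADDR=https://vault.isima.fr` while the cli and initialisation slides use `https://10.0.0.1`; pick one address for the deck (or say the IP is the lab instance) so readers copying the commands reach the intended server, and drop the leading `$` in the two bullets, which reads as an assignment that would not work in a shell. The `$VAULT_TOKEN ou authentification ldap` bullet could also say that after `vault login` the token is read from `~/.vault-token`, as the ldap slide states, so the variable is only needed when no login has been done.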
......@@ -171,49 +147,6 @@ $ vault delete cri/test
```
## KV
```shell
$ vault kv get cri/test
====== Data ======
Key Value
--- -----
password1 secret$
$ vault kv put cri/test password2=secret!
Success! Data written to: cri/test
$ vault kv get cri/test
====== Data ======
Key Value
--- -----
password2 secret!
```
## KV2
```shell
vault secrets enable -path=cri kv
vault kv enable-versioning cri/ # kv2
```
* les secrets sont versionnés
* il est possible d'utiliser PATCH et pas seulement PUT
```shell
$ vault kv patch cri/test password1=secret$
Success! Data written to: cri/test
$ vault kv get cri/test
====== Data ======
Key Value
--- -----
password1 secret$
password2 secret!
```
## avec ansible
* lookup natif [hashi_vault](https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html)
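Review bot: the KV slide shows `password1` vanishing after `vault kv put cri/test password2=secret!` but never says why; add one line stating that `kv put` replaces the whole secret, which is exactly the contrast the KV2 slide then draws with `kv patch` merging `password1` back in. Also quote values that contain `$` or `!` (`'secret$'`, `'secret!'`): unquoted, they are only preserved here because of where the characters fall in the word, and an interactive shell can expand either one in other positions.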
......@@ -225,4 +158,14 @@ password2 secret!
* supporte kv2
* Initialization, Seal, and Unseal
* Policy
* User Management
\ No newline at end of file
* User Management
## UI
!["UI"](images/vault/web.png "UI")
## Merci !!
!["carnets mots de passe"](images/vault/password_management.jpg "carnets mots de passe")<!-- .element width="80%" -->