Secret Management: KMS/CredStash/YubiKey/HashiCorp Vault

Details
Secret management is an integral part of any infrastructure, whether the secrets are passwords, API keys, SSH keys, SSL certificates, or anything else. For the June meetup, we would like to take a look at secret management in and around AWS.
Agenda:
• [9:45-10:15] Data at Rest encryption using AWS KMS [Meenakshi S, Pegasystems]
AWS KMS makes it easy to manage encryption keys used to encrypt data stored by your applications regardless of where you store it. You can easily create, import, and rotate keys, define usage policies, audit usage and integrate it with several other AWS services.
• [10:15-10:35] Using YubiKey Neo for managing SSH private key [Rajiv M Ranganath, Atihita Inc]
YubiKey NEO is a respected security product which can be described as a "swiss army knife" for authentication and encryption. In this short presentation and demo, we'll demonstrate the GPG applet feature of the YubiKey. The YubiKey stores the GPG key material on a secure element ( https://www.justaskgemalto.com/en/what-is-a-secure-element/ ). We will generate an SSH public key from the GPG authentication key and use it to log in remotely to our server. SSH also has a feature known as "agent forwarding". We will demonstrate how this feature can be used together with the YubiKey NEO to log in securely to a private network through a bastion host.
• [10:35-11:05] Secret Management with Hashicorp Vault on AWS [Sanjay Bhatt, Pratik Shah and Anjali Pawar, Philips Lighting India Limited]
In this talk we will give an overview of how HashiCorp Vault helps address secrets management:
Vault setup on AWS: basics and bootstrapping of Vault.
Authentication and authorization aspects of Vault.
Secret management: storing secrets in Vault and retrieving them.
Backup of Vault storage and its recovery.
Observations and Q&A.
• [11:05-11:25] Break
• [11:25-11:45] Vault + Consul: cubbyhole, OTP [Bharath R S, Media.net]
HashiCorp Vault in combination with Consul is an effective tool for managing secrets and for secure login to servers. We shall discuss the implementation of cubbyhole, the principles of OTP-based authentication, and the importance of consul-replicate in multi-datacenter deployments.
• [11:45-12:00] Storing your secrets using CredStash (KMS/DynamoDB) [Habeeb Rahman, LogMeIn]
CredStash is a very simple, easy-to-use credential management and distribution system that uses:
AWS Key Management Service (KMS) for key wrapping and master key storage;
DynamoDB for credential storage and sharing.
• [12:00-12:30] Off the Record: Q&A