Using vault for your NodeJS Secrets
Taswar Bhatti – Solutions Architect
Gemalto
Secrets
About me
• Taswar Bhatti (Microsoft MVP)
• @taswarbhatti
• http://taswar.zeytinsoft.com
• Gemalto (System Architect)
So what are secrets?
• Secrets grant you AuthN (authentication) or AuthZ (authorization) to a system
• Examples
• Username & Passwords
• Database credentials
• API Token
• TLS Certs
Secret Sprawl
• Secrets end up in
• Source Code
• Version Control Systems (Github, Gitlab, Bitbucket etc)
• Configuration Management (Chef, Puppet, Ansible etc)
Issues
• How do we know who has access to those secrets?
• When was the last time they accessed them?
• What if we want to change/rotate the secrets?
Desired properties for secrets
• Encryption at rest and in transit
• Only decrypted in memory
• Access control
• Rotation & Revocation
Secret Management - Vault
• Centralized Secret Management
• Encrypted at rest and in transit
• Lease and Renewal
• ACL
• Audit Trail
• Multiple client auth methods (LDAP, GitHub, AppRole)
• Dynamic Secrets
• Encryption as a Service
Dynamic Secrets
• Allows one to lease a secret for a period of time, e.g. 2 hrs
• Generated on demand and unique for each user/consumer
• Audit trail
Secure Secrets
• AES 256 with GCM encryption
• TLS 1.2 for clients
• No HSM is required
Unsealing the Vault
• Vault requires encryption keys to encrypt data
• Shamir Secret Sharing
• The master key is split into multiple key shares
Shamir Secret Sharing
Unseal
• Unseal Key 1: QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• Unseal Key 2: 1pxViFucRZDJ+kpXAeefepdmLwU6QpsFZwseOIPqaPAC
• Unseal Key 3: bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• Unseal Key 4: o40xl6lcQo8+DgTQ0QJxkw0BgS5n6XHNtWOgBbt7LKYE
• Unseal Key 5: Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
• Initial Root Token: 5b781ff4-eee8-d6a1-ea42-88428a7e8815
• Vault initialized with 5 keys and a key threshold of 3. Please securely distribute the above keys. When the Vault is re-sealed, restarted, or stopped, you must provide at least 3 of these keys to unseal it again.
• Vault does not store the master key. Without at least 3 keys, your Vault will remain permanently sealed.
How to unseal
• vault unseal -address=${VAULT_ADDR} QZdnKsOyGXaWoB2viLBBWLlIpU+tQrQy49D+Mq24/V0B
• vault unseal -address=${VAULT_ADDR} bw+yIvxrXR5k8VoLqS5NGW4bjuZym2usm/PvCAaMh8UD
• vault unseal -address=${VAULT_ADDR} Gh7WPQ6rWgGTBRSMecuj8PR8IM0vMIFkSZtRNT4dw5MF
Writing Secrets
• vault write -address=${VAULT_ADDR} secret/hello value=world
• vault read -address=${VAULT_ADDR} secret/hello
• Key                 Value
• ---                 -----
• refresh_interval    768h0m0s
• value               world
Policy on secrets
• We can assign the policy to application roles; web-policy.hcl grants read-only access to secret/web/*:
path "secret/web/*" {
policy = "read"
}
• vault policy write -address=${VAULT_ADDR} web-policy ${DIR}/web-policy.hcl
Reading secrets based on policy
• vault read -address=${VAULT_ADDR} secret/web/web-apps
• vault read -address=${VAULT_ADDR} secret/hello
• Error reading secret/hello: Error making API request.
• URL: GET http://127.0.0.1:8200/v1/secret/hello
• Code: 403. Errors:
• * permission denied
Demo Using Vault
Demo Docker Environment VAR
• Issues with env variables
Mount Temp File System into App
• docker run -v /hostsecrets:/secrets ...
• Mitigates reading secrets from environment variables
• Store your wrap token in the mounted filesystem and use it with Vault
• Put a time limit on the wrap token
Wrap Token for App Secrets
• Time-limited token
• Used to unwrap some secrets
• vault read -wrap-ttl=60s -address=http://127.0.0.1:8200 secret/weatherapp/config
• Key Value
• --- -----
• wrapping_token: 35093b2a-60d4-224d-5f16-b802c82de1e7
• wrapping_token_ttl: 1m0s
• wrapping_token_creation_time: 2017-09-06 09:29:03.4892595 +0000 UTC
• wrapping_token_creation_path: secret/weatherapp/config
App Roles
• Allows machines or apps to authenticate with Vault
• Using a role_id and secret_id as credentials
• Assign policies to the app role
• Once logged in, you get back a token used to read secrets
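The wrap-token and AppRole flows from the last two slides as a small Node client (an added example, not the deck's demo code). The endpoints are Vault's real `auth/approle/login` and `sys/wrapping/unwrap`; `VaultClient`, `fakeVault`, the `demo-*` credentials and the secret values are constructed here so the flow runs offline.

```javascript
// Minimal Vault HTTP client for a Node app (added example; names are ours, not Vault's SDK).
// fetchImpl is injectable so the flow can run offline against the constructed fakeVault below.
class VaultClient {
  constructor(addr, fetchImpl = globalThis.fetch) {
    this.addr = addr.replace(/\/$/, ""); this.fetch = fetchImpl; this.token = null;
  }
  // One round trip; a Vault error (e.g. 403 when the policy does not cover the path)
  // becomes an exception carrying Vault's own error text.
  async request(method, path, body, token = this.token) {
    const headers = { "Content-Type": "application/json" };
    if (token) headers["X-Vault-Token"] = token;
    const res = await this.fetch(`${this.addr}/v1/${path}`,
      { method, headers, body: body ? JSON.stringify(body) : undefined });
    const data = await res.json();
    if (!res.ok) throw new Error(`${method} ${path}: ${res.status} ${(data.errors || []).join("; ")}`);
    return data;
  }
  // AppRole login: role_id + secret_id in, a client token carrying the role's policies out.
  async loginAppRole(roleId, secretId) {
    const data = await this.request("POST", "auth/approle/login",
      { role_id: roleId, secret_id: secretId }, null);
    this.token = data.auth.client_token;
    return data.auth;
  }
  // Unwrap a response-wrapping token (as produced by -wrap-ttl); on a real Vault it is single-use.
  async unwrap(wrapToken) {
    return (await this.request("POST", "sys/wrapping/unwrap", null, wrapToken)).data;
  }
  async readSecret(path) { return (await this.request("GET", path)).data; }
}

// Constructed fake Vault (not a real server): one AppRole bound to web-policy, which
// only covers secret/web/*, and one wrap token holding a config secret.
function fakeVault(url, init) {
  const path = url.replace(/^.*\/v1\//, "");
  const token = init.headers["X-Vault-Token"];
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  if (path === "auth/approle/login") {
    const { role_id, secret_id } = JSON.parse(init.body);
    return role_id === "demo-role-id" && secret_id === "demo-secret-id"
      ? reply(200, { auth: { client_token: "s.demo-token", policies: ["web-policy"] } })
      : reply(400, { errors: ["invalid role or secret ID"] });
  }
  if (path === "sys/wrapping/unwrap" && token === "demo-wrap-token")
    return reply(200, { data: { apikey: "constructed-api-key" } });
  if (token === "s.demo-token" && path.startsWith("secret/web/"))
    return reply(200, { data: { dbpass: "constructed-db-pass" } });
  return reply(403, { errors: ["permission denied"] }); // anything outside web-policy
}

// End-to-end: log in with AppRole, read a policy-scoped secret, unwrap the config token.
async function demo() {
  const vault = new VaultClient("http://127.0.0.1:8200", fakeVault);
  await vault.loginAppRole("demo-role-id", "demo-secret-id");
  return { web: await vault.readSecret("secret/web/web-apps"), cfg: await vault.unwrap("demo-wrap-token") };
}
```

Call `demo().then(console.log)` to run it offline; pass no second argument to `VaultClient` (Node 18+) to talk to a real Vault at the given address.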
Demo App Using Node
Kubernetes with Vault
• App reads its Kubernetes Service Account JWT
• App sends the JWT and role name to Vault
• Vault checks the signature of the JWT
• Vault sends it to the Kubernetes TokenReview API
• Vault sends back a valid token for the app
Thank you
• Contact me (taswar.bhatti@gemalto.com)
• @taswarbhatti
