Protecting plaintext secrets in configuration files
This is a modal window.
The media could not be loaded, either because the server or network failed or because the format is not supported.
Formal Metadata
| Title |
| |
| Title of Series | ||
| Number of Parts | 490 | |
| Author | ||
| License | CC Attribution 2.0 Belgium: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor. | |
| Identifiers | 10.5446/47228 (DOI) | |
| Publisher | ||
| Release Date | ||
| Language |
Content Metadata
| Subject Area | ||
| Genre | ||
| Abstract |
|
00:00
Computer fileConfiguration spaceConfiguration spaceComputer fileInformation securityComputer animation
00:33
Standard deviationParameter (computer programming)Standard errorForm (programming)Cartesian coordinate systemSoftwareComputer animation
00:57
ParsingProcess (computing)Letterpress printingIntegerDefault (computer science)Parameter (computer programming)Error messageParsingParameter (computer programming)Computer programmingComputer animation
01:37
Integrated development environmentVariable (mathematics)InformationComputer animation
01:59
DatabaseConfiguration spaceCodeService (economics)Computer fileBuilding
02:26
Data compressionConfiguration spaceReading (process)Configuration spaceCodeComputer animation
03:01
Bus (computing)Maxima and minimaFerry CorstenCartesian coordinate systemSource code
03:20
Point cloudVirtualizationPhysical systemComputer animationProgram flowchart
03:44
Configuration spaceFlow separationProjective planeComputer animation
04:01
Configuration spaceDevice driverPresentation of a groupLatent heatConfiguration spaceIntegrated development environmentReading (process)Different (Kate Ryan album)Link (knot theory)BitSoftwareComputer animation
05:18
Interface (computing)Data managementLibrary (computing)Computer animationLecture/Conference
05:33
Data managementCartesian coordinate systemEncryptionComputer animation
05:56
String (computer science)Glass floatIntegerBoolean algebraElectronic mailing listType theoryAddress spaceIP addressType theoryComputer animation
06:16
Default (computer science)Configuration spaceDirectory serviceComputer virusLocal ringPasswordTexture mappingIntrusion detection systemConfiguration spaceOrder (biology)Multiplication signMultiplicationElectronic mailing listVariable (mathematics)Cartesian coordinate systemDefault (computer science)Integrated development environmentPasswordImplementationSequenceComputer programmingDatabaseParameter (computer programming)Projective planeType theoryFront and back endsGroup actionSheaf (mathematics)Token ringInformationMessage passingData managementMappingSystem callDevice driverEntire functionConnected spaceDevice driverComputer animation
13:02
WindowMobile appDemo (music)Semiconductor memoryComputer animation
13:37
WindowFiber bundleDialectHacker (term)Computer animation
13:56
Integrated development environmentInternetworkingSalem, IllinoisInternetworkingComputer animation
14:13
Fiber bundleAnnulus (mathematics)Bus (computing)Computer animation
14:39
Integrated development environmentServer (computing)Token ringWindowDatabaseConfiguration spacePasswordComputer animation
14:58
WindowEmpennageHash functionMaxima and minimaQuarkConfiguration spaceScripting languageConfiguration spaceCartesian coordinate systemSource codeComputer animation
15:14
PasswordWechselseitige InformationCartesian coordinate system
15:30
Server (computing)Integrated development environmentToken ringConfiguration spaceEmpennageWindowHash functionMaxima and minimaMappingConfiguration spaceCartesian coordinate systemCasting (performing arts)Computer animationSource code
15:47
PasswordModulo (jargon)Local GroupMaxima and minimaFamilyWindowSource codeXMLProgram flowchartComputer animation
16:03
Server (computing)Token ringConfiguration spaceIntegrated development environmentWindowWeb Ontology LanguageInformationGroup actionCompilation albumDatabaseRootSign (mathematics)Identity managementFiber bundleAsynchronous Transfer ModeCellular automatonPressureIdeal (ethics)Computer animationSource code
16:42
Host Identity ProtocolToken ringConfiguration spacePasswordRootRandom numberMaxima and minimaSource codeComputer animation
16:56
WindowProgrammable read-only memoryConfiguration spaceToken ringFile formatConfiguration spaceDatabaseComputer animation
17:39
Validity (statistics)Token ringComputer animation
18:13
PasswordWindowDevice driverLandau theoryFiber bundleRoundingToken ringSource codeComputer animation
18:31
Mountain pass
19:10
FacebookPoint cloudOpen source
Transcript: English(auto-generated)
00:06
So hello, everyone. Welcome to our next talk in security dev room. Next speaker is Mujheesh, and he's talking about plaintext secrets in configuration files. Let's welcome him.
00:22
Thank you. Hi, everybody. I'm here to present my work on protecting plaintext secrets. This work has been driven in the OpenStack project, and it's mostly written in Python, what we have so far. Basically, in our applications or services,
00:41
we handle input, output, and we have many ways to interact with our applications. Basically, standard input, standard output, networking as well. We also have standard error. And then we get other forms of interaction, like arguments. And for Python, we have our parser.
01:01
In this short code, we can see, I can import our parser, I create my parser, and then I declare what will I expect as arguments. And then I can later use them. So I can call, and it automatically will generate me a helper for my program.
01:21
And I can call my program passing the arguments in the command line, and it will behave accordingly. And it will also handle types, for example. And, yeah, that's mostly for arguments.
01:41
Next one, we have environment variables. So Python, we use OS environment, and then you can import OS, and then see your environment variables. But also, we can have some private information there that we wanna keep it secret.
02:00
Another thing, configuration files. So usually when we deploy your building service application, we have the code, and then the code base, it usually doesn't change. And then we have the configuration, which usually changes from deployment to deployment, and we want to keep them in a separate place.
02:21
Usually, we use configuration files for database connection, for example. And in Python, we use config parser, which consumes any files, and you can see you have a session, and then like a key value on each session, and then you can access them
02:42
with the code. If I import config parser, create my parser, and then start parsing the file, I can see the sections, I can get the values of each key, and so on.
03:01
Then we also have signals to interact with. Then we have this bunch of signals. I'm not going to go through all of them. And finally, our application has like an exit code, where we can see if it worked or if it didn't, and then try to find out what happened.
03:21
Then in OpenStack, it's basically, some people call it a cloud operating system. It handles bare metal nodes, virtual machines, containers, and then on top of it, you can deploy basically anything. It's mostly, it stays in the layer
03:41
of infrastructure as a service, and OpenStack is broke, it's separate in lots of projects. This project is Oslo, which is OpenStack common libraries, and Oslo config is the package we use to handle configuration in OpenStack.
04:03
It's not, you don't really to be doing OpenStack stuff to use Oslo config. Most of the OpenStack libraries, they are, you can use them in any piece of software. You don't really need OpenStack for it.
04:21
So Oslo config, it supports configuration files, but also arguments, environment variables, all in one, and this bit more, which are the source drivers that I've been working in the past two years, and these source drivers, it's what allows Oslo config
04:42
to absorb configuration, to read configuration from different sources. So mainly in this talk, we are going to use also config to access secrets behind vault, which is a secret manager, but we have open specifications that you can find links for it in both of the posters
05:04
I attached to the presentation site, and then from the specification, you can create your own drivers and then use also config to draw the values from whatever source you want. So Castellon is another library under the Oslo project,
05:23
and it's a secret manager interface. So it can both talk to Barbican, which is the OpenStack secret manager, but it also talks to HashiCorp Vault, and then in the future, it can be enabled to talk to other secret managers.
05:42
And basically, your application is talking to vault, and then it has all the secrets stored, and then you authenticate to vault, you provide a key ID, and then it finally gives you the key, and then it's all encrypted. Oslo config, it has basic types,
06:01
where you can do type verification, string, boolean, integers, float, list, digs, and it also has some special types for validation, like URI, host name, IP address, host address, and port. And this is a simple, an example
06:21
of an application using Oslo config. So here, I'm importing from Oslo config, and you can see my options. For example, name, default world, the greeting, default hello, the times, default one.
06:41
And in my code, I create my configuration object, I register my options, and I call my object, and then at this moment, it will load all my configuration values. I can register command line options with the register CLI options.
07:02
I can register a single option with a group and the name, and here, if you use a plural, you have more than one option. This is a list, and then this is a single option. Okay, and when I run, it gets you the helper
07:24
from the information you put on it option. You can also change, it will automatically try to build the name of the arguments, but you can also override that. And then, when I call my program,
07:44
it's drawing basically the configuration from the default values, but now I can pass using the argument, and it changes behavior. I can have a configuration file, and then tell my program to use the configuration file,
08:03
and then it will load the data from the configuration file, and it happens if you put multiple sources of information, you will have the configuration file first, and then environment variables, and then argument, and then different sources.
08:21
It's in the documentation of the Oso project. You can check all the, how the fallbacks happen, and the order it acts as. So, if I call, oh, quite fast. If I call my program now, here,
08:41
just using arguments and configuration files, and then, on this example, this is environment variable. The environment variables, it's also a source drive that derived from the first implementation we did in 2017.
09:04
So, basically, you put environment variable with OS underlined as a prefix, OpenStack, and then the group name, greeting, and then underline, underline, and then you can put your option name. So, if I have greeting times
09:20
as a environment variable like that, it will draw the configuration from the environment. So, here I have a basic application, Flask application I made to run in my local machine. So, it has a host and a port it will listen to,
09:43
and then I have some database connection. And then I will try to connect to this database. And when I run my application, it should connect to the database, and then tells me if it was successful to connect or not. These values, they can be put to default.
10:03
So, I can make my configuration file smaller, and then just change them if I need. Of course, you're not going to put username and password as default on your new software. So, I'm calling my application like this,
10:23
passing the configuration file, it's still able to work. So, now I can kill my entire configuration file because I had sensitive information there, and I put them in the environment variables,
10:40
and I'm passing them here to my call. And then these examples, they go from most insecure to more secure. The next one we have, so this is now using the castellan driver to talk to the secret manager.
11:01
So, how it works, I have an option called config source in the default group, and then it defines this section called secrets. You can have more, as you can have a list type in also config, you can have multiple configuration sources, config sources, and then it will try to fetch configuration values
11:24
from them based on the order you declared them. So, I could have like secrets one, secrets two, secrets three, and then when my application runs, it will poke them in that sequence until it gets the value. On the session, you have to define the driver,
11:40
so this driver is castellan, and then you can create your own drivers. The config file for castellan itself, and a mapping file. On the config file for castellan, which is here, I have key manager, the backend vault on the example that I will be showing,
12:02
and you can also have barbican on OpenStack. And then there's a session that should be a session here, but I will be passing those values on the environment variable. And then the mapping file, it tells me, for the group DB username and password, they have these IDs.
12:25
So, when I poke the castellan driver, it will use this mapping file for when I ask it, give me the username of the group DB. It will then use this ID, and then talk to vault, and retrieve the secret which is under this ID.
12:42
So here, I call my application again, pass in my configuration file, and I pass my vault token on the environment. And then my application, it's able to talk to vault, get the credentials for the database, and then run.
13:01
I think this is the last slide, yes. Then here is the demo that I presented at EuroPython last year. I have Docker Compose, which I will run one Flask app in the first one. The second one is a vault server,
13:21
and the third one is a database. So, I will start Docker. Should have done that before, but it was killing my memory. Oh, my, okay.
13:59
So, we have that I'm not connected to the internet.
14:28
It doesn't work until I connect to my phone. And then, oh, I have internet, and then I can,
14:42
so I can connect to the database. And then I'm saying here the username and password I used and basically all the values are coming from the configuration file. Then I have the other examples.
15:00
On this one, on the plain text example, I have only my application configuration file, and this run script will call my application passing the configuration file. When I run it, it is using with this configuration, and I have here another node running
15:21
in a different port, the same application. So, going up another level, this is plain text example. So, now I have a secrets static. So, I have my application configuration file.
15:40
I have a cast alone file and the mapping for the secret. And when I run it, it will crash because vault is not running yet. It's sealed. It's here.
16:00
So, I started my container, my vault container. It is locked, so I have to unseal. And then now I have my token, which I can check it's unsealed. I have my secrets there. And then now, it will not crash. So, when I try to access, it connects to the database,
16:25
but I still have the same secrets there. So, if you have multiple nodes, the ideal is that you have different credentials for each node, because if you have 100 nodes running with the same secrets, if one gets compromised, all of them are compromised.
16:43
So, I have a third example. So, even though the secrets are encrypted and stored in vault, if you have multiple nodes, that's a problem. So, on this one, just see, I also have this example code,
17:02
a simple orchestrator that will talk to vault, get me a temporary token for my node, and then generate temporary credentials for my application, and then will create the configuration files. So, when I run this,
17:20
it talks to vault, creates the credentials for me, and then here I can see that I can connect to the database and I have a different username and a different password, and if I run this again and again, it will always create different credentials for me. If I go to vault and check,
17:42
check my access, lease, database, credentials. So, this is that token, and as this is an example, it's one minute valid token. You should have more running on production, but for this example, I put it just to one minute,
18:03
so we could check 13 seconds, it's still working, and now probably, okay,
18:23
the token expired, so it's no longer listed here, and when I try to connect again to the database, it will fail. So, that's it, thank you. Thank you. Thank you.
18:58
One more applause for the speaker.