Vaunting Vault!

Lansing DevOps Meetup
September 6th, 2016

Brendon Thiede

    Development Manager at Vertafore

    Focused on Automation

    Supporting CI for WordPress sites

What Secrets are we Keeping?

  • Human accessible
    • WiFi password
    • Test account credentials
  • Application/system accessible
    • Test account credentials
    • Various service credentials (DB, LDAP, etc.)

Where are we Keeping Secrets?

  • KeePass on Dropbox
  • Encrypted databags
  • Text files
  • Hard coded in app code ( ಠ_ಠ )

What are Threats to Secrets?

  • External
    • SFTP server hacked
    • User account compromised
  • Internal
    • Rogue employee

What is Vault?

  • Unified secrets storage/retrieval using REST
  • Protection from external threats
  • Protection from internal threats
  • Auditing

Unified Secrets Solution

  • One place for all the things!

Protection from External Threats

  • Modern encryption
  • Dynamic secrets
  • Encryption as a Service
  • Leasing and renewal

Protection from Internal Threats

  • Shamir's secret sharing
  • "Break glass" procedure
  • Single point revocation
  • ACLs for fine grained control
  • Multiple authentication methods (internal, LDAP, GitHub, etc.)


  • Everything is logged (with sha)
  • Logs can be shipped for analysis

Concepts for Discussion

  • Backends
  • Path structure