Hello, everyone, I'm Jackpop!
During this period of time, the most popular and topical things must be the Russian-Ukrainian war.
I saw an interesting news not long ago that the Automatic Control System (ACS) "Dnipro" of the Ukrainian Armed Forces used "admin" and "123456" as the server account password.
How could the automatic control system of the Armed Forces Department use such a simple password?
According to well-known website research, the number of users of the password "123456" has already topped the list.
There is naturally a lack of security awareness behind this. However, in today's Internet world, any website needs to register a new account password. If some complex account passwords are set, it will naturally bring a lot of burden to memory.
So, how to store the key data?
Before we get into the actual storage, let's briefly discuss what keys are and why we might need to manage them.
For a variety of reasons, most applications today are hosted on a cloud-based architecture. Whether on-premises or in the cloud, you may need to store your keys in a secure environment.
What is a secret key?
A key is a digital data that includes but is not limited to the following:
-
user password
-
system password
-
database password
-
API key
-
ssh key
-
OTPs
-
encryption keys etc...
Managing these keys is the responsibility of Information Security/DevOps in the organization. They ensure that there is no unauthorized access to the data.
Install Vault
What is Vault?
Vault is an identity-based secret and encryption management system that provides encryption services controlled by authentication and authorization methods.
Using Vault's user interface, CLI, or HTTP API, access to secrets and other sensitive data can be securely stored and managed, tightly controlled (restricted), and auditable.
First, let's install Vault on our local system:
macOS
On macOS, we can use brew to install.
First, install the HashiCorp tap:
$brew tap hashicorp/tap
Install Vault:
$brew upgrade hashicorp/tap/vault
Windows
On Windows, we can use Chocolatey to install:
$choco install vault
Ubuntu
$curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -
Add the official HashiCorp Linux repository:
$ sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"
Update and install:
$ sudo apt-get update && sudo apt-get install vault
Start the Vault service:
Once the installation is complete, verify the installation with the following command:
$ vault status
output:
dineshkumarkb@dineshkumarkb% vault status
Key Value
--- -----
Seal Type shamir
Initialized true
Sealed false
Total Shares 1
Threshold 1
Version 1.9.0
Storage Type inmem
Cluster Name vault-cluster-5bfc48b1
Cluster ID 4f365a2d-2b5c-37ae-4ba3-c8b76a3e56a5
HA Enabled false
Start the service:
vault server -dev
output:
==> Vault server configuration:
Api Address: http://127.0.0.1:8200
Cgo: disabled
Cluster Address: https://127.0.0.1:8201
Go Version: go1.17.2
Listener 1: tcp (addr: "127.0.0.1:8200", cluster address: "127.0.0.1:8201", max_request_duration: "1m30s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: false, enabled: false
Recovery Mode: false
Storage: inmem
Version: Vault v1.9.0
==> Vault server started! Log data will stream in below:
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://127.0.0.1:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: WO3EV3INnT7cAPozmQB2S0DotmLg8eMa7q+CBRbrtUE=
Root Token: s.PrJcwT6kkUfG3kJdfhenoN9a
Development mode should NOT be used in production installations!
The Dev server is a built-in, pre-configured server that is not very secure, but is useful for playing Vault locally.
The server displays the unseal key and the root token, which changes every time you start the server. So make sure to add that token to the environment variable every time you restart the server.
The Dev server stores all its data in memory, listens on localhost without TLS, and automatically unseals and shows you the unseal key and root access key.
Add server details to PATH
$ export VAULT_ADDR='http://127.0.0.1:8200'
$ export VAULT_TOKEN="s.PrJcwT6kkUfG3kJdfhenoN9a"
When running Vault in development mode, the Key/Value v2 secret engine is enabled at secret/path.
The Key/Value Secret Engine is a general-purpose key-value store for storing arbitrary secrets in physical storage configured for Vault.
Secrets written to Vault are encrypted and then written to backend storage.
So the backend storage mechanism will never see the unencrypted value and there is no need to decrypt it without Vault.
Access Vault
Vault provides multiple mechanisms such as UI, Cli and API to store/get secrets, which can be stored/retrieved using various secret engines.
However, the Vault server always uses the Key/Value engine in development mode.
The Key/Value Secret Engine is a general-purpose key-value store for storing arbitrary secrets in physical storage configured for Vault. Secrets written to Vault are encrypted and then written to backend storage.
To access the user interface, open in your browser https://127.0.0.1:8200:
Servers in development mode will store secrets in secret/.
Writing KV keys in Python
Now that our Vault development server is up and running, let's try storing keys using Python.
Note that the development server stores all keys in memory, and when the server session ends, all keys are deleted.
HVAC is the vault API client that we will use to interact with the Vault server, so it needs to be installed.
Install HVAC
$ pip install hvac
Links to HVAC Customers
import hvac
def init_server():
client = hvac.Client(url='http://localhost:8200')
print(f" Is client authenticated: {client.is_authenticated()}")
init_server()
Output:
Is client authenticated: True
def write_secret():
create_response = client.secrets.kv.v2.create_or_update_secret(path='hello', secret=dict(foo="bar"))
print(create_response)
write_secret()
output:
{
"request_id":"f2e29013-09f9-efd7-f51e-825c4a6d8f75",
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"created_time":"2021-12-02T07:34:58.187639Z",
"custom_metadata":"None",
"deletion_time":"",
"destroyed":false,
"version":1
},
"wrap_info":"None",
"warnings":"None",
"auth":"None"
}
You can verify these keys from the UI/CLI. The key we just wrote is stored in secrets/hello.
read key
def read_secret():
read_response = client.secrets.kv.v2.read_secret_version(path='hello')
print(read_response)
read_secret()
output:
{
"request_id":"9c2fb05c-f78a-837a-a6d0-6b7a59b4d45d",
"lease_id":"",
"renewable":false,
"lease_duration":0,
"data":{
"data":{
"foo":"bar"
},
"metadata":{
"created_time":"2021-12-02T07:34:58.187639Z",
"custom_metadata":"None",
"deletion_time":"",
"destroyed":false,
"version":1
}
},
"wrap_info":"None",
"warnings":"None",
"auth":"None"
}
The read response contains all the keys stored in hello in the data object, as well as the metadata for the keys.
Vault's capabilities are not limited to KV engines, they also support multi-cloud platforms such as GCP, Azure and AWS's dedicated engines and APIs.
If you are interested, you can learn more about it!
Finally, I would like to recommend a very good platform for you to practice algorithms and programming skills, covering different fields and directions such as Java, algorithms, Python, SQL, etc. The question bank is rich and completely free:
https://www.nowcoder.com/exam/oj?tab=%E7%AE%97%E6%B3%95%E7%AF%87&topicId=295&fromPut=pc_zh_liudong0110_suanfa