Delivering Secret Zero: Vault AppRole with Terraform and Chef
Mar 09, 2018
When thinking about how to securely deliver secrets to our applications, we often run into a chicken-and-egg scenario: to protect secrets with encryption, we create a key that unlocks that encryption, and that key itself has to sit somewhere unencrypted so it can be used. Learn how Vault AppRole can help with this secure-introduction problem.
Teddy Sacilowski, Sr. Enterprise Architect, HashiCorp
Whenever a security team opts for Vault's auto-unseal functionality instead of the default Shamir's secret sharing approach, it runs into the "secret-zero" problem. Auto-unseal needs an HSM or cloud KMS to protect the unseal key, but Vault has to authenticate to that HSM or KMS, so a credential for those systems now lives outside them, in the script that starts the auto-unseal process. The same question, how the first credential reaches the thing that needs it, comes up for every application that has to log in to Vault.
In this webinar, Teddy Sacilowski introduces how authentication in Vault works, gives an overview of the AppRole Auth Method, and explains how it integrates with Terraform and Chef. Finally, Teddy gives a demo of how this can be used to mitigate the secret-zero problem and wraps up by answering questions from the audience about Vault.
» Watch to learn:
- How authentication in Vault works
- How Terraform can interact with Vault via its Vault Provider
- How to interact with Vault in Chef recipes
- 0:00 - 0:20 - Vault AppRole
- 0:20 - 0:45 - Demo
- 0:45 - 1:00 - Live Q&A
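The following Terraform configuration is an added example of the AppRole secure-introduction pattern that the webinar covers; it is not code from the talk or from HashiCorp, and the role name `demo-app`, the policy path `secret/data/demo-app/*`, the CIDR `10.0.1.0/24` and the TTLs are assumptions chosen for illustration. It uses the Terraform Vault provider's `vault_auth_backend`, `vault_approle_auth_backend_role` and `vault_approle_auth_backend_role_secret_id` resources (current provider attribute names; older provider releases called `token_policies` simply `policies`). The role ID is the long-lived half that can be baked into node configuration by Chef; the secret ID is minted single-use, short-lived, CIDR-bound, and handed out only inside a response-wrapping token, so the only thing that ever travels in the clear is a token that can be redeemed once and expires in two minutes.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Address and an operator token come from VAULT_ADDR / VAULT_TOKEN in the
# environment; never put the operator token in the configuration itself.
provider "vault" {}

# Enable the AppRole auth method.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

# Least-privilege policy for the application: read-only on its own KV path
# (assumed path, KV v2 data prefix).
resource "vault_policy" "demo_app" {
  name   = "demo-app"
  policy = <<-EOT
    path "secret/data/demo-app/*" {
      capabilities = ["read"]
    }
  EOT
}

# The role. The constraints on the secret ID are what make secret zero safe
# to hand out: one use, five-minute lifetime, and only from the app subnet
# (assumed 10.0.1.0/24).
resource "vault_approle_auth_backend_role" "demo_app" {
  backend               = vault_auth_backend.approle.path
  role_name             = "demo-app"
  token_policies        = [vault_policy.demo_app.name]
  secret_id_bound_cidrs = ["10.0.1.0/24"]
  secret_id_num_uses    = 1
  secret_id_ttl         = 300
  token_ttl             = 1200
  token_max_ttl         = 3600
}

# Mint a secret ID, but ask Vault to return it response-wrapped: Terraform
# receives a single-use wrapping token valid for 120 seconds instead of
# the secret ID itself.
resource "vault_approle_auth_backend_role_secret_id" "demo_app" {
  backend      = vault_auth_backend.approle.path
  role_name    = vault_approle_auth_backend_role.demo_app.role_name
  wrapping_ttl = "120s"
}

# The role ID is not secret on its own; it can go into Chef attributes.
output "role_id" {
  value = vault_approle_auth_backend_role.demo_app.role_id
}

# The wrapping token is the only value delivered to the node at bootstrap.
output "wrapping_token" {
  value     = vault_approle_auth_backend_role_secret_id.demo_app.wrapping_token
  sensitive = true
}
```

On the node, the Chef recipe (or a bootstrap script) redeems the wrapping token with `vault unwrap` to obtain the secret ID, then logs in with `vault write auth/approle/login role_id=... secret_id=...`; because `secret_id_num_uses` is 1, a second login with the same secret ID fails, and because the wrapping token is single-use, a successful unwrap by anyone else shows up as an unwrap failure on the node. Before unwrapping, run `vault token lookup` on the wrapping token and check that its `creation_path` is `auth/approle/role/demo-app/secret-id`; a different path means the token was not minted by this role and should be treated as an attempted substitution. Note that Terraform writes resource attributes, including `wrapping_token`, to its state file, so the state must be protected like any other secret store; the short TTL and single use limit the blast radius if it leaks.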