Runtime Protection for Vault (and Consul)
Mar 07, 2019
HUG community member Yan Michalevsky, the co-founder and CTO of Anjuna, gave this talk on securing application perimeters by putting the application into a Secure Enclave and using HashiCorp Vault.
This session explores a runtime security solution based on Secure Enclaves, such as Intel Software Guard Extensions (SGX). While there is tremendous promise in Intel SGX, adoption so far has been limited to very specific products where development teams were able to put in significant engineering effort to secure small (and sensitive) parts of their applications. Moreover, the lack of straightforward interoperability with modern high-level languages like Go further limits the usability of Secure Enclaves.
In this talk, Yan demonstrates a way to secure HashiCorp Vault from attackers that have complete control of the host server, by loading the application into a Secure Enclave. The user experience remains unhindered since all APIs and interaction with the Vault server remain as they were. Lastly, the talk will explain how to establish trust between the protected Vault instance and remote Vault clients using an attestation mechanism that is elegantly integrated into HTTPS.
This talk was part of the first HashiTalks online event—A 24-hour continuous series of presentations from the worldwide HashiCorp User Group (HUG) community and from HashiCorp engineers as well. The event took place from February 21-22, 2019.
Check out your local chapter or start a new one here.