/vault-demo

Primary LanguageHCLMozilla Public License 2.0MPL-2.0

Vault demonstration

This repository is dedicated to the talk: Be secret like a ninja with Vault Hashicorp.

Disclaimer: The repository is here for demonstration purpose. Meaning: No best practice and a lot of review.

For the demonstration, we will based on a basic website using the following LAMP stack:

  • APACHE
  • MYSQL
  • PHP

You can learn more with the related blog post

Steps ? Which steps ?

Based on website in step0, which is our starting point website, we will integrate the Vault step by step.

Step 0: Find secrets

Our starting point website.

We will find secrets inside the code.

See more on the REAME.md.

Related blog post: MIGRATE YOUR SECRETS APPLICATION - PART1

Step 1: Static Secrets

In this step, we add a entrypoint dealing with Vault (Authentication + retrieve secrets) inside the application without changing the code.

See more on the REAME.md.

Related blog post: MIGRATE YOUR SECRETS APPLICATION - PART1

Step 2: Dynamic Secrets

In this step, we remove the entrypoint in the previous step and changing the applications code.

The goal is to use, at each time, a new database user (username+password) access.

See more on the REAME.md.

Related blog post: MIGRATE YOUR SECRETS APPLICATION - PART2

Step 3: Encryption as a Service

In this step, based on the previous step, we will add encryption and decryption process.

The goal is to encrypt the data into the database.

See more on the REAME.md.

Related blog post: ENCRYPTION AS A SERVICE

Step 4 (bonus): Vault agent & Consul Env

In this step, based on the previous step, we will use Vault agent to authentication with Vault server and Consul Env to populate secrets into environment variables.

The goal is to interact with the Vault transparently for an application (no app change).

See more on the REAME.md.

Related blog post: VAULT AGENT

Step 4b (bonus): Vault agent only

In this step, based on the step 3, we will use Vault agent to authentication with Vault server and to render template file with secrets. It's an alternative to the step 4. The step 4 is a way to implement secret through environment variables and step 4b is a way to implement secret through a file.

The goal is to interact with the Vault transparently for an application (no app change).

See more on the REAME.md.

Related blog post: VAULT AGENT

Contact

You see something wrong ? You want extra information or more ?

Contact me: 3exr269ch@mozmail.com