Red Hat Summit25.5. Storing a Service Secret in a Vault
This section shows how an administrator can use vaults to securely store a service secret in a centralized location. The service secret is encrypted with the service public key. The service then retrieves the secret using its private key on any machine in the domain. Only the service and the administrator are allowed to access the secret.
This section includes these procedures:
In the procedures:
adminis the administrator who manages the service passwordhttp_passwordis the name of the private user vault created by the administratorpassword.txtis the file containing the service passwordpassword_vaultis the vault created for the serviceHTTP/server.example.comis the service whose password is being archivedservice-public.pemis the service public key used to encrypt the password stored inpassword_vault
25.5.1. Creating a User Vault to Store a Service Password
Create an administrator-owned user vault, and use it to store the service password. The vault type is standard, which ensures the administrator is not required to authenticate when accessing the contents of the vault.
- Log in as the administrator:
kinit admin
$ kinit adminCopy to Clipboard Copied! - Create a standard user vault:
ipa vault-add http_password --type standard
$ ipa vault-add http_password --type standard --------------------------- Added vault "http_password" --------------------------- Vault name: http_password Type: standard Owner users: admin Vault user: adminCopy to Clipboard Copied! - Archive the service password into the vault:
ipa vault-archive http_password --in password.txt
$ ipa vault-archive http_password --in password.txt ---------------------------------------- Archived data into vault "http_password" ----------------------------------------Copy to Clipboard Copied! WarningAfter archiving the password into the vault, deletepassword.txtfrom your system.
25.5.2. Provisioning a Service Password from a User Vault to Service Instances
Using an asymmetric vault created for the service, provision the service password to a service instance.
- Log in as the administrator:
kinit admin
$ kinit adminCopy to Clipboard Copied! - Obtain the public key of the service instance. For example, using the
opensslutility:- Generate the
service-private.pemprivate key.openssl genrsa -out service-private.pem 2048
$ openssl genrsa -out service-private.pem 2048 Generating RSA private key, 2048 bit long modulus .+++ ...........................................+++ e is 65537 (0x10001)Copy to Clipboard Copied! - Generate the
service-public.pempublic key based on the private key.openssl rsa -in service-private.pem -out service-public.pem -pubout
$ openssl rsa -in service-private.pem -out service-public.pem -pubout writing RSA keyCopy to Clipboard Copied!
- Create an asymmetric vault as the service instance vault, and provide the public key:
ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem
$ ipa vault-add password_vault --service HTTP/server.example.com --type asymmetric --public-key-file service-public.pem ---------------------------- Added vault "password_vault" ---------------------------- Vault name: password_vault Type: asymmetric Public key: LS0tLS1C...S0tLS0tCg== Owner users: admin Vault service: HTTP/server.example.com@EXAMPLE.COMCopy to Clipboard Copied! The password archived into the vault will be protected with the key. - Retrieve the service password from the administrator's private vault, and then archive it into the new service vault:
ipa vault-retrieve http_password --out password.txt
$ ipa vault-retrieve http_password --out password.txt ----------------------------------------- Retrieved data from vault "http_password" -----------------------------------------Copy to Clipboard Copied! ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
$ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt ----------------------------------- Archived data into vault "password_vault" -----------------------------------Copy to Clipboard Copied! This encrypts the password with the service instance public key.WarningAfter archiving the password into the vault, deletepassword.txtfrom your system.
Repeat these steps for every service instance that requires the password. Create a new asymmetric vault for each service instance.
25.5.3. Retrieving a Service Password for a Service Instance
A service instance can retrieve the service vault password using the locally-stored service private key.
- Log in as the administrator:
kinit admin
$ kinit adminCopy to Clipboard Copied! - Obtain a Kerberos ticket for the service:
kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytab
# kinit HTTP/server.example.com -k -t /etc/httpd/conf/ipa.keytabCopy to Clipboard Copied! - Retrieve the service vault password:
ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt
$ ipa vault-retrieve password_vault --service HTTP/server.example.com --private-key-file service-private.pem --out password.txt ------------------------------------ Retrieved data from vault "password_vault" ------------------------------------Copy to Clipboard Copied!
25.5.4. Changing Service Vault Password
If a service instance is compromised, isolate it by changing the service vault password and then re-provisioning the new password to non-compromised service instances only.
- Archive the new password in the administrator's user vault:
ipa vault-archive http_password --in new_password.txt
$ ipa vault-archive http_password --in new_password.txt ---------------------------------------- Archived data into vault "http_password" ----------------------------------------Copy to Clipboard Copied! This overwrites the current password stored in the vault. - Re-provision the new password to each service instance excluding the compromised instance.
- Retrieve the new password from the administrator's vault:
ipa vault-retrieve http_password --out password.txt
$ ipa vault-retrieve http_password --out password.txt ----------------------------------------- Retrieved data from vault "http_password" -----------------------------------------Copy to Clipboard Copied! - Archive the new password into the service instance vault:
ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt
$ ipa vault-archive password_vault --service HTTP/server.example.com --in password.txt ----------------------------------- Archived data into vault "password_vault" -----------------------------------Copy to Clipboard Copied! WarningAfter archiving the password into the vault, deletepassword.txtfrom your system.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}