
Obscuring external supplier configuration

Please make sure you have gone through all the bullets in the Security Guidelines.

More about Externalized Configuration.

Introduction

Since AMP 4.5 a new vault external config supplier is available: io.cloudsoft.amp.crypto.vault.VaultEncryptedUserPassExternalConfigSupplier.

Like the other vault external config suppliers, you have to specify its vault credentials in brooklyn.cfg. VaultEncryptedUserPassExternalConfigSupplier additionally supports an encrypted username and password. For AMP to decrypt the credentials, the encryption keys must be provided as environment variables before launch.

If an attacker is logged in to the machine as the AMP user, you might want to obscure the contents of brooklyn.cfg. Be aware that VaultEncryptedUserPassExternalConfigSupplier slows down an intruder rather than giving strong security, since the decryption keys must still be available to the AMP process as environment variables.

Encrypting vault credentials in brooklyn.cfg

Ensure Vault is running and has the userpass auth method enabled.

To enable it, see the sections Setting up user password authentication in Vault (below) and VaultUserPassExternalConfigSupplier.

Encrypt username and password

To produce an encrypted vault username and password, use an encryption tool such as openssl. Once produced, the encrypted username and password must be supplied to AMP in base64 format.

The following environment variables are used by the external supplier to decrypt the vault username and password:

  • VAULT_SECRET_KEY - required, base64 format. Supplies the secret encryption key. It is strongly recommended to use a strong key containing numbers, special characters, and lower- and upper-case letters.
  • VAULT_INIT_VECTOR - required, base64 format. Supplies the initialization vector.
  • VAULT_SECRET_KEY_ALG - optional. Supplies the secret key algorithm. Choose the most secure one available in your JRE. The default is AES.
  • VAULT_TRANSFORMATION - optional. Supplies the cipher transformation. Choose the most secure one available in your JRE. The default is AES/CBC/PKCS5Padding.

For the tar.gz distribution, set them before running bin/start.
Example: VAULT_SECRET_KEY='Base64Base64Base64Base==' VAULT_INIT_VECTOR='Base64Base64Base64Base==' bin/start
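The encryption step above, worked through with openssl as an added example (not from the AMP documentation): it generates a key and IV, emits them in the base64 form the environment variables expect, encrypts a constructed sample username and password with the default AES/CBC/PKCS5Padding transformation (openssl's aes-256-cbc with its default PKCS#7 padding, which is the same scheme), and decrypts them again to check the round trip. The 32-byte key length, the sample credentials and the presence of openssl are assumptions.

```shell
#!/bin/sh
# Added example, not AMP's own tooling. Assumes openssl is installed and
# AMP is using its defaults (VAULT_SECRET_KEY_ALG=AES,
# VAULT_TRANSFORMATION=AES/CBC/PKCS5Padding). A 32-byte key selects AES-256.
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Raw random key (32 bytes -> AES-256) and IV (16 bytes = AES block size).
openssl rand 32 > "$WORKDIR/key.bin"
openssl rand 16 > "$WORKDIR/iv.bin"

# openssl enc takes -K/-iv as hex; AMP takes the same bytes as base64.
hex_of()    { od -An -v -tx1 "$1" | tr -d ' \n'; }
base64_of() { openssl base64 -A -in "$1"; }

KEY_HEX=$(hex_of "$WORKDIR/key.bin")
IV_HEX=$(hex_of "$WORKDIR/iv.bin")
VAULT_SECRET_KEY=$(base64_of "$WORKDIR/key.bin")
VAULT_INIT_VECTOR=$(base64_of "$WORKDIR/iv.bin")

# Encrypt one value with AES/CBC and PKCS#7 padding, output single-line base64.
encrypt_value() {
  printf '%s' "$1" | openssl enc -aes-256-cbc -K "$KEY_HEX" -iv "$IV_HEX" | openssl base64 -A
}

# Decrypt the way the supplier would, to verify the values before deploying.
decrypt_value() {
  printf '%s' "$1" | openssl base64 -d -A | openssl enc -d -aes-256-cbc -K "$KEY_HEX" -iv "$IV_HEX"
}

ENC_USER=$(encrypt_value "admin")           # constructed sample vault username
ENC_PASS=$(encrypt_value "s3cret-sample")   # constructed sample vault password

printf 'VAULT_SECRET_KEY=%s\n' "$VAULT_SECRET_KEY"
printf 'VAULT_INIT_VECTOR=%s\n' "$VAULT_INIT_VECTOR"
printf 'encrypted username for brooklyn.cfg: %s\n' "$ENC_USER"
printf 'encrypted password for brooklyn.cfg: %s\n' "$ENC_PASS"
```

The two printed base64 values go into the environment of the AMP process, and the two encrypted strings go into brooklyn.cfg.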

For the rpm distribution, persist the external supplier encryption keys as environment variables (VAULT_SECRET_KEY, VAULT_INIT_VECTOR, VAULT_SECRET_KEY_ALG, VAULT_TRANSFORMATION) in /lib/systemd/system/amp.service. Then reload the service configuration using the reload command for your OS. For CentOS 7, this is:

sudo systemctl daemon-reload

Setting up user password authentication in Vault

See https://www.vaultproject.io/docs/auth/userpass.html

Example:

$ vault auth-enable userpass
Successfully enabled 'userpass' at 'userpass'!
$ vault policy-write secret policy.hcl
Policy 'secret' written.
$ vault write auth/userpass/users/admin password=password policies=secret
Success! Data written to: auth/userpass/users/admin
$ # Test whether authentication works
$ vault auth -method=userpass username=admin password=password
Successfully authenticated! You are now logged in.

Then write the data to a path that the admin user's policy grants access to, and you are ready to go.