4 hours 53 minutes
Well, congratulations. You did it. You completed the course. Give yourself a pat on the back. Do the shuffle, do a macarena, do one of those silly TikTok dances of joy. You should be proud of yourself. It was a lot of material that we covered. We learned a lot, and I'm going to summarize all that information in this video.
We started out with an overview, just talking about the general problem domain. What's a secret? What are the three pillars of Vault: encryption as a service, secret storage, and dynamic secrets. We even talked about symmetric encryption and asymmetric encryption.
Then we moved on to talk about core capabilities. What are the problems that having a centralized method of storing your secrets solves? How does it benefit us? We talked about the protective power of short-lived credentials, that constantly evolving and changing threat surface, and how difficult it's gonna be for your attackers.
And we went through some use cases of encryption as a service to help the development teams get it right, to limit exposure of the keys that your application wants to use to perform encryption, and to minimize the headaches of having to distribute those keys. We then continued on, talking about complementary technologies to Vault such as Consul. We talked about HSMs. We talked about different configuration management products and cloud provisioning products.
And then, of course, there are alternatives to Vault, kind of competitive. We prefaced the whole conversation talking about the realities of multi-cloud and the various business factors that can easily put you in a situation where you are using more than one cloud provider. Then we talked about the cloud-provider-specific vaults that they have: Amazon's key storage, we talked about Azure's Key Vault, Google's equivalent, and we touched on some of the capabilities that the Vault Enterprise version has, because in this course we were only working with the Vault open source version.
With that completed, we moved on to talk about secrets storage. We did environment setup. We launched the server in development mode, and then we played around with the key-value engine, its most simple form of storing static secrets: creating, removing, updating and deleting them. We did this both through the command line interface and the web UI, and then we came back and worked with the HTTP and JSON elements and methods of interacting with Vault.
We proceeded to talk about the concepts of Vault, looking at the overarching architecture of the application itself. We looked at the sealing and unsealing process. We talked about server configuration files and defining different backend storage types, right? We learned about the different types of plugins and how you manage them. These would be the secrets engines and, when the server's up and running, enabling the different secrets engines. And of course, we also talked about the authentication backends, the authentication methods I should say.
We started diving into access management: Vault policies, what their role is, how you define them, the syntax, the capabilities of managing these policy files. We talked about identities. When we have authentication occurring through multiple sources, there are different authentication backends, and the same individual has multiple IDs in the different backends. So we went with the James Bond example, right? Then we built on top of that to do groups, and to provide policies and capabilities to groups to more logically organize all of the policies and the people, and get everybody to do just what they need to do, but not more than they need to do, right? The principle of least privilege. And finally, we talked about the policy templates and some of the power in that: to have templates defined in the syntax so that certain parameters and elements could be derived from the authenticated identity and the attributes and metadata around the identity or the groups that that identity belongs to.
Once complete, we looped back into talking about secrets storage. We expanded on the key-value secrets and reviewed the secret versioning capabilities. We talked about the cubbyhole secrets engine, that secret stash place for each individual token. We reviewed the concept of response wrapping and how that is used. We then set up the AppRole auth method for authenticating specific applications, using the two criteria when obtaining a token from Vault, and we brought it full circle by applying the response wrapping method as a form of secure introduction to provide the secret ID to the AppRole.
Moving forward, we started putting these dynamic secrets capabilities into action, and we did that using an AWS account. We interacted with it, and Vault would actually create AWS accounts in the AWS account, right? It was creating the identities, that is, the service accounts that could then theoretically be used by our automated provisioning scripts, or our EC2 instances themselves could operate and perform things using these accounts. We created ourselves a MongoDB and we used Vault's database secrets engine to dynamically generate different IDs within the database itself. So the authentication was: the users were dynamically generated, the passwords for those users were dynamically generated, and they had a specified time to live. So you'd continually be rotating the way your applications authenticate and communicate with the database.
Finally, we hit on the third pillar, which was encryption as a service. We exercised these capabilities, because this encryption as a service was all in the transit secrets engine. We did some basic encrypt and decrypt operations. We talked about key rotation and how to handle that for when the transit secrets engine itself is using and performing the encryption. So what are the keys that that encryption itself is using? And how do we deal with the rotation, and deal with versioning when we have data that was encrypted using old versions of the keys and we will need to get to new versions of the keys? We managed the key generation and distribution, leveraging the data keys. And then we touched on HMAC and the built-in capabilities that Vault has to use HMAC to verify the authenticity and integrity of messages that are being sent and transited back and forth.
And that brought us to where we are here. Once again, thank you for joining through the lesson. I really hope you learned a lot about Vault. I hope you learned even more about security principles and practical ways to structure your applications and manage secrets, and general considerations you'll want to keep in mind when building out systems, managing these systems, and keeping it all secure. So I hope you can take this knowledge, apply it to your day to day, and find the right opportunities to use Vault. It's not a hammer where everything's going to be a nail, right? But it definitely has some sweet-spot capabilities, and it's certainly a utility that you're gonna wanna put in your arsenal.
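The transit-engine behaviour the recap refers to, key rotation, decrypting data encrypted under older key versions, rewrapping it to the newest version, and HMAC, modelled in a small stand-alone Python class. This is an added illustration, not Vault's code or course material; the `vault:vN:` ciphertext prefix is Vault's real format, but the cipher here is a stdlib HMAC-SHA256 keystream plus tag standing in for the AES-GCM that Vault actually uses.

```python
"""Model of a transit keyring: rotate, encrypt under the latest version,
decrypt any version >= min_decryption_version, rewrap, and HMAC.
Illustrative model only; the cipher is a stand-in, not Vault's AES-GCM."""
import base64, hmac, hashlib, os

class TransitKey:
    def __init__(self):
        self.versions = {1: os.urandom(32)}   # key version -> key material
        self.latest = 1
        self.min_decryption_version = 1       # raise this to retire old versions

    def rotate(self):
        self.latest += 1
        self.versions[self.latest] = os.urandom(32)

    def _raw(self, key, nonce, data):
        # Keystream: HMAC(key, nonce || counter) blocks XORed with the data.
        out = bytearray()
        for i in range(0, len(data), 32):
            block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def encrypt(self, plaintext: bytes) -> str:
        key = self.versions[self.latest]      # always the newest version
        nonce = os.urandom(12)
        ct = self._raw(key, nonce, plaintext)
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
        return f"vault:v{self.latest}:" + base64.b64encode(nonce + ct + tag).decode()

    def decrypt(self, ciphertext: str) -> bytes:
        _, ver, body = ciphertext.split(":", 2)
        version = int(ver[1:])
        if version < self.min_decryption_version:
            raise ValueError(f"key version {version} is below min_decryption_version")
        key = self.versions[version]          # old versions stay decryptable
        blob = base64.b64decode(body)
        nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
        expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(tag, expected):
            raise ValueError("authentication failed")
        return self._raw(key, nonce, ct)

    def rewrap(self, ciphertext: str) -> str:
        # Move stored data to the newest key without handing plaintext to the caller.
        return self.encrypt(self.decrypt(ciphertext))

    def hmac_tag(self, data: bytes) -> str:
        tag = hmac.new(self.versions[self.latest], data, hashlib.sha256).hexdigest()
        return f"vault:v{self.latest}:{tag}"
```

After rotating, raising `min_decryption_version` is what forces consumers to rewrap anything still sitting under the retired version.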