1
00:00:02,440 --> 00:00:05,559
I use Docker secrets for my passwords, but this

2
00:00:05,560 --> 00:00:08,380
just creates a RAM file in the container.

3
00:00:08,800 --> 00:00:10,779
If someone hacked into the container, they could see the

4
00:00:10,780 --> 00:00:12,519
file just like my application does.

5
00:00:14,900 --> 00:00:15,900
Yes and no.

6
00:00:16,510 --> 00:00:18,769
Great. We'll keep talking. Is there any better way to do

7
00:00:18,770 --> 00:00:21,170
this? Encrypt the content of the secret?

8
00:00:23,100 --> 00:00:25,419
Then decrypt inside the application in a way a hacker

9
00:00:25,420 --> 00:00:26,420
couldn't figure out.

10
00:00:27,190 --> 00:00:28,190
The reality here is

11
00:00:30,190 --> 00:00:33,070
that your application has to have its secret somewhere,

12
00:00:33,210 --> 00:00:35,635
and they're going to be unencrypted in memory, right.

13
00:00:36,730 --> 00:00:39,004
Everything I know that is decrypting encrypted stuff, it's

14
00:00:39,850 --> 00:00:42,470
decrypting it into memory. If a

15
00:00:43,170 --> 00:00:45,081
hacker has root in your container, then

16
00:00:46,270 --> 00:00:48,009
it's going to be able to get that stuff.

17
00:00:48,100 --> 00:00:49,980
If they're savvy enough, they're going to be able to get

18
00:00:49,981 --> 00:00:50,981
that stuff, right.

19
00:00:51,540 --> 00:00:54,137
The first step there is don't run your application as

20
00:00:54,700 --> 00:00:56,010
root in the container.

21
00:00:56,530 --> 00:00:59,176
Then, they can't muck around with anything outside the

22
00:00:59,560 --> 00:01:02,319
application. They can't run other system utilities in the

23
00:01:02,320 --> 00:01:04,859
container that might be able to read all the memory, right.

24
00:01:05,950 --> 00:01:07,616
The second thing is there is really, the

25
00:01:10,500 --> 00:01:12,839
most secure way that I think we've seen is something like

26
00:01:12,840 --> 00:01:14,947
Vault and one-time passwords where they get

27
00:01:15,870 --> 00:01:17,759
created, they're used by your app, and then they're thrown

28
00:01:17,760 --> 00:01:20,219
away and no longer good. The reality is most people aren't

29
00:01:20,220 --> 00:01:22,349
ready for that. Most people's apps can't handle that.

30
00:01:22,800 --> 00:01:25,319
You know, you can't rotate a Twitter API key

31
00:01:25,980 --> 00:01:27,656
every five minutes for every app that launches, right.

32
00:01:28,320 --> 00:01:31,080
Stuff like this. The next best thing

33
00:01:31,710 --> 00:01:35,129
is preventing that file from ever being permanently

34
00:01:35,130 --> 00:01:36,130
on disk.

35
00:01:36,780 --> 00:01:38,124
A Kubernetes security and

36
00:01:39,750 --> 00:01:42,840
Docker security, those... sorry, secrets,

37
00:01:43,260 --> 00:01:45,808
Kubernetes secrets and Swarm secrets are some of the

38
00:01:46,260 --> 00:01:48,514
best ways I've ever seen to come up with a way

39
00:01:49,620 --> 00:01:51,384
to store passwords on a fake file in

40
00:01:52,590 --> 00:01:55,040
RAM. You can set those permissions so that they're

41
00:01:55,620 --> 00:01:56,855
only readable by your app, right.

42
00:01:58,860 --> 00:02:01,519
So, if someone gets in somehow with a different user, not

43
00:02:01,530 --> 00:02:03,089
that you'd have a different user necessarily in the

44
00:02:03,090 --> 00:02:06,089
container, but you can lock those down

45
00:02:06,090 --> 00:02:08,489
so that they're read-only, that they're only readable by

46
00:02:08,490 --> 00:02:10,142
the user that's your app. That's the kind of stuff, right.

47
00:02:10,889 --> 00:02:12,229
So, that is really it.

48
00:02:12,270 --> 00:02:14,879
The only thing that I've seen better still stores them in

49
00:02:14,880 --> 00:02:16,439
memory, still stores them unencrypted.

50
00:02:16,470 --> 00:02:18,080
It just doesn't store them locally.

51
00:02:18,090 --> 00:02:20,370
So, you have to use a remote API like Vault,

52
00:02:21,330 --> 00:02:24,345
HashiCorp's Vault, or some other system that delivers one-

53
00:02:24,415 --> 00:02:26,999
time passwords. But again, those things would have to be

54
00:02:27,000 --> 00:02:29,369
built across your whole system. You'd have to design the

55
00:02:29,370 --> 00:02:30,986
whole thing. And that's a lot of work, right.

56
00:02:32,190 --> 00:02:35,189
Whereas, using the secrets in Kubernetes and

57
00:02:35,190 --> 00:02:38,129
Swarm, you can typically get that stuff done in the same

58
00:02:38,130 --> 00:02:40,979
day, right. You can implement that for just about any app,

59
00:02:41,310 --> 00:02:44,280
even if it has to set them as environment variables because

60
00:02:44,430 --> 00:02:46,860
older applications require things in environment variables.

61
00:02:47,520 --> 00:02:50,069
So, you can have them in secrets and then have, at runtime,

62
00:02:50,070 --> 00:02:52,109
have those secrets dumped into environment variables if you

63
00:02:52,110 --> 00:02:54,953
have to. But, I'd say 99% of the time, my consulting

64
00:02:57,600 --> 00:03:00,879
clients, they're dealing with legacy applications.

65
00:03:01,030 --> 00:03:03,369
When I say legacy, I really mean everything before

66
00:03:03,370 --> 00:03:05,589
containers, which is most applications, right.

67
00:03:05,590 --> 00:03:08,040
We've spent 30 years creating applications without

68
00:03:08,620 --> 00:03:10,509
containers before we had them.

69
00:03:10,540 --> 00:03:13,479
So, we have a lot of regular stuff.

70
00:03:13,510 --> 00:03:16,156
So, most teams are just looking at how to get things into

71
00:03:16,660 --> 00:03:19,068
containers and store them encrypted on disk, right.

72
00:03:20,110 --> 00:03:21,490
If they're on disk, they're encrypted.

73
00:03:22,150 --> 00:03:23,470
Kubernetes and Swarm can both do that.

74
00:03:23,920 --> 00:03:26,919
I think if you're using secrets, you're already better

75
00:03:26,920 --> 00:03:30,159
than 99% of the people I see, because very few people

76
00:03:30,160 --> 00:03:32,830
are using orchestration and also using secrets.

77
00:03:32,860 --> 00:03:34,840
It's a very, very small group, bunch of people.

78
00:03:36,340 --> 00:03:37,620
So, yeah, I think you're pretty good there.