Transcript
00:00 In this lesson, let's look at what the OCI Vault service is. OCI Vault is a managed service that
00:11 lets you centrally manage encryption keys and secret credentials. Vault removes the need to store
00:18 encryption keys and secrets in configuration files or in code. So what are these things called keys
00:24 and secrets? A key specifies how to transform plaintext into ciphertext during encryption and how to
00:32 transform ciphertext into plaintext during decryption. Secrets are credentials such as
00:39 passwords, certificates, SSH keys, or authentication tokens that you can use with Oracle Cloud
00:46 Infrastructure services. So this particular service lets you centrally manage these encryption
00:52 keys and credentials. The idea is you don't have to store them in configuration files or in code,
00:57 because that can potentially lead to security breaches. So that's the central management aspect
01:02 of keys and secret credentials. Now, there are two kinds of protection modes for keys: one is called
01:08 software, one is called hardware security modules. We have hardware security modules in OCI that meet
01:14 FIPS 140-2 Security Level 3 certification. That's a mouthful; it's kind of a federal standard
01:22 for some of these HSM modules. But what's the difference between software and these HSMs? The master
01:29 encryption key protected by an HSM is stored on a hardware security module device and cannot be exported
01:37 from the HSM; it stays within the HSM. All the cryptographic operations involving the key also happen on the
01:44 HSM. Meanwhile, a master encryption key protected by software is stored on a server and therefore can be
01:51 exported from the server to perform cryptographic operations on the client instead of on the
01:58 server. So when I say server here, basically it means your compute host or the storage host where the
02:04 remote storage or the object storage gets stored. So that's the big difference between HSM, managing
02:11 the keys in HSM, versus managing the keys in software. Now, what different kinds of algorithms does
02:17 Vault support? Let's look into them really quickly. The Vault service supports AES, RSA, and ECDSA
02:25 algorithms. What's the difference? AES is a symmetric key algorithm: the same key encrypts and decrypts data.
02:32 RSA is asymmetric encryption, so the public key encrypts data and the private key decrypts data. ECDSA keys are
02:40 used in digital signing, but they cannot be used to encrypt or decrypt data. So there are various use cases and
02:46 both symmetric as well as asymmetric algorithms supported by this particular service.
02:51 The keys are integrated with other OCI services; in the next couple of slides we will look into that.
02:57 You can rotate your master keys, and that way you don't have to do a complete set of encryption again.
03:03 And one thing which is not listed on this slide here is that the service is a regional service and it has a
03:09 public API endpoint that you can use. Now let's look into some of the other basic concepts surrounding
03:16 using the keys. So in essence, the way Vault operates is called envelope encryption. Think about this
03:23 as a two-tiered hierarchy for keys. The actual encryption happens with these keys called data encryption keys;
03:29 they are used to encrypt customer data, and master encryption keys actually encrypt the data keys. So you
03:36 can see on the picture here there is the master key that is used to encrypt the data key, and so you
03:43 see that sort of the middle box where the data key is encrypted by the master key, but the actual
03:48 encryption for storage, let's say it's block storage or object storage or file storage, is actually done
03:54 using the data key. So this kind of two-tiered encryption is called envelope encryption, and you can use IAM
04:02 policies to authorize access to master keys, so not everybody has access to those keys, and you could
04:07 also do audit logs to monitor all key-related activities. So you secure your key vault using those
04:14 things like policies and audit logs. So like I said, this is envelope encryption. What are the
04:20 benefits? It's easier to manage, it limits the blast radius, and the fact that you are using master keys
04:27 means it doesn't generate a complete data re-encryption, because you could just rotate the master key; you
04:32 don't have to do the complete data re-encryption here. But one thing to keep in mind is you have
04:38 to be careful: if the master key is deleted, then there is no way for anyone to recover the data. So
04:44 that is why we soft delete the keys with a seven-day gap, and you should take requisite backups. The thing
04:50 to keep in mind is a vault cannot be deleted immediately; you can schedule the deletion by configuring a
04:56 waiting period, like it says on the slide, anywhere from 7 to 30 days. The vault and all the keys created
05:03 inside the vault are deleted at the end of this waiting period, and all the data that was protected
05:08 by those keys is no longer accessible after the vault is deleted. Keep in mind, once a vault is deleted it
05:14 cannot be recovered, so that's why that 7 to 30 day period is there by design. Now let us look at an
05:20 example of how this works with an OCI service. So here you have a key vault, and there is a master key
05:26 in here. You can write policies to manage who has access to these keys, and you could also do audit
05:32 logs to see who is using these keys. Now let's look at the encryption process and decryption process in the
05:38 context of Object Storage. So let's say you have an object in an Object Storage bucket; you upload some
05:45 plaintext data there and you want to encrypt it. The first thing the service does: the encryption is
05:50 actually on by default. You could bring your own keys; if you don't do that, we actually do the
05:55 encryption by default. So this is showing how the process actually works. The Object Storage service
06:00 calls the Vault service and asks it to generate a data key, and the Vault service returns a data key
06:08 as well as the data key encrypted with a master key. So that's why you see those two
06:13 boxes there. And then Object Storage takes those keys, the data key, and it does the encryption
06:20 with the plaintext data key, and then it throws away the data key. But in the bucket it keeps the
06:26 encrypted object, and it also keeps the encrypted data key with it, right? So you will see
06:32 why it keeps the encrypted data key. At the time of making a request to decrypt this data, the
06:38 encrypted data and the encrypted data key are stored, as you see, in the bucket. So
06:44 Object Storage now makes a request to the Vault and it sends the encrypted data key as part of the
06:50 request. Vault looks at the encrypted data key; it knows the master key because it is
06:55 stored inside the vault, so it strips out the other portion and sends the data key back. Remember, this data
07:01 key is the one which is used for encryption and decryption. Now once you have the data key, you could actually
07:07 decrypt your plaintext data with this data key. So this is a bit more advanced for a foundational course,
07:14 but hopefully you get an idea of how the Vault works, how this envelope encryption, also you know the
07:21 two-tiered encryption, works, and why it is useful: because it limits your blast radius and you don't have to
07:28 do encryption again in case you rotate your keys. Just to recap, Vault is a service which you can use
07:35 to centrally manage your keys and secret credentials. It has lots of advanced features; we just looked at
07:40 a couple of quick examples of how envelope encryption works. I hope this lesson was useful.
07:46 Thanks for watching.
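The Object Storage flow the lesson walks through (generate a data key, encrypt the object with it, store only the wrapped data key beside the ciphertext, unwrap on read) written out as a small Go program. This is an added example, not code from the lesson or from the OCI SDK: the Vault, StoredObject, PutObject and GetObject names are constructed stand-ins for the real services, AES-256-GCM is assumed for both the object encryption and the key wrap, the "mek-vN:" version prefix on wrapped keys is an assumption of this example, and the sample object text in the usage note is constructed. It also goes one step beyond the slide by keeping older master key versions, so the rotation and deletion behaviour the lesson describes can be exercised.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 bytes; any other length is a bug
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext || tag under AES-256-GCM.
func seal(key, plaintext []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; GCM's tag check rejects a wrong key or a tampered blob.
func open(key, blob []byte) ([]byte, error) {
	g := gcm(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Vault is a constructed stand-in for the Vault service: master keys never
// leave it, and callers only ever see plaintext and wrapped data keys.
type Vault struct {
	masters map[string][]byte // master key version id -> 32-byte AES key
	current string            // version used to wrap new data keys
}

// RotateMasterKey adds a master key version (the first one on a fresh Vault);
// older versions are kept so data keys wrapped under them still unwrap.
func (v *Vault) RotateMasterKey() {
	if v.masters == nil {
		v.masters = map[string][]byte{}
	}
	v.current = fmt.Sprintf("mek-v%d", len(v.masters)+1)
	v.masters[v.current] = randBytes(32)
}

// DeleteMasterKey models the irreversible case from the lesson: data whose
// DEK was wrapped under a deleted master key can no longer be recovered.
func (v *Vault) DeleteMasterKey(version string) { delete(v.masters, version) }

// GenerateDataKey is the lesson's "generate a data key" call: the plaintext DEK
// plus the same DEK encrypted with the current master key, version id prefixed.
func (v *Vault) GenerateDataKey() (plain, wrapped []byte) {
	plain = randBytes(32)
	return plain, append([]byte(v.current+":"), seal(v.masters[v.current], plain)...)
}

// UnwrapDataKey is the decrypt-side call: the caller sends only the wrapped DEK
// and the vault, which holds the master key, returns the plaintext DEK.
func (v *Vault) UnwrapDataKey(wrapped []byte) ([]byte, error) {
	i := bytes.IndexByte(wrapped, ':')
	if i < 0 {
		return nil, fmt.Errorf("malformed wrapped key")
	}
	mk, ok := v.masters[string(wrapped[:i])]
	if !ok {
		return nil, fmt.Errorf("master key version not found")
	}
	return open(mk, wrapped[i+1:])
}

type StoredObject struct{ Ciphertext, WrappedDEK []byte } // what the bucket keeps

// PutObject plays Object Storage on upload: get a DEK, encrypt, discard the DEK.
func PutObject(v *Vault, plaintext []byte) *StoredObject {
	dek, wrapped := v.GenerateDataKey()
	ct := seal(dek, plaintext)
	clear(dek) // the plaintext DEK is thrown away; only the wrapped copy is kept
	return &StoredObject{Ciphertext: ct, WrappedDEK: wrapped}
}

// GetObject plays Object Storage on download: unwrap the DEK, then decrypt.
func GetObject(v *Vault, obj *StoredObject) ([]byte, error) {
	dek, err := v.UnwrapDataKey(obj.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Ciphertext)
}
```

Create a vault with `v := &Vault{}; v.RotateMasterKey()`, then `obj := PutObject(v, []byte("constructed sample object"))` and `GetObject(v, obj)` round-trips it. Calling `v.RotateMasterKey()` afterwards leaves `obj` readable, because its wrapped DEK still names version `mek-v1` and nothing in the bucket was re-encrypted; only objects written after the rotation carry `mek-v2`. Calling `v.DeleteMasterKey("mek-v1")` makes `GetObject` fail for the old object, which is the unrecoverable case the lesson warns about and the reason for the deletion waiting period. Note that the master key itself is never returned to the caller in either direction of the exchange.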