This document discusses managing distributed configuration and secrets with Spring Cloud and Vault. It introduces Spring Cloud Config for managing external configuration in distributed systems. Sensitive data like passwords are typically stored in application properties, exposing them to risk. Spring Cloud Config and Vault can encrypt these values. Vault is presented as a tool for secret storage and access control. It discusses authentication methods and secret backends. The document demonstrates integrating Spring Cloud and Vault to provide encrypted configuration values and automatically rotating secrets like database credentials.
9. SPRING CLOUD CONFIG
Externalized configuration in a distributed system
HTTP, resource-based API
Supports property file and YAML formats
Encrypt and decrypt property values
https://cloud.spring.io/spring-cloud-config
12. SPRING CLOUD CONFIG SERVER
JUST ONE ADDITIONAL ANNOTATION
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.cloud.config.server.EnableConfigServer;

// @EnableConfigServer turns a plain Spring Boot application into a
// Spring Cloud Config Server; everything else is auto-configured.
@EnableConfigServer
@SpringBootApplication
public class ConfigServerApplication {

    public static void main(String[] args) {
        SpringApplication.run(ConfigServerApplication.class, args);
    }
}
13. SPRING CLOUD CONFIG SERVER
CONFIGURATION
spring.cloud.config.server.git.uri=https://github.com/andifalk/cloud-config-repository
server.port=8888
security.basic.enabled=true
security.user.name=admin
security.user.password=secret

These are the Spring Boot 1.x (Dalston release train) security properties. In Spring Boot 2.x security.basic.enabled no longer exists and the user is configured with spring.security.user.name and spring.security.user.password instead. Whoever holds these basic-auth credentials can call the server's /encrypt and /decrypt endpoints, so they are a secret in their own right and should not be a fixed value like "secret" in a committed properties file.
14. SPRING CLOUD CONFIG
ENCRYPTION AND DECRYPTION
https://cloud.spring.io/spring-cloud-static/Dalston.RELEASE/#_security
15. SPRING CLOUD CONFIG SERVER
SYMMETRIC KEY CONFIGURATION
encrypt.key=MyVerySecureEncryptionKey

This one symmetric key protects every {cipher} value the server serves, so it must not be checked in next to the encrypted properties. Keep it in the server's bootstrap.properties outside version control, or supply it through the ENCRYPT_KEY environment variable, which Spring Cloud Config reads for the same purpose.
16. SPRING CLOUD CONFIG SERVER
ASYMMETRIC KEY CONFIGURATION
encrypt.key-store.location=classpath:configserver.jks
encrypt.key-store.alias=configserver
encrypt.key-store.password=secret
encrypt.key-store.secret=secret

key-store.password is the password of the JKS file itself; key-store.secret is the password of the private key stored under the given alias (often, but not necessarily, the same value). Only the config server needs this key store, since the private key in it is what decrypts the {cipher} values, so the file and both passwords are as sensitive as the symmetric key in the previous variant.
17. SPRING CLOUD CONFIG SERVER
ENCRYPTING DATA
$ curl -u admin:secret -d test http://localhost:8888/encrypt
AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
18. SPRING CLOUD CONFIG SERVER
DECRYPTING DATA
$ curl localhost:8888/decrypt -u admin:secret -d AQAx/RH8tiJj9V43l4dwAxhh0bXGPYa2UjRGOM8s5z2EmCXWRU5DLPzxGptF08nEokE+BfZPm4A3vco3volhWdYQcCAFguX+6LOvoxewv5AyfkIt1E0bTc7sa4wSSeBGG4SZ1K/nkto4e6jH+5tktLiPpXoABzvy3YsAgXZ6j5zUM320cWEd4QBSoB0mYP5KfsqEFbFEUBm2wMyUSFB4/NXn5apn8KZ2c2WTAj/jZlrg/jI4Sz094zDzRaM+iZuqHjaUxVng+3dTsz9DQ9rhfWFllmrtUyoKwgNWLuegV6neDsHGdz7F1bucvJ2CzEZb3tp76K2RrP0m9KPesTZMtbUH2/g9uUDORh/95P1s+dRt0QznwlXshtnb8Hu3i7GdkmA=
test
19. SPRING CLOUD CONFIG SERVER
ENCRYPTED SENSITIVE PROPERTY VALUES
secretkey={cipher}AQBcFzU3gDVVdj0P2uX/60LzeFqQi8Bo2sCTOiiMSe+wYq4f0smM8HES0TKesr8Nms+EqgV5t9Rld7PGALjVUAAfHjAf6WS1yYz3K+NvXrgu8umjOyRDxfKBh5OH2jvYX+EiKv/JgwDeUg3TXnTnsheh3Mim0dSufkojbBlWxO8HsfW5z1qG9tLSlHnWvtcpIGLdRAUwfcKw+/1SViuYxwi/p9H+J/SOomr4hjjnCuaFITa0zfQc4XTLOrGxW64dhghDvCgu3BxMe0TRaBciUgkqka4zgBmzge0kw7r82b84GELmDGpjDp7HRUB+cVHqzZXuQzQB9vCjq1xI19e6ZQm62DkOxaqtafGxqw+VmyFl1+XYEs1k2lWkiUMVyJyiixI=

A value stored with the {cipher} prefix in the Git-backed repository is decrypted by the config server before it is served to clients, so the repository itself never needs to contain the plaintext. Decryption can instead be left to the clients by setting spring.cloud.config.server.encrypt.enabled=false on the server, in which case every client needs the key.
33. INITIALIZE VAULT SERVER
$ vault init -key-shares=5 -key-threshold=2
Unseal Key 1: v236b4yJQDnaJ3EmkOhycZTcxTJfMbNeILqxWfRpzGn0
Unseal Key 2: g1tV/d4vp7VVbOu93aHrHZt41xE5YtX7yYBsFMIXGHCf
Unseal Key 3: rAI5FwrVF8XFUD7BOtTer9bL4A39HxHhnXQo85uSyphf
Unseal Key 4: kDSWhVhz8ElKG6Rad51Hw9lv8i6bTHdEdE71vq3sHoE0
Unseal Key 5: 4KUY7CS+UBi5lxlwpCRY+sWXdPFDp68rX2F6bTxT0nHF
Initial Root Token: 68a80410-e315-fc39-d1ad-9864e169a47f
Please securely distribute the above keys. When the vault is
re-sealed, restarted, or stopped, you must provide at least 2
of these keys to unseal it again.
Vault does not store the master key. Without at least 2 keys,
your vault will remain permanently sealed.

The five unseal keys are Shamir shares of the master key: any two of them reconstruct it and a single one reveals nothing about it, which is why they should go to different people or systems. In Vault 0.9 and later the command is vault operator init, with the same -key-shares and -key-threshold options. The shares and the root token are printed to the terminal, so this output must not be left in terminal scrollback or captured in a CI log.
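How "at least 2 of these 5 keys" works, as an added example that is not from the slides or from Vault's own code: a minimal Shamir secret sharing over a prime field in Python, using only the standard library. Vault's real implementation shares the master key byte by byte over GF(2^8); this example instead treats the whole key as one element of a large prime field (an assumed simplification), so the field prime, the function names and the sample key are this example's own.

```python
"""Added example, not from the slides or from Vault: Shamir secret sharing
over a prime field, illustrating vault init -key-shares=5 -key-threshold=2.
Assumption: the whole master key fits in one field element (Vault itself
works byte-wise over GF(2^8)). Python 3.8+ (pow(x, -1, p))."""
import secrets

# Assumed field: the Mersenne prime 2^521 - 1 comfortably holds a 256-bit key.
PRIME = 2 ** 521 - 1


def split_secret(secret, shares, threshold, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random polynomial f of
    degree threshold-1 with f(0) = secret. Returns [(x, y), ...] with
    x = 1..shares; x = 0 is never handed out because f(0) is the secret.
    `rng` is injectable only so tests can be deterministic."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod p
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def combine_shares(points):
    """Lagrange-interpolate f(0) from the given distinct points. With at
    least `threshold` points this is the secret; with fewer it is a value
    that carries no information about the secret."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME          # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME      # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def unseal(shares_provided, threshold):
    """Mirror the rule from the slide: below the threshold nothing is
    recovered (None); at or above it the master key comes back."""
    if len(shares_provided) < threshold:
        return None
    return combine_shares(shares_provided[:threshold])


if __name__ == "__main__":
    # Constructed sample master key (random, as Vault's would be).
    master_key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(master_key, shares=5, threshold=2)
    assert unseal(shares[:1], 2) is None
    assert unseal([shares[4], shares[1]], 2) == master_key
    print("any 2 of 5 shares recover the key; 1 share does not")
```

Any two distinct shares, in any order (and any three or more as well), reconstruct the key exactly, while a single share is one point on a random line and says nothing about f(0). That is what makes the "permanently sealed" warning on the slide literal rather than a matter of attacker effort.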
35. AUTHENTICATE WITH VAULT SERVER
$ vault auth 68a80410-e315-fc39-d1ad-9864e169a47f
Successfully authenticated! You are now logged in.
token: 68a80410-e315-fc39-d1ad-9864e169a47f
token_duration: 0
token_policies: [root]

token_duration 0 means this root token never expires. It is meant for initial setup only: configure a real auth method and policies, then revoke the root token (vault token revoke <token>) so that no non-expiring, all-powerful credential stays in circulation. In Vault 0.9 and later the command is vault login <token>.
36. WRITE AND READ SECRETS
$ vault write secret/mysecret hello=world
Success! Data written to: secret/mysecret
$ vault read secret/mysecret
Key                 Value
---                 -----
refresh_interval    768h0m0s
hello               world

This is the generic key/value backend (KV version 1) that older Vault releases mounted at secret/ by default. Vault 1.x mounts KV version 2 there, which keeps a version history of each secret and is used with vault kv put secret/mysecret hello=world and vault kv get secret/mysecret instead.
46. REFERENCES
All images used are from Pixabay and are published under the Creative Commons CC0 license.
All used logos are trademarks of corresponding companies.
Spring Cloud Config (https://cloud.spring.io/spring-cloud-config/)
Spring Cloud Config Security (http://cloud.spring.io/spring-cloud-static/spring-cloud-config/1.3.0.RELEASE/#_security)
Shamir's secret sharing algorithm (https://en.wikipedia.org/wiki/Shamir's_Secret_Sharing)
Spring Cloud Vault (https://cloud.spring.io/spring-cloud-vault)
Vault (https://www.vaultproject.io)
Cloud Foundry Vault Service Broker (https://www.hashicorp.com/blog/cloud-foundry-vault-service-broker)
Cloud Native Key Management — Justin Smith (https://www.youtube.com/watch?v=MvPIthr4kXA&t=1601s)
Sources and Presentation (https://github.com/andifalk/distributed-secure-configuration)