BRINGING ETHEREUM TO THE ENTERPRISE
BUILDING A HASHICORP VAULT PLUGIN FOR ETHEREUM
jeff ploughman
jeff@immutability.io
MOTIVATION
learn through experimentation
build better tools
bridge ecosystems to enable innovation
solve a specific use case
ETHEREUM OVERVIEW
what is ethereum?
• ethereum is a network and a computer
• ethereum has a blockchain
• ethereum has a built-in cryptocurrency: ether (ETH)
• ethereum uses proof-of-work
• ethereum is public, permissionless, and serverless
• ethereum is decentralized
ETHEREUM CONCEPTS
accounts
smart contracts
gas and gas price
clients/nodes
transactions
miners
ETHEREUM QUESTIONS?
VAULT OVERVIEW
VAULT AUTHENTICATION
VAULT PLUGINS
THE USE CASE
VAULT ETHEREUM PLUGIN
VAULT QUESTIONS?
DEMO TIME
PREREQUISITES
INSTALL HASHICORP VAULT AND ETHEREUM PLUGIN
ADD MFA
$ export VAULT_TOKEN=$(keybase decrypt -i $KEYBASE_USER"_VAULT_TOKEN.txt")
$ vault policy-write ethereum_root ethereum_root.hcl
$ vault auth-enable github
$ vault write auth/github/config organization=$GITHUB_ORG max_ttl="1h" ttl="1h"
$ vault write auth/github/map/users/$GITHUB_USER value=ethereum_root
$ vault write auth/github/mfa_config type=duo
$ vault write auth/github/duo/access \
    host=$DUO_API_HOSTNAME \
    ikey=$DUO_INTEGRATION_KEY \
    skey=$DUO_SECRET_KEY
$ vault write auth/github/duo/config \
    user_agent="" \
    username_format="%s-ethereum"
$ unset VAULT_TOKEN
ENROLL DEVICE
$ export VAULT_AUTH_GITHUB_TOKEN=…
$ vault auth -method=github
Error making API request.
URL: PUT https://localhost:8200/v1/auth/github/login
Code: 400. Errors:
* Enroll an authentication device to proceed
(https://api-79cd4b94.duosecurity.com/portal?code=b3a236d5305b281d&akey=DAD7U2QRME0F43UFPT20)
$ vault auth -method=github
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: 48b49ccf-f6d3-de60-0a53-3f583fcd823c
token_duration: 3599
token_policies: [default ethereum_root]
AUTHENTICATE
INSTALL ETHEREUM
MINE INTO ACCOUNT
$ RPC_PORT=8546 ETHERBASE=$(vault write -format=json ethereum/accounts/etherbase chain_id=1977 \
    generate_passphrase=true | jq .data.account | tr -d '"') ./runminer.sh etherbase
Destroying old container ethereum-etherbase...
ethereum-etherbase
ethereum-etherbase
Starting ethereum-etherbase
4174b66b3001adb12307958d54def6b493077eab0eb48f4b8018e966a82c083f
GET ACCOUNT BALANCE
$ vault read ethereum/accounts/etherbase
Key Value
--- -----
address 0xa2d0566A6DCb1Eb7687F40E373ed7d53af44dD05
chain_id 1977
pending_balance 95000000000000000000
pending_nonce 0
pending_tx_count 0
rpc_url http://localhost:8545
IMPORT EOA
$ read -s PASSPHRASE; vault write ethereum/import/oldwallet \
    path=/Users/immutability/.ethereum/keystore/UTC--2017-12-01T23-13-37.315592353Z--a152e7a09267bcff6c33388caab403b76b889939 \
    passphrase="$PASSPHRASE"; unset PASSPHRASE
Key Value
--- -----
path /Users/immutability/.ethereum/keystore/UTC--2017-12-01T23-13-37.315592353Z--a152e7a09267bcff6c33388caab403b76b889939
EXPORT EOA
$ vault write ethereum/accounts/etherbase/export directory=.
Key Value
--- -----
path /Users/immutability/.ethereum/keystore/UTC--2017-12-01T23-13-37.315592353Z--a152e7a09267bcff6c33388caab403b76b88993
$ vault read ethereum/accounts/etherbase/passphrase
Key Value
--- -----
passphrase chute-nylon-yanking-overtly-ipod-sheath-register-ounce
SEND ETH
$ vault write ethereum/accounts/oldwallet/debit \
    to=0x0374E76DA2f0bE85a9FdC6763864c1087e6Ed28b value=10000000000000000000
Key Value
--- -----
tx_hash 0xe99f3de1dfbae82121a009b9d3a2a60174f2904721ec114a8fc5454a96e62ba8
BUILD CONTRACT
$ dapp build
+ dapp clean
+ rm -rf out
+ solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --abi --bin --bin-runtime = -o out/ src/Helloworld.sol
+ solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --combined-json=abi,bin,bin-runtime,srcmap,srcmap-runtime,ast = src/Helloworld.sol
+ solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --abi --bin --bin-runtime = -o out/ src/Helloworld.t.sol
+ solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --combined-json=abi,bin,bin-runtime,srcmap,srcmap-runtime,ast = src/Helloworld.t.sol
dapphub tools
DEPLOY CONTRACT
$ vault write ethereum/accounts/oldwallet/contracts/helloworld transaction_data=@Helloworld.bin \
    value=10000000000000000000 gas_price=21000000000 gas_limit=1500000
Key Value
--- -----
account_address 0x206d4B8aB00F1D3FdD3683A318776942f82A7F28
pending_balance 200779500000000000000
pending_nonce 7
pending_tx_count 0
tx_hash 0x206ba52b1edd32510e6ab607bbfbba70369595210d22885b3067868a376e9677
CONTRACT ADDRESS
$ vault read ethereum/accounts/oldwallet/contracts/helloworld
Key Value
--- -----
contract_address 0x9dC730499BbAe80F4241a2523C516919C69339Af
tx_hash 0x206ba52b1edd32510e6ab607bbfbba70369595210d22885b3067868a376e9677
WARM/COLD STORAGE
# Kill Vault and copy to removable media
$ kill -2 $(ps aux | grep '/usr/local/bin/vault server' | awk '{print $2}')
$ mv -f $HOME/etc $WARM_STORAGE/etc
$ mv "$KEYBASE_USER"_* $WARM_STORAGE
# Restore from removable media
$ mv -f $WARM_STORAGE/etc $HOME/etc
$ nohup /usr/local/bin/vault server -config $HOME/etc/vault.d/vault.hcl &> /dev/null &
$ mv $WARM_STORAGE/"$KEYBASE_USER"_* .
$ vault unseal $(keybase decrypt -i $KEYBASE_USER"_UNSEAL_1.txt")
$ vault unseal $(keybase decrypt -i $KEYBASE_USER"_UNSEAL_2.txt")
$ vault unseal $(keybase decrypt -i $KEYBASE_USER"_UNSEAL_3.txt")
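The move to removable media and back uses plain mv, so nothing confirms that the directory restored is the one that was parked. As an added example (not from the talk or the plugin's repository), the script below records a SHA-256 manifest when parking and refuses to restore if any file was modified, added or removed. The function names, the .manifest file name and the practice of keeping the printed digest off the media are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example (not from the talk): tamper-evident parking of Vault's storage
# directory on removable media. Function and file names are hypothetical.
# Assumes the Vault server is already stopped and file names contain no newlines.

# Hash one file with whichever SHA-256 tool is installed (Linux or macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# write_manifest DIR OUT: one "digest  ./relative/path" line per file, sorted by path.
write_manifest() {
  local dir="$1" out="$2"
  ( cd "$dir" || exit 1
    find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(sha256_of "$f")" "$f"
    done ) > "$out"
}

# park_storage SRC MEDIA: move SRC to MEDIA/<basename>, prove the moved copy
# matches the source, leave the manifest beside it, and print the manifest's
# digest on stdout. Record that digest somewhere that is NOT the media.
park_storage() {
  local src="$1" media="$2" name before after
  name=$(basename "$src")
  if [ -e "$media/$name" ]; then
    echo "refusing to overwrite $media/$name" >&2
    return 1
  fi
  before=$(mktemp) && after=$(mktemp) || return 1
  write_manifest "$src" "$before" || return 1
  mv -f "$src" "$media/$name" || return 1
  write_manifest "$media/$name" "$after" || return 1
  if ! cmp -s "$before" "$after"; then
    echo "copy on media differs from source" >&2
    rm -f "$before" "$after"
    return 1
  fi
  mv -f "$before" "$media/$name.manifest"
  rm -f "$after"
  sha256_of "$media/$name.manifest"
}

# restore_storage MEDIA NAME DEST EXPECTED_DIGEST: verify first, move second.
# Fails and leaves the media untouched if the manifest was replaced or if any
# file was modified, added or removed while the media was in storage.
restore_storage() {
  local media="$1" name="$2" dest="$3" expected="$4" now
  if [ "$(sha256_of "$media/$name.manifest")" != "$expected" ]; then
    echo "manifest digest mismatch" >&2
    return 1
  fi
  now=$(mktemp) || return 1
  write_manifest "$media/$name" "$now"
  if ! cmp -s "$now" "$media/$name.manifest"; then
    echo "storage differs from manifest:" >&2
    diff "$media/$name.manifest" "$now" >&2
    rm -f "$now"
    return 1
  fi
  rm -f "$now"
  mv -f "$media/$name" "$dest"
}

# Command-line use, mirroring the slide's paths:
#   script park "$HOME/etc" "$WARM_STORAGE"            (prints the digest)
#   script restore "$WARM_STORAGE" etc "$HOME/etc" <digest>
case "${1:-}" in
  park)    park_storage "$2" "$3" ;;
  restore) restore_storage "$2" "$3" "$4" "$5" ;;
esac
```

Run the restore step before starting the Vault server and unsealing, so a failed check stops the procedure before any unseal key is used.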
WHAT’S NEXT?
container orchestration
concourse pipeline
oracle reference implementation
smart contract test harness
vault plugins for other cryptocurrencies?
vault plugins for exchanges?
THANK YOU!
i hope this talk proved interesting and
useful. more so, i hope that it inspires
you to build oss tools for the ethereum
ecosystem and participate in the oss
community. please feel free to connect
with me via LinkedIn:
https://www.linkedin.com/in/immutability/
IMMUTABILITY'S DOCKER HUB
HASHICORP VAULT
ETHEREUM'S GO CLIENT
IMMUTABILITY'S GITHUB
DC-BALTIMORE HASHICORP USER GROUP
AND REMEMBER…
don’t lose your wallet

Building an Ethereum Wallet using Hashicorp Vault

  • 1. BRINGING ETHEREUM TO THE ENTERPRISE BUILDING A HASHICORP VAULT PLUGIN FOR ETHEREUM jeff ploughman jeff@immutability.io
  • 2. +
  • 5. MOTIVATION learn through experimentation build better tools bridge ecosystems to enable innovation
  • 6. MOTIVATION learn through experimentation build better tools bridge ecosystems to enable innovation solve a specific use case
  • 7. what is ethereum? • ethereum is a network and a computer • ethereum has a blockchain • ethereum has a built-in cryptocurrency: ether (ETH) • ethereum uses proof-of-work • ethereum is public, permissionless, and serverless • ethereum is decentralized ETHEREUM OVERVIEW
  • 8. ETHEREUM CONCEPTS accounts smart contracts gas and gas price clients/nodes transactions miners
  • 19. INSTALL HASHICORP VAULT AND ETHEREUM PLUGIN
  • 20. ADD MFA $ export VAULT_TOKEN=$(keybase decrypt -i $KEYBASE_USER"_VAULT_TOKEN.txt") $ vault policy-write ethereum_root ethereum_root.hcl $ vault auth-enable github $ vault write auth/github/config organization=$GITHUB_ORG max_ttl="1h" ttl="1h” $ vault write auth/github/map/users/$GITHUB_USER value=ethereum_root $ vault write auth/github/mfa_config type=duo $ vault write auth/github/duo/access host=$DUO_API_HOSTNAME ikey=$DUO_INTEGRATION_KEY skey=$DUO_SECRET_KEY $ vault write auth/github/duo/config user_agent="" username_format="%s-ethereum” $ unset VAULT_TOKEN
  • 21. ENROLL DEVICE $ export VAULT_AUTH_GITHUB_TOKEN=… $ vault auth -method=github Error making API request. URL: PUT https://localhost:8200/v1/auth/github/login Code: 400. Errors: * Enroll an authentication device to proceed (https://api-79cd4b94.duosecurity.com/portal?code=b3a236d5305b281d&akey=DAD7U2QRME0F43UFPT20) $ vault auth -method=github Successfully authenticated! You are now logged in. The token below is already saved in the session. You do not need to "vault auth" again with the token. token: 48b49ccf-f6d3-de60-0a53-3f583fcd823c token_duration: 3599 token_policies: [default ethereum_root]
  • 24. $ RPC_PORT=8546 ETHERBASE=$(vault write -format=json ethereum/accounts/etherbase chain_id=1977 generate_passphrase=true | jq .data.account | tr -d '"') ./runminer.sh etherbase Destroying old container ethereum-etherbase... ethereum-etherbase ethereum-etherbase Starting ethereum-etherbase 4174b66b3001adb12307958d54def6b493077eab0eb48f4b8018e966a82c083f MINE INTO ACCOUNT
  • 25. $ vault read ethereum/accounts/etherbase Key Value --- ----- address 0xa2d0566A6DCb1Eb7687F40E373ed7d53af44dD05 chain_id 1977 pending_balance 95000000000000000000 pending_nonce 0 pending_tx_count 0 rpc_url http://localhost:8545 GET ACCOUNT BALANCE
  • 26. IMPORT EOA $ read -s PASSPHRASE; vault write ethereum/import/oldwallet path=/Users/immutability/.ethereum/keystore/UTC--2017-12-01T23-13-37.315592353Z-- a152e7a09267bcff6c33388caab403b76b889939 passphrase=$PASSPHRASE; unset PASSPHRASE Key Value --- ----- path /Users/immutability/.ethereum/keystore/UTC--2017-12-01T23-13-37.315592353Z-- a152e7a09267bcff6c33388caab403b76b889939
  • 27. EXPORT EOA $ vault write ethereum/accounts/etherbase/export directory=. Key Value --- ----- path /Users/immutability/.ethereum/keystore/UTC--2017-12-01T23-13-37.315592353Z-- a152e7a09267bcff6c33388caab403b76b88993 $ vault read ethereum/accounts/etherbase/passphrase Key Value --- ----- passphrase chute-nylon-yanking-overtly-ipod-sheath-register-ounce
  • 28. SEND ETH
      $ vault write ethereum/accounts/oldwallet/debit to=0x0374E76DA2f0bE85a9FdC6763864c1087e6Ed28b value=10000000000000000000
      Key        Value
      ---        -----
      tx_hash    0xe99f3de1dfbae82121a009b9d3a2a60174f2904721ec114a8fc5454a96e62ba8
  • 29. BUILD CONTRACT
      $ dapp build
      + dapp clean
      + rm -rf out
      + solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --abi --bin --bin-runtime = -o out/ src/Helloworld.sol
      + solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --combined-json=abi,bin,bin-runtime,srcmap,srcmap-runtime,ast = src/Helloworld.sol
      + solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --abi --bin --bin-runtime = -o out/ src/Helloworld.t.sol
      + solc --overwrite ds-test/=lib/ds-test/src/ ds-test=lib/ds-test/src/index.sol --combined-json=abi,bin,bin-runtime,srcmap,srcmap-runtime,ast = src/Helloworld.t.sol
      dapphub tools
  • 30. DEPLOY CONTRACT
      $ vault write ethereum/accounts/oldwallet/contracts/helloworld transaction_data=@Helloworld.bin value=10000000000000000000 gas_price=21000000000 gas_limit=1500000
      Key                 Value
      ---                 -----
      account_address     0x206d4B8aB00F1D3FdD3683A318776942f82A7F28
      pending_balance     200779500000000000000
      pending_nonce       7
      pending_tx_count    0
      tx_hash             0x206ba52b1edd32510e6ab607bbfbba70369595210d22885b3067868a376e9677
  • 31. CONTRACT ADDRESS
      $ vault read ethereum/accounts/oldwallet/contracts/helloworld
      Key                 Value
      ---                 -----
      contract_address    0x9dC730499BbAe80F4241a2523C516919C69339Af
      tx_hash             0x206ba52b1edd32510e6ab607bbfbba70369595210d22885b3067868a376e9677
  • 32. WARM/COLD STORAGE
      # Kill Vault and copy to removable media
      $ kill -2 $(ps aux | grep '/usr/local/bin/vault server' | awk '{print $2}')
      $ mv -f $HOME/etc $WARM_STORAGE/etc
      $ mv "$KEYBASE_USER"_* $WARM_STORAGE
      # Restore from removable media
      $ mv -f $WARM_STORAGE/etc $HOME/etc
      $ nohup /usr/local/bin/vault server -config $HOME/etc/vault.d/vault.hcl &> /dev/null &
      $ mv $WARM_STORAGE/"$KEYBASE_USER"_* .
      $ vault unseal $(keybase decrypt -i $KEYBASE_USER"_UNSEAL_1.txt")
      $ vault unseal $(keybase decrypt -i $KEYBASE_USER"_UNSEAL_2.txt")
      $ vault unseal $(keybase decrypt -i $KEYBASE_USER"_UNSEAL_3.txt")
  • 33. WHAT’S NEXT?
      container orchestration
      concourse pipeline
      oracle reference implementation
      smart contract test harness
      vault plugins for other cryptocurrencies?
      vault plugins for exchanges?
  • 34. THANK YOU! i hope this talk proved interesting and useful. more so, i hope that it inspires you to build oss tools for the ethereum ecosystem and participate in the oss community. please feel free to connect with me via linked in: https://www.linkedin.com/in/immutability/
  • 35. IMMUTABILITY'S DOCKER HUB
      HASHICORP VAULT
      ETHEREUM'S GO CLIENT
      IMMUTABILITY'S GITHUB
      DC-BALTIMORE HASHICORP USER GROUP

Editor's Notes

  1. Hello, I’m Jeff. Welcome to the 2nd meetup of the DC-Baltimore HashiCorp User Group. Today, we are going to talk about secrets – and not in hushed tones. We will talk about HashiCorp Vault and its new plugin architecture. We will talk a *little* about Ethereum. And, I will share with you the results of some experiments that I have done. The bulk of this presentation is a live demo rather than just PowerPoint - I suck at PowerPoint. I will be installing most of the tools I will use for the demo from scratch, so there should be a little tight-rope tension to the talk. My hope is that everything I do here can be done on your own machine. I will pause briefly after the Ethereum overview for questions. I will pause briefly after the Vault overview for questions.
  2. Today we are going to discuss the mechanics and motivations for using HashiCorp Vault as an Ethereum wallet. If you haven’t heard of HashiCorp Vault, it is the premier OSS secrets management solution for enterprises. My day job involves automating the provisioning of Vault policies and secrets and integrating Vault into DevOps workflows. If you haven’t heard of Ethereum, it is the most innovative ecosystem in the blockchain world. I will give a brief overview in a moment.
  3. Before I talk about the mechanics of Vault or give an overview of Ethereum, I’d like to talk briefly about why I did this. The first motivation is probably something you all can relate to: the best way to learn a new technology is to build something useful – to experiment. Since I use Vault a lot, I needed to learn the new plugin architecture; since I am passionate about Ethereum, I wanted to get closer to the mechanics of its client.
  4. I attended DevCon3 last November and was quite intrigued by a recurrent theme in most presentations. Seemed that each team lamented the lack of development tools in the ecosystem and made mention that their first order of business after ICO funding was to build their own development environments from the ground up.
  5. The Ethereum ecosystem is based on decentralization – where infrastructure means a laptop. I believe that the immutable architecture community has a maturity and wealth of techniques that could bring much innovation to Ethereum.
  6. Also, I wanted to solve a specific use case… securely: more about that later.
  7. What is Ethereum? Ethereum is software running on a network of computers that ensures that data and small computer programs called smart contracts are replicated and processed on all the computers on the network, without a central coordinator. The vision is to create an unstoppable censorship-resistant self-sustaining decentralised world computer. It does that using a blockchain and a cryptocurrency. Cryptocurrency is not an end in itself in the Ethereum ecosystem – it is a means to create rewards to operate the network/computer and it is a security mechanism. Every transaction you send has a cost – this prevents spamming of the network. Ethereum currently uses proof-of-work as the consensus mechanism – this is called Nakamoto consensus. Nakamoto consensus doesn’t require any trusted parties or pre-assumed identities among the participants. PoW is extremely consumptive of energy. Ethereum will move to PoS at some time in the next 2 years.
  8. In this demo, we will touch on a few core Ethereum concepts. The most important of which is an account - in bitcoin, there is a concept called address where bitcoins are stored – like a bank account number. In ethereum these are commonly called accounts and there are two types. Accounts that only store ETH are similar to bitcoin addresses and are sometimes known as externally owned accounts (EOAs); you make payments from these accounts by signing transactions with the appropriate private key. Smart contracts are accounts that store ETH and have code that can be run. These smart contracts are little computer programs that are stored on ethereum’s blockchain. They can be activated, or run, by funding them with some ETH. When you activate a smart contract, you ask all the miners in the whole network to each individually perform the calculations within it. This costs them time and energy, and gas is the mechanism by which you pay them for that service. Ethereum is a network of nodes or clients. In this presentation I will use the go-ethereum client – geth. Nodes can be light or full – terms that describe the amount of blockchain data present on the node. Nodes can be read-only or nodes can be miners. You interact with the Ethereum ecosystem by sending transactions - transactions to send ETH to other EOAs, transactions to deploy smart contracts, transactions to execute code. The way transactions get applied to the ledger – the blockchain – is by mining.
  9. Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, etc. In our scenario, the private key associated with an Ethereum account is a secret - so is its passphrase. Vault also maintains a detailed and secure audit log. Vault is best seen as a broker between authentication backends and secret backends – many authentication methods are supported and many kinds of secrets. Every authenticated identity is attached to a policy that governs access to secrets.
  10. There is a ceremony to using vault that mirrors the model for most permissioned websites: You authenticate to one of many AuthN backends. You receive a session token that is used for subsequent access to Vault. This session token is attached to a set of policies that Vault uses to authorize access to secrets. You access secrets.
  11. Recently, HashiCorp documented their plugin architecture and allowed developers to build their own backend plugins – secrets, authentication or audit. A plugin is Golang code that you compile into a single file executable. A vault administrator registers a plugin with Vault by adding it and a sha256 sum to a catalog. When vault wants to run a plugin, it first looks up the plugin, by name, in the catalog. It then checks the executable's sha256 sum against the one configured in the plugin catalog. Finally, vault runs the command configured in the catalog.
  12. I mentioned earlier that a particular use case was motivation for this experiment. Let me try to describe the problem: Ethereum is decentralized. That is great. However, there is a bit of ideological fervor … zealotry? to the commitment to decentralization: The attitude at times seems like: I just need my laptop… that’s all I need…. we don't need any of that centralized infrastructure... we don't need any servers... well maybe a well-known bootnode... but then a scaling issue occurs (kittens?) and some benefactor (Infura) runs a bunch of read only nodes to satiate demand. The fact is, when you work in any sort of collaborative environment, there are reasons why you might want to manage infrastructure beyond a single laptop. As soon as you want to do enterprise scale software development, even decentralization zealots will start to realize that they need more… and more.
  13. Here is the use case: RPC communication to Ethereum nodes is not over TLS – just straight up HTTP. This means that running a node anywhere other than your laptop is a problem, because the keystores live, encrypted, on a node and the passphrase to decrypt them lives elsewhere. The "official" guidance is to use IPC as a communication mechanism between wallets and nodes, but this isn’t awesome because your wallet has to live on the same machine as the client - scalability be damned. Furthermore, what about CI/CD and smart contracts? A shared pipeline is a critical enabler of development at scale. How would that work? Even if you run a node on your build slave, you have the problem of how to get the passphrase to that node.
  14. Finally, we are to my plugin – the vault ethereum plugin. The vault ethereum plugin is intended to provide many of the capabilities of an ethereum wallet within the context of the enterprise. It is designed to support smart contract CI/CD practices. None of the functionality requires a local ethereum node to be running. It uses vault to store the private keys AND passphrases for your ethereum accounts. You authenticate to vault using any desired mechanism (including MFA – demoed). You then sign and send transactions from vault without the private keys or passphrases ever leaving the secure boundary of vault. Passphrases are available at a specific path that can be protected with additional policies.
  15. The prerequisites for this demo are simple: You need Docker to run the Ethereum client; and, you need Keybase to encrypt your vault keys.
  16. Run ./install.sh. This will create a self-signed certificate, download vault and the vault ethereum plugin, check their SHA256SUMS, install vault and the plugin, start vault, and unseal it. The unseal keys and the root token are encrypted with your Keybase PGP key and saved as files on the file system. Run ./github.sh. This will enable authentication against the github backend and create a role for me in my GH organization.
  17. So, now we are going to add MFA to our Ethereum wallet. How many of you using MetaMask or Mist have that? DUO has a free service that gives MFA capability to up to 10 users and it is supported by HashiCorp Vault. This is the first inkling of the ecosystem bridge that I was talking about afforded to the Ethereum community by the HashiCorp community. I have already enrolled myself and my device with DUO. I will attempt to enroll a brand new GitHub user here now. This user has to be a member of the GitHub organization. ./github_user.sh cipher-punk cypherhat
  18. Now we authenticate to Vault. Since our user hasn’t been enrolled in MFA, this will fail. So, we go to the DUO site (with the URL supplied) and we enroll the device. After enrollment, we authenticate again. Assuming that all worked according to plan, our phone will chirp, and we will confirm.
  19. Now we will install Ethereum. It must be said, that for the purpose of this demo, I have already installed Ethereum – as a private chain - and run it the first time. I did this because it takes a little while (~30-45 minutes) to create the initial DAG used as a foundational data structure for Ethereum's PoW mechanism. I have wiped everything and reinstalled enough times to be confident that your mileage should not vary if you try to do this at home. Nevertheless, I will walk through the installation steps as if this was a virgin install. So, first we pull the docker images. I have a script that does this - named pull_images.sh curiously enough. I am running portainer – this is totally not necessary. But, I use it because it saves some typing and lets me get a big picture of my docker environment. The first thing we have to do is start a bootnode. The bootnode, addressable by a URL, is how the Ethereum clients will discover each other: ./bootnode.sh, then ./getbootnodeurl.sh to see the URL. Now we start our first Ethereum client – this will be a read only client. I will name it `ethereum-wallet`. I will start it listening on port 8545: RPC_PORT=8545 ./runnode.sh wallet. And lastly, we will start mining Ethereum – in order to commit transactions as well as to have some ETH to play with. But, before we do that, I want to create an Ethereum account (an EOA) that we will send the mined ETH into. How will we create such an account? Hmm…
  20. We will use our Vault Ethereum plugin of course! And, we will do it in one line. RPC_PORT=8546 ETHERBASE=$(vault write -format=json ethereum/accounts/etherbase chain_id=1977 generate_passphrase=true | jq .data.account | tr -d '"') ./runminer.sh etherbase
  21. Let’s check the balance. It should read 0 initially, but then quickly start to increase.
  22. Now, as I mentioned, I had already installed Ethereum locally. I have been mining into an account for about a day to create some funds to use in this demo. I could have run an Ethereum faucet, but I prefer the development environment to mirror the production environment as much as possible. The use case I am trying to simulate is: imagine that you have never used this wonderful Ethereum Vault plugin, but you have been convinced of its awesomeness, so you want to bring existing accounts in. This is simple: you import a JSON keystore. All you need is the passphrase used to encrypt the keystore and the keystore file. Keystore files (for geth) are located in ~/.ethereum/keystore. $ vault write ethereum/import/oldwallet path=/Users/immutability/.ethereum/keystore/UTC--2018-01-15T15-20-58.882677940Z--204baf5cbad527c918e4f7ead9bf88051bdca38a passphrase=$(cat /keybase/private/cypherhat/ethereum_test/demo.key) chain_id=1977 $ vault read ethereum/accounts/oldwallet
  23. And while the Vault Ethereum wallet is awesome, it doesn’t have a UI. So, if you want to move your account into another wallet this is pretty easy too. You export the account into a directory - the keystore file is returned. You will also need the passphrase for this keystore. Let’s open up MetaMask to demonstrate.
  24. So, we have created Ethereum accounts and moved them gracefully between Vault and wallets. Let’s now move some ETH! Sending ETH is simple – we debit the account. We need an account address to send the ETH to and the value (in Wei.) The gas amount and price are defaulted. In a production environment you would not use these defaults! I will be adding code for better gas/gas price estimation. The result is the transaction hash which can be seen in the logs and the blockchain. Since the account that is credited is in my MetaMask wallet, we can go there to see that the ETH was indeed transferred.
  25. The last order of business is to deploy an Ethereum smart contract. I am not going to get into the Solidity development environment at all except to say that I am liking the tools from the MakerDAO guys – Dapphub tools. This is a nix-based environment that is very friendly if you are used to Unix development. I have a very simple contract – a Helloworld contract – that I will build. This produces a couple of things: The ABI file – which is a JSON description of the Contract’s interface; and, The bin file – which is the EVM byte code. It is the EVM byte code that we deploy.
  26. To deploy a contract, we have to fund the contract and pay for deployment. Let’s use the account we just imported. When we deploy the contract we provide values for the ETH that will fund the contract and the gas that will pay for the transaction.
  27. The transaction doesn’t get committed immediately, so we won’t know the contract_address immediately. We will have to poll the Ethereum network for the address – the vault read command on the contract path does this.
  28. Now, the best way to make sure that your ETH remains your ETH is to take your wallet offline. We do this by killing the vault process and copying the data to a flash drive. We also copy the PGP encrypted keys to a flash drive. Obviously, this needn’t be the same flash drive, but this is just a demonstration on how you can take your wallet offline and then restore simply and securely. Note: We are once again leveraging Keybase to secure our Vault keys. To go cold (more like warm) we run the warm script: ./warm.sh cypherhat ~/cold. We verify that vault is indeed offline: vault read ethereum/accounts/oldwallet. And to go back online, we run the hot script: ./hot.sh cypherhat ~/cold.
  29. That’s about it. As you can see, there was a lot here; but, there is much more needed to fulfill the motivation of building modern DevOps practices into the Ethereum ecosystem. So I will leave you with a list of items that I will be focusing on. I hope that you will help me. Cheers!
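
Notes 11 and 16 describe two checksum gates: install.sh checks the downloaded plugin against SHA256SUMS, and Vault checks the executable against the sha256 stored in its plugin catalog. The script below is an added example, not code from the talk or from install.sh, that ties the two together by refusing to produce a catalog registration unless the binary matches the published digest. The file name `vault-ethereum` and catalog name `ethereum-plugin` are placeholders, and the `sys/plugins/catalog` write is the form used by Vault releases of the same era as the `vault auth-enable` syntax on these slides.

```shell
# Added example: integrity gate before registering a Vault plugin binary.
# "vault-ethereum" and "ethereum-plugin" are placeholder names, not from the talk.

# Print the hex SHA-256 of a file with whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Print the digest listed for <name> in a SHA256SUMS-style file
# ("<hex>  <name>" per line; a leading "*" on the name marks binary mode).
published_digest() {
  awk -v want="$2" '{ f = $2; sub(/^\*/, "", f)
                      if (f == want) { print $1; exit } }' "$1"
}

# Verify <binary> against <sums file>. Prints the digest and returns 0 on a
# match, returns 2 when the sums file has no entry, 1 on a mismatch.
verify_plugin() {
  local binary="$1" sums="$2" name expected actual
  name=$(basename "$binary")
  expected=$(published_digest "$sums" "$name")
  if [ -z "$expected" ]; then
    echo "no published digest for $name" >&2
    return 2
  fi
  actual=$(sha256_of "$binary")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $name" >&2
    return 1
  fi
  printf '%s\n' "$actual"
}

# Print (do not run) the catalog registration, pinned to the verified digest.
catalog_command() {
  local binary="$1" sums="$2" catalog_name="$3" digest
  digest=$(verify_plugin "$binary" "$sums") || return $?
  printf 'vault write sys/plugins/catalog/%s sha_256=%s command=%s\n' \
    "$catalog_name" "$digest" "$(basename "$binary")"
}

# Constructed demo: a stand-in "plugin" file and a sums file built from it.
demo() {
  local dir
  dir=$(mktemp -d) || return 1
  printf 'constructed stand-in for a plugin binary\n' > "$dir/vault-ethereum"
  printf '%s  vault-ethereum\n' "$(sha256_of "$dir/vault-ethereum")" > "$dir/SHA256SUMS"
  catalog_command "$dir/vault-ethereum" "$dir/SHA256SUMS" ethereum-plugin
  printf 'tampered\n' >> "$dir/vault-ethereum"   # simulate a modified binary
  catalog_command "$dir/vault-ethereum" "$dir/SHA256SUMS" ethereum-plugin \
    || echo "registration refused"
  rm -rf "$dir"
}
demo
```

Because the digest written to the catalog is the one that was just verified against the published sums, a binary swapped after download fails at this gate, and one swapped after registration fails Vault's own catalog check.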