Managing Server Secrets at Scale with a Vaultless Password Manager

Monday, May 22, 2017 - 2:05pm3:00pm

Ignat Korchagin, Cloudflare


Operating a datacenter or a distributed network involves handling a lot of secrets. In most cases, you have to deal with at least four types of secrets for each piece of hardware: SSH server key, key to bootstrap your configuration management system, disk encryption key, and some per-server credentials to access other services. And often, these keys have to be set up before your configuration management kicks in, making the automation of this process more difficult.

Security-wise, it is important to control where and when those secrets are generated. Often, keys are generated by startup scripts. However, during initial boot (especially on diskless systems), the system may have a low entropy level in its internal random number generator, resulting in statistically weak generated keys.

And once you have your keys, you need to store them securely. This presents a chicken-and-egg problem. Encrypted disk is a great solution, but? You need a key to access an encrypted disk and where do you store that? Also, where do you store keys for diskless systems?

This talk presents an approach that combines hardware support and cryptography to deal with the above issues and unify and simplify secret management for your hardware fleet.

Ignat Korchagin, Cloudflare

Ignat is a systems engineer at Cloudflare working mostly on platform and hardware security. Ignat’s interests are cryptography, hacking, and low-level programming. Before Cloudflare, Ignat worked as senior security engineer for Samsung Electronics’ Mobile Communications Division. His solutions may be found in many older Samsung smart phones and tablets.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@conference {203289,
author = {Ignat Korchagin},
title = {Managing Server Secrets at Scale with a Vaultless Password Manager},
year = {2017},
publisher = {USENIX Association},
month = may

Presentation Video 

Presentation Audio