BSidesLV 2016 has ended
Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
Wednesday, August 3 • 17:00 - 17:50
PAL is your pal: Bootstrapping secrets in Docker

Sign up or log in to save this to your schedule and see who's attending!

Many services that run in Docker containers need to have highly sensitive secrets installed on them. Examples of this include SSL certificates and API keys. Services like Vault and Keywhiz were developed to manage secrets to central authority, however, most of these secret management services require a secret to be present. This presents a bootstrapping problem. To solve this, CloudFlare created PAL: a new tool for bootstrapping secrets in Docker containers.

PAL (Permissive Action Link, named after a tool used to prevent unauthorized detonation of nuclear devices) works by binding identity secrets to Docker containers and decrypting them at launch time through a service running on the host. Permissions require M of N authorization and are handled through a service called Red October. This allows you to simply and transparently bootstrap service-specific secrets.

In this talk I’ll describe the design and implementation of this service and how we use it at CloudFlare to protect secrets for our billing platform and private key infrastructure. We’ll also briefly discuss our plans to use PAL for password hashing and service authorization.

avatar for Nick Sullivan (CloudFlare, Inc.)

Nick Sullivan (CloudFlare, Inc.)

Head of Cryptography, Cloudflare
Nick Sullivan is a leading cryptography and security technologist. As Head of Cryptography at Cloudflare, a top Internet performance and security company, he is responsible for overseeing all cryptographic products and strategy for the company. He was instrumental in building Cloudflare’s... Read More →

Wednesday August 3, 2016 17:00 - 17:50
Passwords16 Tuscany