This event has ended. View the official site or create your own event → Check it out
This event has ended. Create your own
Welcome to BSidesLV 2016, our 8th annual BSides in beautiful Las Vegas, Nevada!
View analytic
Wednesday, August 3 • 17:00 - 17:50
PAL is your pal: Bootstrapping secrets in Docker

Sign up or log in to save this to your schedule and see who's attending!

Many services that run in Docker containers need to have highly sensitive secrets installed on them. Examples of this include SSL certificates and API keys. Services like Vault and Keywhiz were developed to manage secrets to central authority, however, most of these secret management services require a secret to be present. This presents a bootstrapping problem. To solve this, CloudFlare created PAL: a new tool for bootstrapping secrets in Docker containers.

PAL (Permissive Action Link, named after a tool used to prevent unauthorized detonation of nuclear devices) works by binding identity secrets to Docker containers and decrypting them at launch time through a service running on the host. Permissions require M of N authorization and are handled through a service called Red October. This allows you to simply and transparently bootstrap service-specific secrets.

In this talk I’ll describe the design and implementation of this service and how we use it at CloudFlare to protect secrets for our billing platform and private key infrastructure. We’ll also briefly discuss our plans to use PAL for password hashing and service authorization.


Nick Sullivan

Head of Cryptography, CloudFlare Inc.
Nick Sullivan is a leading cryptography and security technologist. He currently works on cryptographic products and strategy for CloudFlare. Previously, he held the prestigious title of "Mathemagician" at Apple, where he encrypted books, songs, movies and other varieties of mass media. | | Talk to Nick about crypto, TLS, infrastructure security, key management and startup security.

Wednesday August 3, 2016 17:00 - 17:50
Passwords16 Tuscany