From 34af26ac4090b7f3eb8048d0c3ea4468a6d4ceeb Mon Sep 17 00:00:00 2001 From: wwy-hust Date: Fri, 8 May 2015 17:41:40 +0800 Subject: [PATCH 1/3] finish first translate, need more modification --- ...tore Passwords and Api Keys Using Vault.md | 166 ++++++++++++++++++ 1 file changed, 166 insertions(+) create mode 100644 translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md diff --git a/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md b/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md new file mode 100644 index 0000000000..4fdfb4c9e6 --- /dev/null +++ b/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md 
@@ -0,0 +1,166 @@ +如何使用Vault安全的存储密码和API密钥 +======================================================================= +Vault是用于安全的获取保密信息的工具。他可以保存密码、API密钥、证书等信息。Vault通过强访问控制机制和高扩展性的事件日志提供了一个统一的接口来访问保密信息。 + +对关键信息的准许访问是一个困难的问题,尤其是当有许多用户角色和用户请求不同的关键信息,例如使用不同的权限登录数据库的细节,对外服务的API密钥,面向服务的架构的通信证书等。当保密信息由不同的平台进行管理,并且使用一些自定义的配置时,情况变得更糟,因此,安全的存储、管理审计日志几乎是不可能的。但Vault为这种复杂情况提供了一个解决方案。 + +### 突出特点 ### + +数据加密:Vault能够保证在不存储数据的情况下对数据进行加密、解密。开发者们现在便可以存储加密后的数据而无需开发他们自己的加密技术,Vault还允许安全团队自定义安全参数。 + +**安全密码存储**:Vault在将保密信息(API密钥、密码、证书)存储到持久化存储之前对数据进行加密。因此,如果有人偶尔拿到了获取存储的数据的权限,这也没有任何意义,除非数据被解密。 + +**动态密码**:Vault为类似AWS和SQL数据库的系统按需产生密码。如果应用需要获得AWS S3的桶,例如,它向Vault请求AWS密钥对,即请求需要的保密信息一段租用期。这个保密信息在租用时间过期后将变得不可用。 + +**租赁和更新**:Vault以租用期为限制授予保密信息,一旦租用期过期,它便立刻收回保密信息,如果应用仍需要保密信息,则可以通过API更新租用期。 + +**撤销**:在租用期到期之前,Vault可以撤销一个保密信息或者一个保密信息树。 + +### 安装Vault ### + +有两种方式来安装使用Vault。 + +**1. 预编译的Vault二进制** 能用于所有的Linux发行版,下载地址如下,一旦下载完成,解压并将它放在系统PATH路径下,以便方便的调用。 + +- [Download Precompiled Vault Binary (32-bit)][1] +- [Download Precompiled Vault Binary (64-bit)][2] +- [Download Precompiled Vault Binary (ARM)][3] + +下载相应的预编译的Vault二进制版本。 + +![wget binary](http://blog.linoxide.com/wp-content/uploads/2015/04/wget-binary.png) + +解压下载到的二进制版本。 + +![vault](http://blog.linoxide.com/wp-content/uploads/2015/04/unzip.png) + +祝贺!您现在可以使用Vault了。 + +![](http://blog.linoxide.com/wp-content/uploads/2015/04/vault.png) + +**2. 
从源代码编译** 是另一种在系统中安装Vault的方式。在安装Vault之前需要安装GO和GIT。 + +在 **Redhat系统中安装GO** 使用下面的指令。 + + sudo yum install go + +在 **Debin系统中安装GO** 使用下面的指令。 + + sudo apt-get install golang + +或者 + + sudo add-apt-repository ppa:gophers/go + + sudo apt-get update + + sudo apt-get install golang-stable + +在 **Redhat系统中安装GIT** 使用下面的命令。 + + sudo yum install git + +在 **Debian系统中安装GIT** 使用下面的命令。 + + sudo apt-get install git + +一旦GO和GIT都已被安装好,我们便可以开始从源码编译安装Vault。 + +> 将下列的Vault仓库拷贝到GOPATH + + https://github.com/hashicorp/vault + +> 测试下面的文件是否存在,如果它不存在,那么Vault没有被克隆到合适的路径。 + + $GOPATH/src/github.com/hashicorp/vault/main.go + +> 执行下面的指令来编译Vault,并将二进制文件放到系统bin目录下。 + + make dev + +![path](http://blog.linoxide.com/wp-content/uploads/2015/04/installation4.png) + +### 一份Vault入门教程 ### + +我们已经编译了Vault的官方交互式教程,以及他在SSH上的输出 + +**概述** + +这份教程包括下列步骤: + +- 初始化,开启您的Vault +- 在Vault中对您的请求授权 +- 读写保密信息 +- 密封您的Vault + +**初始化您的Vault** + +首先,我们需要为您初始化一个Vault的工作实例。 +在初始化过程中,您可以配置Vault的密封行为。 +现在初始化Vault,简单起见,使用一个非密封密钥 + + vault init -key-shares=1 -key-threshold=1 + +您会注意到Vault在这里打印出了许多的密钥。不要清楚您的终端,这些密钥在后面的步骤中会使用到。 + +![Initializing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Initializing-SSH.png) + +**开启您的Vault** + +当一个Vault服务器启动时,它是密封的状态。在这种状态下,Vault被配置为知道在哪里和如何存取物理存储,但不知道如何对其进行解密。 +Vault使用加密密钥来加密数据。这个密钥由"主密钥"加密,主密钥不保存。解密主密钥需要一个碎片的阈值。在这个例子中,我们使用一个碎片来解密这个主密钥。 + + vault unseal + +![Unsealing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Unsealing-SSH.png) + +**为您的请求授权** + +在执行任何操作之前,连接的客户端应该被授权。授权的过程是检验一个人或者机器是不是他们说的那样,并被赋予了身份。这个身份在向Vault发送请求时被使用。 +为简单起见,我们将使用在步骤2中生成的root令牌。这个输出应该以滚动模式出现。 + + vault auth + +![Authorize SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Authorize-SSH.png) + +**读写保密信息** + +现在Vault已经被设置妥当,我们可以开始使用默认的密码后端读写保密信息了。写在Vault中的保密信息被加密并被写入后端的存储。后端存储机制不会查看未加密的值,并且没有任何无需Vault即可解密的必要信息。 + + vault write secret/hello value=world + +当然,您接下来便可以读这个保密信息了: + + vault read secret/hello + +![RW_SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/RW_SSH.png) + +**密封您的Vault** + 
+有一个API来密封Vault。它将丢掉加密密钥并需要其他解密过程来恢复它。密封仅需要一个拥有root权限的单独操作。这通常是一种罕见的"打破玻璃过程"的一部分。 +这种方式中,如果有一个检测到的入侵,Vault数据将会立刻被锁住,以便最小化损失。如果没有获取到主密钥碎片,它不会被再次获取。 + + vault seal + +![Seal Vault SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Seal-Vault-SSH.png) + +这便是入门教程的结尾。 + +### 总结 ### + +Vault是一个非常有用的应用,它提供了一个可靠且安全的存储关键信息的方式。另外,它在存储前加密关键信息,维护他的审计日志,并以租用期的方式获取保密信息,且一旦租用期过期,它将立刻收回保密信息。Vault是平台独立的,并且可以免费下载和安装。要发掘Vault的更多信息,请访问官方网站。 + +-------------------------------------------------------------------------------- + +via: http://linoxide.com/how-tos/secure-secret-store-vault/ + +作者:[Aun Raza][a] +译者:[译者ID](https://github.com/译者ID) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:http://linoxide.com/author/arunrz/ +[1]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_386.zip +[2]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_amd64.zip +[3]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_arm.zip From adec7006040adf445e6a64c3e176540ac3d75e70 Mon Sep 17 00:00:00 2001 From: wwy Date: Sat, 9 May 2015 09:34:28 +0800 Subject: [PATCH 2/3] Update 20150506 How to Securely Store Passwords and Api Keys Using Vault.md reviewed the translation, do some modification. --- ...tore Passwords and Api Keys Using Vault.md | 109 +++++++++--------- 1 file changed, 52 insertions(+), 57 deletions(-) diff --git a/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md b/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md index 4fdfb4c9e6..e9e54ac43d 100644 --- a/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md +++ b/translated/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md 
@@ -1,54 +1,54 @@ -如何使用Vault安全的存储密码和API密钥 +濡備綍浣跨敤Vault瀹夊叏鐨勫瓨鍌ㄥ瘑鐮佸拰API瀵嗛挜 ======================================================================= -Vault是用于安全的获取保密信息的工具。他可以保存密码、API密钥、证书等信息。Vault通过强访问控制机制和高扩展性的事件日志提供了一个统一的接口来访问保密信息。 +Vault鏄敤鏉ュ畨鍏ㄧ殑鑾峰彇绉樺瘑淇℃伅鐨勫伐鍏枫備粬鍙互淇濆瓨瀵嗙爜銆丄PI瀵嗛挜銆佽瘉涔︾瓑淇℃伅銆俈ault閫氳繃寮鸿闂帶鍒舵満鍒跺拰楂樻墿灞曟х殑浜嬩欢鏃ュ織鎻愪緵浜嗕竴涓粺涓鐨勬帴鍙f潵璁块棶绉樺瘑淇℃伅銆 -对关键信息的准许访问是一个困难的问题,尤其是当有许多用户角色和用户请求不同的关键信息,例如使用不同的权限登录数据库的细节,对外服务的API密钥,面向服务的架构的通信证书等。当保密信息由不同的平台进行管理,并且使用一些自定义的配置时,情况变得更糟,因此,安全的存储、管理审计日志几乎是不可能的。但Vault为这种复杂情况提供了一个解决方案。 +瀵瑰叧閿俊鎭殑鎺堟潈璁块棶鏄竴涓洶闅剧殑闂锛屽挨鍏舵槸褰撴湁璁稿鐢ㄦ埛瑙掕壊鍜岀敤鎴疯姹備笉鍚岀殑鍏抽敭淇℃伅锛屼緥濡傜敤涓嶅悓鏉冮檺鐧诲綍鏁版嵁搴撶殑缁嗚妭锛屽澶栨湇鍔$殑API瀵嗛挜锛岄潰鍚戞湇鍔℃灦鏋勯氫俊鐨勮瘉涔︾瓑銆傚綋淇濆瘑淇℃伅鐢变笉鍚岀殑骞冲彴杩涜绠$悊锛屽苟浣跨敤涓浜涜嚜瀹氫箟鐨勯厤缃椂锛屾儏鍐靛彉寰楁洿绯燂紝鍥犳锛屽畨鍏ㄧ殑瀛樺偍銆佺鐞嗗璁℃棩蹇楀嚑涔庢槸涓嶅彲鑳界殑銆備絾Vault涓鸿繖绉嶅鏉傛儏鍐垫彁渚涗簡涓涓В鍐虫柟妗堛 -### 突出特点 ### +### 绐佸嚭鐗圭偣 ### -数据加密:Vault能够保证在不存储数据的情况下对数据进行加密、解密。开发者们现在便可以存储加密后的数据而无需开发他们自己的加密技术,Vault还允许安全团队自定义安全参数。 +鏁版嵁鍔犲瘑锛歏ault鑳藉鍦ㄤ笉瀛樺偍鏁版嵁鐨勬儏鍐典笅瀵规暟鎹繘琛屽姞瀵嗐佽В瀵嗐傚紑鍙戣呬滑渚垮彲浠ュ瓨鍌ㄥ姞瀵嗗悗鐨勬暟鎹屾棤闇寮鍙戣嚜宸辩殑鍔犲瘑鎶鏈紝Vault杩樺厑璁稿畨鍏ㄥ洟闃熻嚜瀹氫箟瀹夊叏鍙傛暟銆 -**安全密码存储**:Vault在将保密信息(API密钥、密码、证书)存储到持久化存储之前对数据进行加密。因此,如果有人偶尔拿到了获取存储的数据的权限,这也没有任何意义,除非数据被解密。 +**瀹夊叏瀵嗙爜瀛樺偍**锛歏ault鍦ㄥ皢绉樺瘑淇℃伅锛圓PI瀵嗛挜銆佸瘑鐮併佽瘉涔︼級瀛樺偍鍒版寔涔呭寲瀛樺偍涔嬪墠瀵规暟鎹繘琛屽姞瀵嗐傚洜姝わ紝濡傛灉鏈変汉鍋跺皵鎷垮埌浜嗚幏鍙栧瓨鍌ㄧ殑鏁版嵁鐨勬潈闄愶紝杩欎篃娌℃湁浠讳綍鎰忎箟锛岄櫎闈炲姞瀵嗗悗鐨勪俊鎭瑙e瘑銆 -**动态密码**:Vault为类似AWS和SQL数据库的系统按需产生密码。如果应用需要获得AWS S3的桶,例如,它向Vault请求AWS密钥对,即请求需要的保密信息一段租用期。这个保密信息在租用时间过期后将变得不可用。 +**鍔ㄦ佸瘑鐮**锛歏ault涓篈WS銆丼QL鏁版嵁搴撶被浼肩殑绯荤粺鎸夐渶浜х敓瀵嗙爜銆傚鏋滃簲鐢ㄩ渶瑕佽幏寰桝WS S3鐨勬《锛屾瘮濡傦紝瀹冨悜Vault璇锋眰AWS瀵嗛挜瀵癸紝Vault灏嗘巿浜堥渶瑕佺殑绉樺瘑淇℃伅涓娈电鐢ㄦ湡鏃堕棿銆備竴鏃︾鐢ㄦ湡杩囨湡锛岃繖涓瀵嗕俊鎭皢鍙樺緱涓嶅彲鐢ㄣ -**租赁和更新**:Vault以租用期为限制授予保密信息,一旦租用期过期,它便立刻收回保密信息,如果应用仍需要保密信息,则可以通过API更新租用期。 +**绉熻祦鍜屾洿鏂**锛歏ault浠ョ鐢ㄦ湡涓洪檺鍒舵巿浜堢瀵嗕俊鎭紝涓鏃︾鐢ㄦ湡杩囨湡锛屽畠渚跨珛鍒绘敹鍥炰繚瀵嗕俊鎭紝濡傛灉搴旂敤浠嶉渶瑕佷繚瀵嗕俊鎭紝鍒欏彲浠ラ氳繃API鏇存柊绉熺敤鏈熴 -**撤销**:在租用期到期之前,Vault可以撤销一个保密信息或者一个保密信息树。 +**鎾ら攢**锛氬湪绉熺敤鏈熷埌鏈熶箣鍓嶏紝Vault鍙互鎾ら攢涓涓瀵嗕俊鎭垨鑰呬竴涓瀵嗕俊鎭爲銆 -### 安装Vault ### +### 瀹夎Vault ### -有两种方式来安装使用Vault。 +鏈変袱绉嶆柟寮忔潵瀹夎浣跨敤Vault銆 -**1. 预编译的Vault二进制** 能用于所有的Linux发行版,下载地址如下,一旦下载完成,解压并将它放在系统PATH路径下,以便方便的调用。 +**1. 
棰勭紪璇戠殑Vault浜岃繘鍒** 鑳界敤浜庢墍鏈夌殑Linux鍙戣鐗堬紝涓嬭浇鍦板潃濡備笅锛屼竴鏃︿笅杞藉畬鎴愶紝瑙e帇骞跺皢瀹冩斁鍦ㄧ郴缁烶ATH璺緞涓嬶紝浠ユ柟渚胯皟鐢ㄣ - [Download Precompiled Vault Binary (32-bit)][1] - [Download Precompiled Vault Binary (64-bit)][2] - [Download Precompiled Vault Binary (ARM)][3] -下载相应的预编译的Vault二进制版本。 +涓嬭浇鐩稿簲鐨勯缂栬瘧鐨刅ault浜岃繘鍒剁増鏈 ![wget binary](http://blog.linoxide.com/wp-content/uploads/2015/04/wget-binary.png) -解压下载到的二进制版本。 +瑙e帇涓嬭浇鍒版湰鍦扮殑浜岃繘鍒剁増鏈 ![vault](http://blog.linoxide.com/wp-content/uploads/2015/04/unzip.png) -祝贺!您现在可以使用Vault了。 +绁濊春锛佹偍鐜板湪鍙互浣跨敤Vault浜嗐 ![](http://blog.linoxide.com/wp-content/uploads/2015/04/vault.png) -**2. 从源代码编译** 是另一种在系统中安装Vault的方式。在安装Vault之前需要安装GO和GIT。 +**2. 浠庢簮浠g爜缂栬瘧** 鏄彟涓绉嶅湪绯荤粺涓畨瑁匳ault鐨勬柟寮忋傚湪瀹夎Vault涔嬪墠闇瑕佸畨瑁匞O鍜孏IT銆 -在 **Redhat系统中安装GO** 使用下面的指令。 +鍦 **Redhat绯荤粺涓畨瑁匞O** 浣跨敤涓嬮潰鐨勬寚浠ゃ sudo yum install go -在 **Debin系统中安装GO** 使用下面的指令。 +鍦 **Debin绯荤粺涓畨瑁匞O** 浣跨敤涓嬮潰鐨勬寚浠ゃ sudo apt-get install golang -或者 +鎴栬 sudo add-apt-repository ppa:gophers/go 
@@ -56,109 +56,104 @@ Vault sudo apt-get install golang-stable -在 **Redhat系统中安装GIT** 使用下面的命令。 +鍦 **Redhat绯荤粺涓畨瑁匞IT** 浣跨敤涓嬮潰鐨勫懡浠ゃ sudo yum install git -在 **Debian系统中安装GIT** 使用下面的命令。 +鍦 **Debian绯荤粺涓畨瑁匞IT** 浣跨敤涓嬮潰鐨勫懡浠ゃ sudo apt-get install git -一旦GO和GIT都已被安装好,我们便可以开始从源码编译安装Vault。 +涓鏃O鍜孏IT閮藉凡琚畨瑁呭ソ锛屾垜浠究鍙互寮濮嬩粠婧愮爜缂栬瘧瀹夎Vault銆 -> 将下列的Vault仓库拷贝到GOPATH +> 灏嗕笅鍒楃殑Vault浠撳簱鎷疯礉鑷矴OPATH https://github.com/hashicorp/vault -> 测试下面的文件是否存在,如果它不存在,那么Vault没有被克隆到合适的路径。 +> 娴嬭瘯涓嬮潰鐨勬枃浠舵槸鍚﹀瓨鍦紝濡傛灉瀹冧笉瀛樺湪锛岄偅涔圴ault娌℃湁琚厠闅嗗埌鍚堥傜殑璺緞銆 $GOPATH/src/github.com/hashicorp/vault/main.go -> 执行下面的指令来编译Vault,并将二进制文件放到系统bin目录下。 +> 鎵ц涓嬮潰鐨勬寚浠ゆ潵缂栬瘧Vault锛屽苟灏嗕簩杩涘埗鏂囦欢鏀惧埌绯荤粺bin鐩綍涓嬨 make dev ![path](http://blog.linoxide.com/wp-content/uploads/2015/04/installation4.png) -### 一份Vault入门教程 ### +### 涓浠絍ault鍏ラ棬鏁欑▼ ### -我们已经编译了Vault的官方交互式教程,以及他在SSH上的输出 +鎴戜滑宸茬粡缂栬瘧浜哣ault鐨勫畼鏂逛氦浜掑紡鏁欑▼锛屽苟灏嗗畠杈撳嚭鍒癝SH銆 -**概述** +**姒傝堪** -这份教程包括下列步骤: +杩欎唤鏁欑▼鍖呮嫭涓嬪垪姝ラ锛 -- 初始化,开启您的Vault -- 在Vault中对您的请求授权 -- 读写保密信息 -- 密封您的Vault +- 鍒濆鍖栵紝寮鍚偍鐨刅ault +- 鍦╒ault涓鎮ㄧ殑璇锋眰鎺堟潈 +- 璇诲啓绉樺瘑淇℃伅 +- 瀵嗗皝鎮ㄧ殑Vault -**初始化您的Vault** +**鍒濆鍖栨偍鐨刅ault** -首先,我们需要为您初始化一个Vault的工作实例。 -在初始化过程中,您可以配置Vault的密封行为。 -现在初始化Vault,简单起见,使用一个非密封密钥 +棣栧厛锛屾垜浠渶瑕佷负鎮ㄥ垵濮嬪寲涓涓猇ault鐨勫伐浣滃疄渚嬨傚湪鍒濆鍖栬繃绋嬩腑锛屾偍鍙互閰嶇疆Vault鐨勫瘑灏佽涓恒傜畝鍗曡捣瑙侊紝鐜板湪浣跨敤涓涓潪瀵嗗皝瀵嗛挜鏉ュ垵濮嬪寲Vault銆 vault init -key-shares=1 -key-threshold=1 -您会注意到Vault在这里打印出了许多的密钥。不要清楚您的终端,这些密钥在后面的步骤中会使用到。 +鎮ㄤ細娉ㄦ剰鍒癡ault鍦ㄨ繖閲屾墦鍗板嚭浜嗚澶氱殑瀵嗛挜銆備笉瑕佹竻闄ゆ偍鐨勭粓绔紝杩欎簺瀵嗛挜鍦ㄥ悗闈㈢殑姝ラ涓細浣跨敤鍒般 ![Initializing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Initializing-SSH.png) -**开启您的Vault** +**寮鍚偍鐨刅ault** -当一个Vault服务器启动时,它是密封的状态。在这种状态下,Vault被配置为知道在哪里和如何存取物理存储,但不知道如何对其进行解密。 -Vault使用加密密钥来加密数据。这个密钥由"主密钥"加密,主密钥不保存。解密主密钥需要一个碎片的阈值。在这个例子中,我们使用一个碎片来解密这个主密钥。 +褰撲竴涓猇ault鏈嶅姟鍣ㄥ惎鍔ㄦ椂锛屽畠鏄瘑灏佺殑鐘舵併傚湪杩欑鐘舵佷笅锛孷ault琚厤缃负鐭ラ亾鍦ㄥ摢閲屽拰濡備綍瀛樺彇鐗╃悊瀛樺偍锛屼絾涓嶇煡閬撳浣曞鍏惰繘琛岃В瀵嗐俈ault浣跨敤鍔犲瘑瀵嗛挜鏉ュ姞瀵嗘暟鎹傝繖涓瘑閽ョ敱"涓诲瘑閽"鍔犲瘑锛屼富瀵嗛挜涓嶄繚瀛樸傝В瀵嗕富瀵嗛挜闇瑕佷竴涓鐗囩殑闃堝笺傚湪杩欎釜渚嬪瓙涓紝鎴戜滑浣跨敤涓涓鐗囨潵瑙e瘑杩欎釜涓诲瘑閽ャ vault unseal ![Unsealing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Unsealing-SSH.png) -**为您的请求授权** 
+**涓烘偍鐨勮姹傛巿鏉** -在执行任何操作之前,连接的客户端应该被授权。授权的过程是检验一个人或者机器是不是他们说的那样,并被赋予了身份。这个身份在向Vault发送请求时被使用。 -为简单起见,我们将使用在步骤2中生成的root令牌。这个输出应该以滚动模式出现。 +鍦ㄦ墽琛屼换浣曟搷浣滀箣鍓嶏紝杩炴帴鐨勫鎴风搴旇琚巿鏉冦傛巿鏉冪殑杩囩▼鏄楠屼竴涓汉鎴栬呮満鍣ㄦ槸涓嶆槸鍍忎粬浠弿杩扮殑閭f牱锛岃璧嬩簣浜嗚韩浠姐傝繖涓韩浠藉湪鍚慥ault鍙戦佽姹傛椂琚娇鐢ㄣ備负绠鍗曡捣瑙侊紝鎴戜滑灏嗕娇鐢ㄥ湪姝ラ2涓敓鎴愮殑root浠ょ墝銆傝繖涓緭鍑轰細浠ユ粴鍔ㄦā寮忓嚭鐜般備娇鐢ㄤ竴涓鎴风浠ょ墝杩涜鎺堟潈锛 vault auth ![Authorize SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Authorize-SSH.png) -**读写保密信息** +**璇诲啓淇濆瘑淇℃伅** -现在Vault已经被设置妥当,我们可以开始使用默认的密码后端读写保密信息了。写在Vault中的保密信息被加密并被写入后端的存储。后端存储机制不会查看未加密的值,并且没有任何无需Vault即可解密的必要信息。 +鐜板湪Vault宸茬粡琚缃Ε褰擄紝鎴戜滑鍙互寮濮嬩娇鐢ㄩ粯璁ょ殑瀵嗙爜鍚庣璇诲啓绉樺瘑淇℃伅浜嗐傚啓鍦╒ault涓殑绉樺瘑淇℃伅棣栧厛琚姞瀵嗭紝鐒跺悗琚啓鍏ュ悗绔殑瀛樺偍銆傚悗绔瓨鍌ㄦ満鍒朵笉浼氭煡鐪嬫湭鍔犲瘑鐨勫硷紝骞朵笖娌℃湁鏃犻渶Vault鍗冲彲瑙e瘑鐨勬柟娉曘 vault write secret/hello value=world -当然,您接下来便可以读这个保密信息了: +褰撶劧锛屾偍鎺ヤ笅鏉ヤ究鍙互璇昏繖涓繚瀵嗕俊鎭簡锛 vault read secret/hello ![RW_SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/RW_SSH.png) -**密封您的Vault** +**瀵嗗皝鎮ㄧ殑Vault** -有一个API来密封Vault。它将丢掉加密密钥并需要其他解密过程来恢复它。密封仅需要一个拥有root权限的单独操作。这通常是一种罕见的"打破玻璃过程"的一部分。 -这种方式中,如果有一个检测到的入侵,Vault数据将会立刻被锁住,以便最小化损失。如果没有获取到主密钥碎片,它不会被再次获取。 +鏈変竴涓狝PI鏉ュ瘑灏乂ault銆傚畠灏嗕涪鎺夊姞瀵嗗瘑閽ュ苟闇瑕佸叾浠栨湭瀵嗗皝鐨勮繃绋嬫潵鎭㈠瀹冦傚瘑灏佷粎闇瑕佷竴涓嫢鏈塺oot鏉冮檺鐨勬搷浣滆呫傝繖閫氬父鏄竴绉嶇綍瑙佺殑"鎵撶牬鐜荤拑杩囩▼"鐨勪竴閮ㄥ垎銆傝繖绉嶆柟寮忎腑锛屽鏋滄湁涓涓娴嬪埌鐨勫叆渚碉紝Vault鏁版嵁灏嗕細绔嬪埢琚攣浣忥紝浠ヤ究鏈灏忓寲鎹熷け銆傚鏋滄病鏈夎幏鍙栧埌涓诲瘑閽ョ鐗囷紝鏁版嵁涓嶄細琚啀娆¤幏鍙栥 vault seal ![Seal Vault SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Seal-Vault-SSH.png) -这便是入门教程的结尾。 +杩欎究鏄叆闂ㄦ暀绋嬬殑缁撳熬銆 -### 总结 ### +### 鎬荤粨 ### -Vault是一个非常有用的应用,它提供了一个可靠且安全的存储关键信息的方式。另外,它在存储前加密关键信息,维护他的审计日志,并以租用期的方式获取保密信息,且一旦租用期过期,它将立刻收回保密信息。Vault是平台独立的,并且可以免费下载和安装。要发掘Vault的更多信息,请访问官方网站。 +Vault鏄竴涓潪甯告湁鐢ㄧ殑搴旂敤锛屽畠鎻愪緵浜嗕竴涓彲闈犱笖瀹夊叏鐨勫瓨鍌ㄥ叧閿俊鎭殑鏂瑰紡銆傚彟澶栵紝瀹冨湪瀛樺偍鍓嶅姞瀵嗗叧閿俊鎭紝缁存姢浠栫殑瀹¤鏃ュ織锛屽苟浠ョ鐢ㄦ湡鐨勬柟寮忚幏鍙栫瀵嗕俊鎭紝涓斾竴鏃︾鐢ㄦ湡杩囨湡锛屽畠灏嗙珛鍒绘敹鍥炵瀵嗕俊鎭俈ault鏄钩鍙扮嫭绔嬬殑锛屽苟涓斿彲浠ュ厤璐逛笅杞藉拰瀹夎銆傝鍙戞帢Vault鐨勬洿澶氫俊鎭紝璇疯闂畼鏂圭綉绔欍 -------------------------------------------------------------------------------- via: http://linoxide.com/how-tos/secure-secret-store-vault/ -作者:[Aun Raza][a] -译者:[译者ID](https://github.com/译者ID) 
-校对:[校对者ID](https://github.com/校对者ID) +浣滆咃細[Aun Raza][a] +璇戣咃細[wwy-hust](https://github.com/wwy-hust) +鏍″锛歔鏍″鑰匢D](https://github.com/鏍″鑰匢D) -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](https://linux.cn/) 荣誉推出 +鏈枃鐢 [LCTT](https://github.com/LCTT/TranslateProject) 鍘熷垱缈昏瘧锛孾Linux涓浗](https://linux.cn/) 鑽h獕鎺ㄥ嚭 [a]:http://linoxide.com/author/arunrz/ [1]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_386.zip From 5013e0e3c814990a079b3cda0e487e0ea9c18402 Mon Sep 17 00:00:00 2001 From: wwy Date: Sat, 9 May 2015 09:36:42 +0800 Subject: [PATCH 3/3] Delete 20150506 How to Securely Store Passwords and Api Keys Using Vault.md remove the source of translation --- ...tore Passwords and Api Keys Using Vault.md | 170 ------------------ 1 file changed, 170 deletions(-) delete mode 100644 sources/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md diff --git a/sources/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md b/sources/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md deleted file mode 100644 index 858197989d..0000000000 --- a/sources/tech/20150506 How to Securely Store Passwords and Api Keys Using Vault.md +++ /dev/null 
@@ -1,170 +0,0 @@ -Translating by wwy-hust - - -How to Securely Store Passwords and Api Keys Using Vault -================================================================================ -Vault is a tool that is used to access secret information securely, it may be password, API key, certificate or anything else. Vault provides a unified interface to secret information through strong access control mechanism and extensive logging of events. - -Granting access to critical information is quite a difficult problem when we have multiple roles and individuals across different roles requiring various critical information like, login details to databases with different privileges, API keys for external services, credentials for service oriented architecture communication etc. Situation gets even worse when access to secret information is managed across different platforms with custom settings, so rolling, secure storage and managing the audit logs is almost impossible. But Vault provides a solution to such a complex situation. - -### Salient Features ### - -Data Encryption: Vault can encrypt and decrypt data with no requirement to store it. Developers can now store encrypted data without developing their own encryption techniques and it allows security teams to define security parameters. - -**Secure Secret Storage**: Vault encrypts the secret information (API keys, passwords or certificates) before storing it on to the persistent (secondary) storage. So even if somebody gets access to the stored information by chance, it will be of no use until it is decrypted. - -**Dynamic Secrets**: On demand secrets are generated for systems like AWS and SQL databases. If an application needs to access S3 bucket, for instance, it requests AWS keypair from Vault, which grants the required secret information along with a lease time. The secret information won鈥檛 work once the lease time is expired. 
- -**Leasing and Renewal**: Vault grants secrets with a lease limit, it revokes the secrets as soon as lease expires which can further be renewed through APIs if required. - -**Revocation**: Upon expiring the lease period Vault can revoke a single secret or a tree of secrets. - -### Installing Vault ### - -There are two ways to use Vault. - -**1. Pre-compiled Vault Binary** can be downloaded for all Linux flavors from the following source, once done, unzip it and place it on a system PATH where other binaries are kept so that it can be accessed/invoked easily. - -- [Download Precompiled Vault Binary (32-bit)][1] -- [Download Precompiled Vault Binary (64-bit)][2] -- [Download Precompiled Vault Binary (ARM)][3] - -Download the desired precompiled Vault binary. - -![wget binary](http://blog.linoxide.com/wp-content/uploads/2015/04/wget-binary.png) - -Unzip the downloaded binary. - -![vault](http://blog.linoxide.com/wp-content/uploads/2015/04/unzip.png) - -unzipCongratulations! Vault is ready to be used. - -![](http://blog.linoxide.com/wp-content/uploads/2015/04/vault.png) - -**2. Compiling from source** is another way of installing Vault on the system. GO and GIT are required to be installed and configured properly on the system before we start the installation process. - -To **install GO on Redhat systems** use the following command. - - sudo yum install go - -To **install GO on Debian systems** use the following commands. - - sudo apt-get install golang - -OR - - sudo add-apt-repository ppa:gophers/go - - sudo apt-get update - - sudo apt-get install golang-stable - -To **install GIT on Redhat systems** use the following command. - - sudo yum install git - -To **install GIT on Debian systems** use the following commands. - - sudo apt-get install git - -Once both GO and GIT are installed we start the Vault installation process by compiling from the source. 
- -> Clone following Vault repository into the GOPATH - - https://github.com/hashicorp/vault - -> Verify if the following clone file exist, if it doesn鈥檛 then Vault wasn鈥檛 cloned to the proper path. - - $GOPATH/src/github.com/hashicorp/vault/main.go - -> Run following command to build Vault in the current system and put binary in the bin directory. - - make dev - -![path](http://blog.linoxide.com/wp-content/uploads/2015/04/installation4.png) - -### An introductory tutorial of Vault ### - -We have compiled Vault鈥檚 official interactive tutorial along with its output on SSH. - -**Overview** - -This tutorial will cover the following steps: - -- Initializing and unsealing your Vault -- Authorizing your requests to Vault -- Reading and writing secrets -- Sealing your Vault - -**Initialize your Vault** - -To get started, we need to initialize an instance of Vault for you to work with. -While initializing, you can configure the seal behavior of Vault. -Initialize Vault now, with 1 unseal key for simplicity, using the command: - - vault init -key-shares=1 -key-threshold=1 - -You'll notice Vault prints out several keys here. Don't clear your terminal, as these are needed in the next few steps. - -![Initializing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Initializing-SSH.png) - -**Unsealing your Vault** - -When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it. -Vault encrypts data with an encryption key. This key is encrypted with the "master key", which isn't stored. Decrypting the master key requires a threshold of shards. In this example, we use one shard to decrypt this master key. - - vault unseal - -![Unsealing SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Unsealing-SSH.png) - -**Authorize your requests** - -Before performing any operation with Vault, the connecting client must be authenticated. 
Authentication is the process of verifying a person or machine is who they say they are and assigning an identity to them. This identity is then used when making requests with Vault. -For simplicity, we'll use the root token we generated on init in Step 2. This output should be available in the scrollback. -Authorize with a client token: - - vault auth - -![Authorize SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Authorize-SSH.png) - -**Read and write secrets** - -Now that Vault has been set-up, we can start reading and writing secrets with the default mounted secret backend. Secrets written to Vault are encrypted and then written to the backend storage. The backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault. - - vault write secret/hello value=world - -Of course, you can then read this data too: - - vault read secret/hello - -![RW_SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/RW_SSH.png) - -**Seal your Vault** - -There is also an API to seal the Vault. This will throw away the encryption key and require another unseal process to restore it. Sealing only requires a single operator with root privileges. This is typically part of a rare "break glass procedure". -This way, if there is a detected intrusion, the Vault data can be locked quickly to try to minimize damages. It can't be accessed again without access to the master key shards. - - vault seal - -![Seal Vault SSH](http://blog.linoxide.com/wp-content/uploads/2015/04/Seal-Vault-SSH.png) - -That is the end of introductory tutorial. - -### Summary ### - -Vault is a very useful application mainly because of providing a reliable and secure way of storing critical information. Furthermore it encrypts the critical information before storing, maintains audit logs, grants secret information for limited lease time and revokes it once lease is expired. It is platform independent and freely available to download and install. 
To discover more about Vault, readers are encouraged to visit the official website. - --------------------------------------------------------------------------------- - -via: http://linoxide.com/how-tos/secure-secret-store-vault/ - -浣滆咃細[Aun Raza][a] -璇戣咃細[璇戣匢D](https://github.com/璇戣匢D) -鏍″锛歔鏍″鑰匢D](https://github.com/鏍″鑰匢D) - -鏈枃鐢 [LCTT](https://github.com/LCTT/TranslateProject) 鍘熷垱缈昏瘧锛孾Linux涓浗](https://linux.cn/) 鑽h獕鎺ㄥ嚭 - -[a]:http://linoxide.com/author/arunrz/ -[1]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_386.zip -[2]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_amd64.zip -[3]:https://dl.bintray.com/mitchellh/vault/vault_0.1.0_linux_arm.zip
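Review bot: In [PATCH 1/3] (hunk @@ -0,0 +1,166 @@) the Debian GO install line has a typo, "+在 **Debin系统中安装GO**" should be "Debian系统" (the GIT line a few lines below already spells it correctly), and "不要清楚您的终端" should be "不要清除您的终端" (the source says "Don't clear your terminal"). Two mistranslations in the sealing paragraph change the security meaning and should be fixed before merge: "密封仅需要一个拥有root权限的单独操作" renders "a single operator with root privileges" as a single operation rather than a single operator (suggest "只需要一个拥有root权限的操作者"), and "需要其他解密过程来恢复它" should be "需要再次解封才能恢复" for "require another unseal process". The translator line still carries the template placeholder "译者:[译者ID](https://github.com/译者ID)" and should be filled in.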
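Review bot: In [PATCH 2/3], hunk @@ -1,54 +1,54 @@, every `+` line is mojibake: the readable UTF-8 Chinese of each `-` line comes back as its bytes decoded through a GBK-style codepage (for example "-如何使用Vault安全的存储密码和API密钥" becomes "+濡備綍浣跨敤Vault瀹夊叏鐨勫瓨鍌ㄥ瘑鐮佸拰API瀵嗛挜"), so this commit replaces a readable translation with unreadable text. Please do not merge as-is: re-open the file in a UTF-8 locale, confirm with `file` or `iconv -f utf-8` that it round-trips cleanly, and re-apply the wording changes on top of the readable version. The "Debin" typo from the first patch also survives here in "+鍦 **Debin绯荤粺涓畨瑁匞O**".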
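Review bot: In [PATCH 2/3], hunk @@ -56,109 +56,104 @@, the same encoding corruption affects every added line, including the paragraphs that this review was meant to improve (the unseal, authorize and seal explanations), so none of the intended wording fixes are verifiable from the diff. The one change that is recoverable is the translator credit "+璇戣咃細[wwy-hust](https://github.com/wwy-hust)", since the ID and URL are ASCII; the reviewer placeholder line is still a template value. Suggest redoing this hunk on the UTF-8 file so that the three-line "首先…/在初始化过程中…/现在初始化…" block being collapsed into one paragraph, and the other edits, can actually be read and checked.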
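Review bot: In [PATCH 3/3], hunk @@ -1,170 +0,0 @@, the deleted `-` lines show "won鈥檛", "doesn鈥檛" and "Vault鈥檚" where the English source has curly apostrophes: this is the same codepage artifact seen in [PATCH 2/3], which points at the working copy or the tool producing this series not handling UTF-8 rather than at the file content itself. Removing the source after the translation lands matches the project's sources/ to translated/ workflow, but confirm the encoding of the checked-out tree before the series is merged, otherwise the committed translated file will carry the corrupted bytes.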