Co-founder and senior consultant Michael Greenlaw had the opportunity to present at HashiTalks: Secure in February 2023. His presentation, “HashiPass – Vault and Boundary; Managing Secrets at Home”, was a dissection of the ways you can be more aware of your security when it comes to access and password management. He presented the subject with the trademark calm demeanor that continues to win over his clients and earn their trust, speaking with quiet confidence about the HashiCorp products Vault and Boundary and about the coding process of experimenting with what can be accomplished by exploring the boundaries of Boundary.
What are Vault & Boundary?
Vault is an identity-based secrets and encryption management system. A secret can be anything you want to protect, such as passwords, JWTs, API keys, etc. Vault stores these secrets encrypted and gates access to them through different methods of authentication and authorization. This makes Vault one of the first lines of defense in protecting your sensitive information. It can validate identities against trusted third parties, and it authorizes access to keys, secrets, and more. Boundary is a tool that provides secure, zero-trust access to managed infrastructure. It allows secure access to hosts and critical systems without having to distribute or manage credentials.
So what does this mean? Boundary acts as its name suggests: as a barrier that protects entry to, and tracks exit from, various remote systems or hosts. Michael presents the conundrum of living in an age where nearly everything accessible online requires some form of password or another. That makes sense, since part of the zero-trust approach is to make sure that everything requires authentication and access authorization based on user and role. But he uses the anecdote of his father to show how, in our attempts to protect everything done online, there can also be compromise in plain sight.
Preventing Password Management Mayhem
As his father tried to stay safe in retirement, he asked for help securing the information that would now live on his computer. Michael suggested a password management system, but alas, this did not fully protect his family against a hacking incident. This brought Michael to the question: “What can I do to help my family be safe?” The solution he hopes to arrive at is “HashiPass”. This working theory for safeguarding your data builds on HashiCorp products that can be used both in business and in the home. The system would need to scale for business from a start-up to a larger company, and it would need to be usable in the home by tech-savvy cybersecurity professionals and their sometimes less technologically aware parents alike. The focal points of this process are that it should be cheap, simple, scalable, secure and, of course, follow the zero-trust security approach. The thought behind this was to create something with a one-click run: something quick and easy to automate.
He leveraged Terraform, EKS, and Helm to create a one-click solution. Terraform created the VPC, EKS cluster, bastion host and ALB, then applied Helm charts to stand up Boundary and Vault. Vault would sit on the EKS cluster with traffic forwarded through the ALB, while secrets would be obtainable through Vault’s CLI and GUI. The bastion host would be used to port-forward traffic from localhost to the ALB.
This brought Michael and his team to Boundary, since using a PEM key isn’t a zero-trust solution. They needed a cheap IdP with OIDC authentication, which led them to Auth0. The benefit of using Auth0 was that, for the most part, it satisfied the following points: it’s cheap, it works with Boundary, it integrates with YubiKey, it can handle MFA, and its management can be done in Terraform. Boundary workers and controllers are created in Terraform; then you can configure users, scopes, roles, groups, and backend servers. There is an auth method in the code that points at the Auth0 Terraform module for Boundary authentication. This means he was able to set up his user in Auth0 and then add it in Terraform, after which the user could authenticate directly into Boundary. While the initial plan was missing workers, the second iteration rectified this; but the infrastructure started to grow and become complicated as they introduced the idea of adding another ALB in front of Boundary while maintaining the one in front of Vault, with Boundary in essence acting as a bastion.
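One way to express the Auth0-backed Boundary auth method, scopes and role described above in Terraform, as an added example that is not the talk’s own code. It assumes the hashicorp/boundary provider is already configured, an Auth0 application already exists, and the Boundary API is reachable at the placeholder boundary.example.com.

```hcl
# Added example (not from the talk): Auth0 OIDC auth method for Boundary, a managed
# group of allowed Auth0 logins, and a least-privilege role. The variables and
# boundary.example.com are placeholders.
variable "auth0_domain" { type = string } # e.g. tenant.us.auth0.com
variable "auth0_client_id" { type = string }
variable "auth0_client_secret" {
  type      = string
  sensitive = true
}
# Org scope under global, plus a project scope that will hold the targets.
resource "boundary_scope" "org" {
  name                   = "home"
  scope_id               = "global"
  auto_create_admin_role = true
}

resource "boundary_scope" "project" {
  name     = "home-lab"
  scope_id = boundary_scope.org.id
}
# The issuer must match Auth0's discovery document exactly (note the trailing slash).
resource "boundary_auth_method_oidc" "auth0" {
  name                 = "auth0"
  scope_id             = boundary_scope.org.id
  issuer               = "https://${var.auth0_domain}/"
  client_id            = var.auth0_client_id
  client_secret        = var.auth0_client_secret
  signing_algorithms   = ["RS256"]
  api_url_prefix       = "https://boundary.example.com" # callback base registered in Auth0
  is_primary_for_scope = true # first OIDC login auto-creates the Boundary user
  state                = "active-public"
}

# Only logins whose ID token carries this email land in the group (and so in the role).
resource "boundary_managed_group" "family" {
  name           = "family"
  auth_method_id = boundary_auth_method_oidc.auth0.id
  filter         = "\"/token/email\" == \"dad@example.com\""
}

# Role in the project scope: list targets and start sessions, nothing else.
resource "boundary_role" "family_connect" {
  name          = "family-connect"
  scope_id      = boundary_scope.project.id
  principal_ids = [boundary_managed_group.family.id]
  grant_strings = [
    "type=target;actions=list",
    "ids=*;type=target;actions=authorize-session",
  ]
}
```

The Auth0 application must list https://boundary.example.com/v1/auth-methods/oidc:authenticate:callback as an allowed callback URL, and any Auth0 MFA policy applies before Boundary ever sees the ID token.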
Lessons of The Well Worn Path
In the end, Michael and his team decided to use a scaled-down version of the recommended high availability (HA) environment. This non-dev HA environment best served their needs after their extensive testing of the boundaries of Boundary. There’s a Boundary client, an application load balancer in front of the controllers, and access to your workers, which in turn gives you your session with your back-end application. Moving forward, they’re working on the EKS aspect of this, with the hope of adding a custom webpage in front of Vault. This would make it much more user-friendly. The pitfalls of the solution in place are that authentication solutions will likely increase cost. Using Auth0 with a basic MFA plan can surpass $100 monthly and scale rapidly from there. It also lacks the simplicity they set out for, and doesn’t come with the bells and whistles of common password managers, such as autofill and sharing. In the end, the quest continues, with a few lessons learned along the way. Michael’s father will likely resort to using an OpenVPN server with a Vault instance in a private subnet. The quick and easy solution is not as safe, but it works for now. Michael and his team have not given up on exploring what critical next steps can be taken toward a new and more secure form of password management.
You can catch the full presentation here: HashiTalks: Secure, starting at the 1:12:41 mark.