Lightweight Security Key Management
Use HashiCorp Vault to deploy and rotate pre-shared keys when using Connext with Built-in Lightweight Security Plugins
Introduction
RTI Connext 7.3.0 added long-term support for Built-in Lightweight Security Plugins, which provide a flexible security solution to devices with limited resources or fast startup requirements. Use of the Lightweight Plugins requires use of a pre-shared key. It is important to have a system to deploy, rotate and manage these keys across applications and devices.
What this Example Does
This Case + Code will outline how to use HashiCorp Vault® to manage the life cycle of your system’s pre-shared key seeds.
Building the Example
This guide assumes some familiarity with RTI Security Plugins. If you’re still getting started, here are some resources:
Creating a Secret & Configuring HashiCorp Vault
We’ll begin by creating a Secret that will be used as our PSK Seed for lightweight security in HashiCorp Vault. There are many ways to do this, as outlined in the HashiCorp Vault documentation here. For simplicity we’ll create one through the Web UI:
HashiCorp Vault uses key-value pairs to store Secrets. You can use OpenSSL to generate a random seed with the openssl rand -base64 32 command and copy the result from your terminal window into HashiCorp Vault. This will be used as the PSK seed.
This is also where you can rotate the PSK Seed through the web interface. If you want to automate this rotation – for example, by generating a new PSK Seed every hour – then you can use the HashiCorp Vault API (see the API call using cURL tab) to programmatically update the vault at a fixed interval by using a scheduler like cron.
Now that the pre-shared key seed that we want to use is in the vault, we need to create a policy that allows the pre-shared key seed to be read.
Lastly, you need to set up an authentication method that allows you to authenticate with Vault using the policy we just created. See the HashiCorp Vault documentation on how to do so here. Remember to take note of your RoleID & SecretID so that you can retrieve the Secret later on.
These policies and authentication methods are also how you control which clients can access the vault in case you need to revoke access.
Getting the Secret Onto Your Device
Now that we have finished configuring HashiCorp Vault, let’s get the Secret onto our machine so that the Connext applications can use it.
First, set your environment variables:

export VAULT_ADDR="<address to your vault instance>"
export VAULT_NAMESPACE="admin"

Then authenticate to Vault using AppRole and save the resulting client token so you can interact with the cluster:

export VAULT_TOKEN=$(curl -s --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
--request POST --data '{"role_id": "<your role id>", "secret_id": "<your secret id>"}' \
$VAULT_ADDR/v1/auth/approle/login | jq -r '.auth.client_token' )

Now we can use the HashiCorp Vault API to get the Secret:
curl -s --header "X-Vault-Token: $VAULT_TOKEN" --header "X-Vault-Namespace: $VAULT_NAMESPACE" $VAULT_ADDR/v1/secret/data/connext-lws-psk | jq -r .data.data.psk
To write the PSK seed to a file, append > psk.txt, like so:
curl -s --header "X-Vault-Token: $VAULT_TOKEN" --header "X-Vault-Namespace: $VAULT_NAMESPACE" $VAULT_ADDR/v1/secret/data/connext-lws-psk | jq -r .data.data.psk > psk.txt
Configuring Connext to Use the PSK Seed
Start by generating a basic publisher-subscriber example with rtiddsgen. There are two approaches you can take to configure the applications to use the PSK Seed: either by updating the dds.sec.crypto.rtps_psk_secret_passphrase programmatically, or through XML.
To use XML, add the following snippet to your QoS profile:

<domain_participant_qos>
    <property>
        <value>
            <element>
                <name>dds.sec.crypto.rtps_psk_secret_passphrase</name>
                <value>file:psk.txt</value>
            </element>
        </value>
    </property>
</domain_participant_qos>

For more information, refer to Chapter 6 - Cryptography and Chapter 16 - Pre-Shared Key Protection of the RTI Security Plugins User’s Manual.
Follow the steps in the generated README file to compile the example.
Running the Example
Follow the steps in the README file to run the examples. The applications will communicate using the pre-shared key in the file.
To update the PSK while applications are running, simply change the Secret in HashiCorp Vault, and use the previous instructions to update the text file containing the pre-shared key. By default, Connext will poll the file every 5 seconds to check for an updated key. To modify this, use the files_poll_interval property, described in Table 4.2.
To avoid saving the PSK Seed to a file, your application can instead perform the Vault API calls from the Getting the Secret Onto Your Device section directly during setup, and then set the QosPolicy property programmatically.
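The retrieval steps from the Getting the Secret Onto Your Device section and the file update described above, combined into one small agent. This is an added example, not code from RTI or HashiCorp; the KV v2 engine mount ("secret"), key name ("connext-lws-psk") and field name ("psk") mirror the curl commands above and are assumptions. Because Connext polls psk.txt every few seconds, the file is replaced with an atomic rename rather than overwritten in place, so a running application never reads a half-written seed.

```python
# Added example (not RTI or HashiCorp code): fetch the lightweight-security
# PSK seed from Vault and write psk.txt atomically. Engine, key and field
# names mirror the curl commands above and are assumptions.
import json
import os
import tempfile
import urllib.request

SECRET_PATH = "v1/secret/data/connext-lws-psk"  # KV v2 engine mounted at "secret"

def _vault_json(url, headers, body=None):
    """One Vault API call: POST when a JSON body is given, GET otherwise."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if body is not None else "GET",
                                 headers={**headers, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def token_from_login(login_response):
    """Same as jq -r '.auth.client_token' on the AppRole login reply."""
    return login_response["auth"]["client_token"]

def psk_from_secret(secret_response):
    """Same as jq -r .data.data.psk, but refuses a missing or empty seed instead
    of letting jq print "null" and silently handing Connext a bad key."""
    psk = secret_response["data"]["data"].get("psk")
    if not psk:
        raise ValueError("Vault returned no PSK seed")
    return psk

def fetch_psk(vault_addr, namespace, role_id, secret_id):
    """AppRole login, then KV v2 read; the client token never leaves this function."""
    ns = {"X-Vault-Namespace": namespace}
    login = _vault_json(f"{vault_addr}/v1/auth/approle/login", ns,
                        {"role_id": role_id, "secret_id": secret_id})
    headers = {**ns, "X-Vault-Token": token_from_login(login)}
    return psk_from_secret(_vault_json(f"{vault_addr}/{SECRET_PATH}", headers))

def write_psk_file(path, psk):
    """Write a 0600 temp file beside the target and rename over it: the rename is
    atomic, so Connext's poller sees the old or the new seed, never a partial one.
    Returns True only when the file contents actually changed."""
    if os.path.exists(path) and open(path).read() == psk:
        return False
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as f:
        f.write(psk)
    os.chmod(tmp, 0o600)
    os.replace(tmp, path)
    return True
```

Run it from cron at the same interval you rotate the Secret in Vault, e.g. `write_psk_file("psk.txt", fetch_psk(os.environ["VAULT_ADDR"], "admin", role_id, secret_id))`; the return value tells you whether a rotation actually reached the device.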
Summary
This Case + Code explains how to use HashiCorp Vault to manage the lifecycle of your system’s pre-shared key.
Next Steps
Post questions on the RTI Community Forum.
Check out more of the Connext product suite and learn how Connext can help you build your distributed system. If you haven't already, download the free trial.