Store secrets in a keystore

[tsg]

The Beats configuration files tend to contain a lot of credentials, which can be problematic if the configuration files are accidentally posted online or leaked in any other way. The Beats are already strict about the file permissions of their configuration file, refusing to start if the files are writable or readable by anyone else.

The next step in protecting these secrets is to store them in a separate binary keystore, where they are at least obfuscated (true encryption might be difficult to bootstrap).

We plan to follow the Elasticsearch model started in elastic/elasticsearch#22335. We aim to align as much as possible with ES at the user interface level, meaning similar commands to manage these key stores and a similar way of referencing them in the YAML files. The actual binary representation of the keystore might be different.

[ph]

I am starting to take a look at this issue.

[tylersmalley]

@ph, I almost have a PR ready for Kibana using AES 256 GCM. Let me know if you would like to chat.

[ph]

@tylersmalley Awesome is there is a link to that code anywhere?

[tylersmalley]

@ph Here is the WIP PR: elastic/kibana#14714

[ph]

Password Keystore

We are currently defining our secrets directly in our configuration or on the command line (-E), we want to allow users to securely store the data on disk and be able to reference it in either the configuration file or the command line. After the configuration file is parsed we will have access to the concrete unencrypted values, I think this is OK for the first iteration. We want to make sure we can define secrets without having to define them in plain text on disk.

There is two type of secrets that we need to take into consideration.

1. Static credentials, that will be always valid and never changes
2. Temporary credentials that can revoked or renewed (vault)

For the first iteration we will do 1.

Implementation notes

• Secret defined in the store will be merged on top of the configuration, following this priority:
  • Config YAML
  • KeyStore
  • Command line override -E
• We assume that we are loading a local file: data/keystore
• The password for the store wont be configurable in the first iteration
• check minimal permission/mask on the keystore file
• Managing secrets will be a beats subcommand keystore that we will wrap into a beat-keystore shell script.
  • create: creates a new keystore (Need to think about different key store provider)
  • list: list entries in the keystore
  • add: add a string in the keystore
  • remove: remove a settings from the keystore
• File backend will probably need a version number, we might change the structure so we will need to upgrade from the original format.
• First version doesn't allow to set a password on the keystore
• if possible provide flexibility for future backend
• PKCS12 format
• If the key exist in both yaml and the keystore we should error out, with a warning.

High level interaction with the store

keystore := NewKeystore("~/hola.keystore", "secret-password")
keystore.Store("elasticsearch.password", "abc1234")
keystore.Save() # persist?
secret = keystore.Retrieve("elasticsearch.password")
secret.Get() => "abc1234" # I prefer not returning the primitive because of string revokation/renewal that could done in a upcoming feature, also add guard to prevent serialization to log

Steps in other PRs

• Add support for user to set a password on the keystore

• Add support for entering password on boot

• Create a SecureString type that can be used by other part of the code to access credentials, but will prevent leak to the log and can also deal with password renewal.

• Allow to have template string:
  Lets take the example or the current credentials definition:

  output.elasticsearch:
    hosts: ["localhost:9200"]
    username: "elastic"
    password: "changeme"

  We would turn this definition into something like this:

  output.elasticsearch:
    hosts: ["localhost:9200"]
    username: "elastic"
    password: %{keystore:output.elasticsearch.password}

Open questions

• Do we need to restrict who can access the store? Module A vs Module B

---

Implementation references:

Kibana:

• Adds keystore for storing settings kibana#14714

Logstash:
elastic/logstash#6892

Elasticsearch:

• Add infrastructure for elasticsearch keystore elasticsearch#22335
• https://www.elastic.co/guide/en/elasticsearch/reference/5.5/secure-settings.html
• Secure Settings elasticsearch#22475

---

@urso I think this is the high level summary of our discussion on that feature.

[ph]

forgot to ping you on this @joshbressers ^

[joshbressers]

This looks good to me. To answer your question, I wouldn't worry about restricting access to keystores. If admins want this functionality they should be running separate processes with different permissions.

[ph]

@tsg @urso Concerning the syntax in the configuration file, I've made a conscious choice to use % instead of $, to make sure we can distinct the keystore values vs the environment variables

We could also normalize the syntax for 7.X to allow user to define environment variable using the env prefix.

%{env:NAME:beats}

[tylersmalley]

Is there a reason for requiring the YAML file to reference values from the keystore? In Elasticsearch, adding a setting can either be persisted either in the elasticsearch.yml or the Keystore. I want to make sure we don't diverge too much from app-to-app.

[ph]

@tylersmalley You are right, the integration diverge from ES and your implementation, I need to give it some thoughts. We could certainly do the same things, I am a little worried about the flexibility in our context.

This doesn't change the underlying structure to keep the secret only the integration in our products.

[ph]

@tylersmalley after looking at the code we can do it the same way, it will be similar to our current behavior on -E, we can always add the parsing of theses template tag later.

[joshbressers]

I sort of like the template tag idea. I'd love to see the ability to also grab secrets from vault or some other system in the future for example.