Vault is a tool for securely accessing secrets like API keys and passwords. It allows for [1] generating short-term credentials to access services like AWS, [2] easy revocation of credentials, and [3] auditing of secret access. Vault uses a seal/unseal process where secrets are encrypted at rest, and a threshold of key shares is required to unseal. The document discusses best practices like using tokens for authentication, safeguarding storage backends, and setting up high availability.
5. Vault Initial Working [CLI]
$ vault server -dev
$ vault init -key-shares=1 -key-threshold=1
$ vault unseal 69b6b254c098496eee6c6eb5d6f3aa414f66327fabf123bd4f1018a3f133b8d6
$ vault auth 10f7b1c0-f7cf-b466-c7ca-d2be9c6a442b
$ vault audit-enable file file_path=/var/log/vault/audit.log
$ vault write secret/hello value=world
$ vault read secret/hello
$ vault seal
$ vault write secret/hello value=world
Error writing data to secret/hello: Error making API request.
URL: PUT http://127.0.0.1:47876/v1/secret/hello
Code: 503. Errors:
* Vault is sealed
$ vault read secret/hello
Error reading secret/hello: Error making API request.
URL: GET http://127.0.0.1:47876/v1/secret/hello
Code: 503. Errors:
* Vault is sealed
6. App and Vault
• Always Sealed Approach
• Always keep Vault unsealed, and seal it if a threat is realised
• Suggested by Vault
• Always Unsealed Approach
• App deployment / reload
• Reload waits for the unsealed Vault state
• Release engineer (automation) unseals Vault
• Automated re-sealing via app/release script.
7. Secure Distribution of Keys
• Most vulnerable at key generation.
• Encrypt keys with the OpenPGP standard
• $ vault init -key-shares=3 -key-threshold=2 -pgp-keys="keybase:a,keybase:b,keybase:c"
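As an added example (not from the slides and not Vault's own code), a minimal Shamir split over a prime field showing the 3-share / 2-threshold setup from the command above: any two shares recover the master key, while one share on its own is useless. PRIME, the function names and the unseal() helper are assumptions for this illustration; Vault's real implementation splits byte-wise over GF(2^8), but the threshold semantics are the same.

```python
import secrets

# Field modulus: a Mersenne prime large enough to hold a 32-byte master key.
# Constructed for this example; Vault itself works byte-wise over GF(2^8).
PRIME = 2**521 - 1


def split_secret(secret, shares, threshold, rng=secrets.randbelow):
    """Split an integer secret into `shares` points on a random polynomial of
    degree threshold-1, so any `threshold` of them reconstruct it."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):  # never evaluate at x=0: that is the secret
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange interpolation at x=0. Given fewer than `threshold` points this
    still returns a number, but one unrelated to the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def unseal(submitted, threshold):
    """Mimic Vault's unseal loop: refuse to interpolate until `threshold`
    distinct shares are in hand, so a partial set never yields a bogus key."""
    distinct = dict(submitted)  # the same share entered twice counts once
    if len(distinct) < threshold:
        return None  # still sealed; Vault would report progress n/threshold
    return recover_secret(list(distinct.items())[:threshold])


def demo():
    """3 shares / threshold 2 on a constructed 32-byte master key."""
    master = int.from_bytes(b"constructed-32-byte-master-key!!", "big")
    shares = split_secret(master, shares=3, threshold=2)
    assert unseal(shares[:1], 2) is None  # one key holder: still sealed
    assert unseal([shares[0], shares[2]], 2) == master  # any two: unsealed
    return True
```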
8. Best Practices
• Use tokens for authentication. It's the only inbuilt ACL
• Use the Cubbyhole storage backend. Custom backends are not pluggable yet
• Safeguard the storage backend
• Use encrypted AWS EBS with AWS KMS
9. High Availability
• Vault supports a cluster setup.
• Use a high-availability backend such as Consul or MySQL HA.
10. Outside Vault Threat Model
• Algorithm and protocol vulnerabilities: Shamir's, HTTP(S)
• 3rd-party storage backends do not contribute to security
• Instance and OS vulnerabilities.