In modern scenarios, we want to secure our systems as much as possible. We don’t want to store secret keys and certificates in the system or in configuration files. We need a place where we can keep our secrets more securely and access them securely whenever we need them. For that we can use Vault.
Vault is a secure place to store the secrets, passwords, tokens and API keys of a system, with control over who can access them. It provides security by encrypting the keys.
2. Our Agenda
01 Why HashiCorp Vault?
02 Features of HashiCorp Vault
03 Working of HashiCorp Vault
04 HashiCorp Vault Architecture
05 How is HashiCorp Vault different from others?
06 Demo
3. Why Vault?
Vault is a secure place to store the secrets, passwords, tokens and API keys of a system, with control over who can access them. It provides security by encrypting the keys.
Traditional way to store secrets / static infrastructure
● High-trust networks
● A clear network perimeter
● Security enforced by IP address
Vault way to store secrets / dynamic infrastructure
● Low-trust networks in public clouds
● Unknown network perimeter across clouds
● Security enforced by identity
4. Features of Vault
● Secure Secret Storage
● Dynamic Secrets
● Data Encryption
● Leasing and Renewal
● Revocation
7. Vault Architecture
● Storage Backend - A storage backend is responsible for durable storage of encrypted data. The storage backend is configured when starting the Vault server.
● Barrier - The barrier is the cryptographic steel and concrete around the Vault.
● Secrets Engine - A secrets engine is responsible for managing secrets.
● Audit Device - An audit device is responsible for managing audit logs.
● Auth Method - An auth method is used to authenticate users or applications which are connecting to Vault.
● Client Token - A client token is conceptually similar to a session cookie on a web site; it is issued once a user authenticates.
● Secret - A secret is the term for anything returned by Vault which contains confidential or cryptographic material.
● Server - Vault depends on a long-running instance which operates as a server.
8. Vault Security
● Vault doesn’t trust the connection between client and server.
● Clients use TLS to verify the identity of the server and to establish a secure communication channel.
● Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM) with 96-bit nonces.
● Once unsealed, the standard ACL mechanisms are used for all requests.
● If Vault could be unsealed with a single master key, anyone holding that key could access the entire Vault. Shamir’s secret-sharing technique therefore allows the master key to be split into multiple shares or parts.
● The number of shares and the threshold needed are configurable, but by default Vault generates 5 shares, any 3 of which must be provided to reconstruct the master key.
9. How is Vault different from others?
There are many other options in the industry, like Chef, Puppet, HSMs, Dropbox, Consul, Amazon KMS, Keywhiz and custom solutions. Let’s see how Vault differs from those:
● Vault is not tied to any configuration management system. We can read data via configuration or directly via the API.
● Vault encrypts keys at the physical storage location, so multiple keys are needed to read the secrets.
● We cannot access Vault until we unseal it.
● Vault audit-logs each and every interaction.
● Access tokens can be given fine-grained control over which secrets can be accessed.
● Vault can create dynamic secrets.
● Vault provides higher-level policy management.
● Vault forces a mandatory lease contract with clients. All secrets read from Vault have an associated lease, which enables operators to audit key usage, perform key rolling, and ensure automatic revocation.
10. Start server in dev mode
● Start the server in dev mode:
vault server -dev
● Dev mode starts already unsealed.
● We can run the seal and unseal commands to exercise the seal/unseal functionality:
vault operator seal
vault operator unseal
● Vault stores data in memory.
● Default server address is 127.0.0.1:8200, without any TLS.
● Store the root access token.
11. Why is Seal/Unseal required?
Vault stores data in encrypted form, and needs the encryption key in order to decrypt that data. The encryption key is also stored with the data, but encrypted with another key known as the master key. The master key isn’t stored anywhere.
Therefore, to decrypt the data, Vault must first decrypt the encryption key, which requires the master key. Unsealing is the process of reconstructing this master key.
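As an added example (not HashiCorp’s code and not part of the original deck), the following toy model ties together the Shamir split described under Vault Security and the keyring model described here: the storage backend holds only ciphertext, the encryption key is persisted only wrapped under a master key, and the master key exists only as 5 Shamir shares with a threshold of 3. The `split_secret`, `recover_secret` and `ToyVault` names are this example’s own, and the HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a standard-library stand-in for the AES-256-GCM barrier cipher so the example runs without extra packages.

```python
"""Toy model of Vault's barrier: data is encrypted with an encryption key, that key is
stored wrapped under a master key, and the master key exists only as Shamir shares
(5 shares, threshold 3, the page's defaults). Constructed example, not HashiCorp's code."""
import hashlib
import hmac
import os
import secrets

P = 2**521 - 1  # Mersenne prime; every 32-byte key is an element of this field
KEY_LEN = 32


def split_secret(secret: bytes, shares: int = 5, threshold: int = 3):
    """Evaluate a random degree (threshold-1) polynomial with constant term `secret`."""
    coeffs = [int.from_bytes(secret, "big")] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in range(1, shares + 1)]


def recover_secret(shares, length: int = KEY_LEN) -> bytes:
    """Lagrange interpolation at x = 0. Too few or inconsistent shares give a random
    field element, which is almost always too large to be a key and is rejected here."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * -xj % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    if total >= 256 ** length:
        raise ValueError("shares do not reconstruct a valid key")
    return total.to_bytes(length, "big")


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stdlib stand-in for AES-256-GCM: HMAC-SHA256 counter mode, then a MAC over nonce||ct."""
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyVault:
    """The storage backend holds only ciphertext; the barrier key is in memory only while unsealed."""

    def __init__(self, shares: int = 5, threshold: int = 3):
        master_key = secrets.token_bytes(KEY_LEN)
        encryption_key = secrets.token_bytes(KEY_LEN)
        # The encryption key is persisted, but only wrapped under the master key.
        self.storage = {"core/keyring": encrypt(master_key, encryption_key)}
        self.unseal_keys = split_secret(master_key, shares, threshold)  # given to key holders
        self.threshold = threshold
        self._barrier_key = None  # None means sealed; the master key itself is never stored
        self._progress = []

    @property
    def sealed(self) -> bool:
        return self._barrier_key is None

    def unseal(self, share) -> bool:
        """Submit one share; returns True once `threshold` consistent shares have been seen."""
        if not self.sealed:
            return True
        if share not in self._progress:
            self._progress.append(share)
        if len(self._progress) < self.threshold:
            return False
        submitted, self._progress = self._progress, []  # progress resets either way
        try:
            self._barrier_key = decrypt(recover_secret(submitted), self.storage["core/keyring"])
        except ValueError as exc:
            raise ValueError(f"unseal failed: {exc}") from None
        return True

    def seal(self) -> None:
        self._barrier_key, self._progress = None, []

    def write(self, path: str, value: bytes) -> None:
        if self.sealed:
            raise RuntimeError("Vault is sealed")
        self.storage[path] = encrypt(self._barrier_key, value)

    def read(self, path: str) -> bytes:
        if self.sealed:
            raise RuntimeError("Vault is sealed")
        return decrypt(self._barrier_key, self.storage[path])
```

Note how any 3 of the 5 shares reconstruct the master key, how a wrong share makes the whole attempt fail and resets the unseal progress, and how neither the master key nor the barrier key is ever written to `storage`. A real deployment hands the shares to separate key holders; the dev server described above skips all of this by starting already unsealed.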