What is hashicorp vault?
It's a cloud-agnostic secrets management system.
API-driven
It allows you to safely store and manage sensitive data in hybrid cloud environments
Used to generate dynamic short-lived credentials, or encrypt application data on the fly.
What is a secret?
Usernames and passwords
Certificates
SSH Keys
API keys
Encryption keys
What problems does vault solve?
Secrets sprawl
Below are some common places where secrets get stored:
On a developer's computer in excel or notepad files
Hard-coded into the source code.
On a sticky note under an engineer's keyboard
In a version control system such as GitHub and sometimes exposed publicly.
Vault use cases
Secrets management
- Centrally store, access, and distribute secrets.
Encrypting application data
- Keep application data secure with centralized key management
Identity-based Access
- Authenticate and access different clouds, systems, and endpoints using trusted identities.
Secret management
KV Secrets Engine
The idea is to share between the client and the vault. (A client could be a person, user, or application)
The client makes a call to the vault with a specific path(In the vault everything is path based)
Vault checks its policy for authorizing the client to share the secrets.
Encrypting Application Data
Vault provides an EAAS(Encryption as a service), also called a transit secrets engine inside the vault.
So after encrypting the application data using a vault, now the web server can use or store that data in a database for the next use cases.
Vault will not store data, only pass it back to requesting client.
Basic Vault CLI commands
Vault by itself will give you a list of many Vault CLI commands.(starts with common ones)
$ vault $ vault version # tells the version of vault $ vault read # used to read secrets from vault $ vault write #used to write secrets to vault $ vault write -h # -h, -help and --help flags can be added to get help for any vault CLI command.
Vault Server Modes
Vault servers can be run in two different modes:
Dev mode that is only intended for development.
It's not secure
It stores everything in memory
The vault is automatically unsealed
The root token can be specified before launching
$ vault server -dev -h # for help on this command $ vault server -dev -dev-root-token-id=root # checking the status of our vault server $ vault status
Never store actual secrets on a server run in "Dev" mode.
Prod mode that can be used in QA and production
Interacting with vault
$ vault kv -h
Adding secrets:
$ vault kv put secret/foo bar=baz
updating the secret
$ vault kv put secret/foo bar=baz hello=world # now you will see version=2
Reading the secret
$ vault kv get secret/foo # we will get the latest version
Deleting a secret
$ vault kv delete secret/foo # secret latest version will be deleted for specific version deletion use this flag $ vault kv delete -versions=2 secret/foo # for storing back our secret use this command $ vault kv undelete -versions=2 secret/foo
Destroying the secret permanently
$ vault kv destroy -versions=2 secret/foo
Seal and unseal concept
Vault starts up in a sealed state.
Vault can access the physical storage, but can't decrypt it.
No operations are possible with the vault except to unseal the vault and check its status of the vault.
Vault data is encrypted using the encryption key in the keyring; the keyring is encrypted by the master key; and the master key is encrypted by the unsealed key.