HashiCorp
VAULT

What is Vault

Vault is a tool for securely accessing secrets.


A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates.


Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.


Written in Go; ships as a single binary file.


Open Source - Enterprise - Enterprise Modules

https://www.hashicorp.com/products/vault/enterprise

Features

  • Secure Secret Storage: Arbitrary key/value secrets can be stored in Vault. Vault encrypts these secrets prior to writing them to persistent storage, so gaining access to the raw storage isn't enough to access your secrets. Vault can write to disk, Consul, and more.

  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and Vault will generate an AWS keypair with valid permissions on demand. After creating these dynamic secrets, Vault will also automatically revoke them after the lease is up.

  • Data Encryption: Vault can encrypt and decrypt data without storing it. This allows security teams to define encryption parameters and developers to store encrypted data in a location such as SQL without having to design their own encryption methods.

  • Leasing and Renewal: All secrets in Vault have a lease associated with them. At the end of the lease, Vault will automatically revoke that secret. Clients are able to renew leases via built-in renew APIs.

  • Revocation: Vault has built-in support for secret revocation. Vault can revoke not only single secrets, but a tree of secrets, for example all secrets read by a specific user, or all secrets of a particular type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
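The encrypt-before-storage behaviour of the first bullet, using the cipher the Vault Architecture section names (AES-256-GCM with 96-bit nonces), as an added Go example; this is not Vault's own code, and binding the storage path as associated data is this example's assumption rather than Vault's on-disk format:

```go
// Added example, not Vault's own code: encrypt an entry the way the barrier does
// before it reaches the storage backend (AES-256-GCM, random 96-bit nonce).
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

const nonceSize = 12 // 96-bit nonce, as the barrier uses

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // AES-256 only: reject AES-128/192 keys
		return nil, errors.New("barrier key must be 256 bits")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCMWithNonceSize(block, nonceSize)
}

// Seal returns nonce || ciphertext || 16-byte GCM tag. The storage path is
// bound as additional authenticated data (this example's assumption, not
// Vault's on-disk format), so an entry copied to another path will not open.
func Seal(key []byte, path string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(path)), nil
}

// Open reverses Seal; any bit flip in nonce, ciphertext, tag or path fails.
func Open(key []byte, path string, stored []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < nonceSize+gcm.Overhead() {
		return nil, errors.New("stored entry too short")
	}
	return gcm.Open(nil, stored[:nonceSize], stored[nonceSize:], []byte(path))
}
```

Someone who copies the raw storage gets only nonce, ciphertext and tag; without the barrier key Open fails, and any modification of the stored bytes is rejected by the GCM tag check.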

Use cases

General Secret Storage

At a bare minimum, Vault can be used for the storage of any secrets. For example, Vault would be a fantastic way to store sensitive environment variables, database credentials, API keys, etc.

Employee Credential Storage

While this overlaps with "General Secret Storage", Vault is a good mechanism for storing credentials that employees share to access web services. The audit log mechanism lets you know what secrets an employee accessed, and when an employee leaves, it is easier to roll keys and understand which keys have and haven't been rolled.

API Key Generation for Scripts

The "dynamic secrets" feature of Vault is ideal for scripts: an AWS access key can be generated for the duration of a script, then revoked. The keypair will not exist before or after the script runs, and the creation of the keys is completely logged.

Data Encryption

In addition to being able to store secrets, Vault can be used to encrypt/decrypt data that is stored elsewhere. The primary use of this is to allow applications to encrypt their data while still storing it in the primary data store.

SRE Use cases

General Secret Storage

At a bare minimum, Vault can be used for the storage of any secrets. For example, Vault would be a fantastic way to store sensitive environment variables, database credentials, API keys, etc.

Credentials for SSH servers

CA key server that signs SSH certificate keys, with revocation

API Key Generation for Scripts

The "dynamic secrets" feature of Vault is ideal for scripts:
Infrastructure as code

  • Storage Backend - A storage backend is responsible for durable storage of encrypted data. The storage backend is configured when starting the Vault server (Consul)
  • Barrier - The barrier is cryptographic steel and concrete around the Vault.
  • Path Routing - Everything is a path.
  • Secrets Engine - A secrets engine is responsible for managing secrets: read/write/delete/list
  • Auth Method - Used to authenticate users or applications which are connecting to Vault (e.g. GitHub)
  • Audit Device - An audit device is responsible for managing audit logs.
  • Client Token - A client token is conceptually similar to a session cookie on a web site; it is issued once a user authenticates.
  • Secret - A secret is the term for anything returned by Vault which contains confidential or cryptographic material (KV + SSH + AWS)
  • Server - Vault depends on a long-running instance which operates as a server (Cluster)

Vault Architecture

  • Vault uses a security barrier for all requests made to the backend.
    The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces.
  • Seal/Unseal: if Vault is unsealed via a single master key, anyone holding that key can access the entire Vault. Shamir's secret sharing lets us split the master key into multiple shares (parts).
    https://www.vaultproject.io/docs/concepts/seal.html
  • Once unsealed, the standard ACL mechanisms are used for all requests (fine-grained privileges).
    https://learn.hashicorp.com/vault/getting-started/policies
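The master-key split behind Seal/Unseal, as an added Go example rather than Vault's own implementation: Shamir's scheme over GF(2^8), where share i takes x = i+1; the example assumes 2 <= threshold <= n <= 255 and does no argument validation.

```go
// Shamir secret sharing over GF(2^8), written for this example (not Vault's own code).
package main

import "crypto/rand"

func gfMul(a, b byte) (p byte) { // multiply in GF(2^8), AES polynomial 0x11b
	for ; b > 0; b >>= 1 {
		p ^= a * (b & 1)             // add a when the current bit of b is set
		a = a<<1 ^ byte(0x1b*(a>>7)) // multiply a by x and reduce mod 0x11b
	}
	return
}

// Split hides each key byte as the constant term of a random polynomial of
// degree threshold-1; share i holds the polynomial's values at x = i+1.
func Split(secret []byte, n, threshold int) [][]byte {
	shares, coef := make([][]byte, n), make([]byte, threshold)
	for _, s := range secret {
		rand.Read(coef[1:]) // fresh random higher-order coefficients per byte
		coef[0] = s
		for i := range shares {
			y := byte(0)
			for j := threshold - 1; j >= 0; j-- { // Horner evaluation at x
				y = gfMul(y, byte(i+1)) ^ coef[j]
			}
			shares[i] = append(shares[i], y)
		}
	}
	return shares
}

// Combine interpolates at x=0 from any >= threshold shares and their x values.
func Combine(xs []byte, ys [][]byte) []byte {
	secret := make([]byte, len(ys[0]))
	for i, xi := range xs {
		num, den := byte(1), byte(1) // L_i(0) = prod_{j!=i} x_j / (x_i ^ x_j)
		for j, xj := range xs {
			if i != j {
				num, den = gfMul(num, xj), gfMul(den, xi^xj)
			}
		}
		for e := 0; e < 254; e++ { // num/den == num * den^254, as den^255 == 1
			num = gfMul(num, den)
		}
		for k := range secret {
			secret[k] ^= gfMul(ys[i][k], num)
		}
	}
	return secret
}
```

Any threshold of the shares, passed to Combine together with their x values, rebuilds the key; fewer shares interpolate to an unrelated value, which is why a single stolen share is useless on its own.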

Vault Security

There are many other options in the industry, such as Chef, Puppet, HSMs, Dropbox, Consul, Amazon KMS, Keywhiz and custom solutions.

  • Vault is not tied to any configuration management system; data can be read through configuration management or directly via the API.
  • Vault encrypts data at its physical storage location, and multiple keys are needed before the secrets can be read.
  • Vault cannot be accessed until it is unsealed.
  • Vault audits each and every interaction.
  • Access tokens can be given fine-grained control over what secrets can be accessed.
  • Vault can create dynamic secrets.
  • Vault provides higher-level policy management.
  • Vault forces a mandatory lease contract with clients. All secrets read from Vault have an associated lease, which enables operators to audit key usage, perform key rolling, and ensure automatic revocation.

Vault and Other Secret Systems

Access & use Vault

https://github.com/hashicorp/vault-ruby
gem install vault


https://www.npmjs.com/package/node-vault
npm install node-vault


https://docs.ansible.com/ansible/latest/plugins/lookup/hashi_vault.html
Ansible lookup plugin to retrieve secrets from HashiCorp Vault


# curl ${VAULT_ADDR}/v1/sys/init
{"initialized":true}


http://18.222.11.11:8200/ui/

our UI (restricted access)


brew install vault

CLI

Continue with Vault

Learn Vault

https://learn.hashicorp.com/vault/



Store Secret using Hashicorp Vault

https://www.katacoda.com/courses/docker-production/vault-secrets

katacoda course 20 minutes


HashiCorp VAULT

By Rodolfo Pilas
