Introduction to Vault
HashiCorp’s Vault is a very popular tool for managing secrets securely. Before looking at Vault itself, we first need to understand what secrets are and why they need to be stored securely. A secret is anything used for authentication or authorization: usernames, passwords, DB credentials, API keys, and so on. The problem with secrets is managing them securely.
Let us look at the problem in more depth.
Consider an e-commerce application which needs to interact with a database. It obviously requires DB credentials for that. The simplest way to provide these credentials to the application is to store them in a configuration file and load them at startup. The problem is that this sensitive information is then stored in plain text as part of our code, and anyone with access to our code can see and use it. A better approach is to store this information in encrypted form. But we still need a decryption key in order to decrypt and use it, so the problem remains the same: where should we store this decryption key?
There is also the “secret sprawl” problem: the same secrets end up present at multiple places, such as our source code, properties files and the version control system. Secrets that are hard-coded are also difficult to rotate. If these secrets are in the VCS, anyone with access can see them, and we cannot know who has used them or whether they have been used at all. This is where Vault comes to the rescue: it deals with all these problems and hence manages secrets efficiently and securely.
Key features of Vault:
- Centralized, Encrypted Storage:
Vault solves the secret sprawl problem by centralizing the secrets, i.e. all secrets are now stored inside Vault instead of in the source code, properties files or the version control system. It also protects them by storing them in encrypted form and by encrypting them in transit between Vault and the application. Whenever we store a new secret in Vault, it first encrypts it and then stores it; the decryption key is in turn protected by a master key. This master key is not stored anywhere in Vault and is returned to the user in parts. You need to provide a threshold number of these parts to Vault in order to unseal it, and if you cannot, your secrets are lost forever. In this way, even Vault itself cannot access your secrets.
- Audit Control:
Vault keeps your secrets safe, but your application might not. Applications log the details of everything that happens, and in the process they may also log the secrets, which are then exposed: anyone with access to the log files can misuse them. Vault provides audit control for this purpose: it audits every use of a secret by each application and uniquely identifies which application used which secret and when. So if any secret is compromised, instead of bringing down all the applications, you can identify the point of compromise and shut down only that application.
- Dynamic Secrets:
Vault provides dynamic secrets. Instead of long-lived secrets, it issues short-lived credentials to applications, created dynamically on request. In the case of a compromise, this reduces the window of exposure. Each credential is unique to the service, so we can tell which service’s credentials were compromised.
- Encryption as a Service:
It is very difficult for applications to implement cryptographic algorithms correctly. Hence, Vault offers encryption of ordinary application data as a service, so that applications can focus on the business logic of the service.
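The threshold unseal described under the key features above (master key returned in parts, a threshold of which is needed to unseal) is Shamir's Secret Sharing. The following is an added illustration, not Vault's own code: Vault splits the key byte-wise over GF(2^8), while this version works over one large prime field for clarity, with the same 5 shares / threshold 3 that `vault operator init` uses by default.

```python
import secrets

# 521-bit Mersenne prime: a 256-bit key fits in one field element. (Vault itself
# splits the key byte-wise over GF(2^8); a prime field is used here for clarity.)
PRIME = 2**521 - 1

def _eval_poly(coeffs, x):
    """Evaluate the polynomial (constant term first) at x, modulo PRIME."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result

def split_secret(secret, shares, threshold):
    """Split `secret` into `shares` points; any `threshold` of them recover it.

    This mirrors `vault operator init -key-shares=5 -key-threshold=3`: the
    constant term of a random degree (threshold-1) polynomial is the secret.
    """
    if not 1 <= threshold <= shares or not 0 <= secret < PRIME:
        raise ValueError("bad parameters")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]

def recover_secret(points):
    """Lagrange-interpolate the polynomial at x=0 from the supplied points.

    With fewer than `threshold` points this yields an unrelated value, which is
    the whole point: a minority of key holders learns nothing about the key.
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def demo():
    """Constructed sample: a random 256-bit master key, 5 shares, threshold 3."""
    master_key = int.from_bytes(secrets.token_bytes(32), "big")
    shares = split_secret(master_key, shares=5, threshold=3)
    unsealed = recover_secret(shares[1:4]) == master_key   # any 3 shares: works
    too_few = recover_secret(shares[:2]) == master_key     # only 2 shares: fails
    return unsealed and not too_few
```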