Vault
Why use Vault
HashiCorp Vault helps organizations implement a complete security lifecycle management system. Vault allows you to store, manage, and retrieve secrets; generate on-demand credentials for common platforms such as Amazon Web Services, Google Cloud Platform, Kubernetes, and Microsoft Azure; manage common Public Key Infrastructure (PKI) workflows; and encrypt data for applications in transit and at rest.
In this set of tutorials, you will follow the HashiCups organization as they investigate their need for a security lifecycle management solution. You will implement a proof of concept to understand why you should use Vault.
This collection is designed to help you learn Vault and apply various concepts to your environment. If you are already familiar with what Vault can do, use the left navigation menu to go to any of the other tutorials to learn more about specific features.
Scenario
HashiCups produces and sells its coffee cups both at retail locations and through its online store, which supports a web application and a mobile application. There is concern at HashiCups over the rise in security attacks. The platform team is working together to enhance the security posture of its multi-cloud environment and its various applications, to ensure that customers' personal information is secure from attacks. They have gathered their requirements to help identify potential solutions.
Armon from HashiCorp comes to give an introduction to Vault.
The CTO and CISO have presented the following business and technical requirements to the engineering teams:
- Encrypt all customer data in transit and at rest.
- Restrict access to cloud environments to only those people or services that require access to operate the business.
- Time box access to the cloud environments.
- Allow teams to securely store API keys, passwords, certificates, etc.
- Any new solution must have disaster recovery support.
- Ability to scale any new solution to meet increased business demand.
- Not isolated to any specific cloud service provider.
The team has several groups who will work together on reviewing potential solutions and later implementing the selected solution(s).
Alice leads the engineering architect teams. The architect teams:
- Understand system, resource, and connectivity requirements for all users and applications
- Identify supported services within the solution that other users and systems will use to authenticate
- Compare and contrast features and functions available in any proposed solution
- Design implementation process, including support for high availability, disaster recovery, observability, and support runbooks
- Create as-built documentation to hand off to other teams
Challenges you can solve with Vault
You can use Vault to secure, store, and control access to tokens, passwords, certificates, and encryption keys for protecting secrets and other sensitive data.
HashiCorp reviews each business and technical challenge faced by HashiCups, and shows how Vault can help solve them.
Data encryption
At HashiCups, all customer data must be encrypted at rest and in transit.
The platform team can use Vault secrets engines to meet these challenges.
Secrets engines solve for a range of challenges around encryption of data at rest, in transit, and generated from external systems like database servers.
To handle encryption of data at rest, the team can use the versioned key/value (kv) secrets engine. Data is stored as key/value pairs and encrypted within the configured physical storage for Vault.
An instance of the versioned kv secrets engine can retain a configurable number of secret versions. This enables retrieving the data from older secret versions in case of unwanted deletion or updates of the data. In addition, its check-and-set (CAS) operations can be used to protect the data from being overwritten unintentionally.
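To make the version-retention and check-and-set behaviour concrete, here is an added example (not Vault's own code) that models the KV v2 semantics described above: a configurable number of retained versions, and CAS writes that refuse to overwrite a version the caller has not seen. The path and secret values are constructed for the HashiCups scenario; the real engine enforces these rules server-side.

```python
class CasError(Exception):
    """Raised when a write's cas value does not match the current version."""


class VersionedKV:
    """Model of a KV v2 mount: per-path version history plus check-and-set."""

    def __init__(self, max_versions=10, cas_required=False):
        self.max_versions = max_versions    # versions retained per path (engine default is 10)
        self.cas_required = cas_required    # when True, every write must carry a cas value
        self._store = {}                    # path -> {version_number: data}

    def current_version(self, path):
        versions = self._store.get(path)
        return max(versions) if versions else 0

    def put(self, path, data, cas=None):
        """Write a new version. cas=0 means 'only if nothing exists yet';
        cas=N means 'only if the current version is N'; None is unconditional."""
        current = self.current_version(path)
        if cas is None:
            if self.cas_required:
                raise CasError("check-and-set parameter required for this call")
        elif cas != current:
            raise CasError(f"check-and-set parameter did not match the current version ({current})")
        versions = self._store.setdefault(path, {})
        new_version = current + 1
        versions[new_version] = dict(data)
        # Retention: once more than max_versions exist, the oldest ones are dropped.
        while len(versions) > self.max_versions:
            del versions[min(versions)]
        return new_version

    def get(self, path, version=None):
        """Return one version (latest by default); None if never written or already pruned."""
        versions = self._store.get(path, {})
        if not versions:
            return None
        return versions.get(max(versions) if version is None else version)


def demo():
    # Constructed sample data for the HashiCups scenario.
    kv = VersionedKV(max_versions=3)
    kv.put("hashicups/db", {"password": "v1"}, cas=0)        # create only
    kv.put("hashicups/db", {"password": "v2"}, cas=1)        # expects version 1
    try:
        kv.put("hashicups/db", {"password": "stale"}, cas=1) # writer with a stale view
    except CasError:
        pass                                                 # refused: nothing overwritten
    kv.put("hashicups/db", {"password": "v3"})               # unconditional update
    kv.put("hashicups/db", {"password": "v4"}, cas=3)        # version 1 falls out of retention
    return kv
```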
To encrypt data in transit, the team can use the aptly named transit secrets engine. You can think of the transit secrets engine as a form of "encryption as a service". While it handles cryptographic functions on data in-transit, it does not store any data sent to the secrets engine.
Access control
Restricting access to cloud environments to just those people or services that require access to operate the business is critical to operations at HashiCups.
Vault provides a rich collection of access control capabilities, including access control list policies (ACL policies), control groups, and Sentinel policies.
In addition to policies, Vault can also manage dynamic credentials for their cloud environments, eliminating the need for long-lived static credentials.
- ACL policies provide a declarative way to grant or forbid access to certain paths and operations in Vault.
- Control groups add additional required authorization factors which must be met before Vault satisfies a request.
- Sentinel policies enable sophisticated logic for enhanced access control in the form of Role Governing Policies (RGP) tied to particular tokens, Identity entities, or Identity groups, and Endpoint Governing Policies (EGP), which are tied to particular paths instead of tokens.
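The following added example (not Vault's own code) is a simplified model of how ACL policy rules decide a request: access is denied by default, an exact path match outranks a glob (`*` suffix) match, the longest matching glob wins, and an explicit `deny` capability overrides any grant for that path when policies attached to one token are merged. The policy contents are constructed for the HashiCups scenario.

```python
def merge_policies(*policies):
    """Merge the policies attached to a token: identical paths union their
    capabilities, except that an explicit deny wins for that path."""
    merged = {}
    for policy in policies:
        for path, caps in policy.items():
            merged.setdefault(path, set()).update(caps)
    return {p: ({"deny"} if "deny" in c else c) for p, c in merged.items()}


def matching_rule(rules, request_path):
    """Exact match first; otherwise the glob rule with the longest prefix."""
    if request_path in rules:
        return rules[request_path]
    best = None
    for path, caps in rules.items():
        if path.endswith("*") and request_path.startswith(path[:-1]):
            if best is None or len(path) > len(best[0]):
                best = (path, caps)
    return best[1] if best else None


def is_allowed(rules, request_path, capability):
    """Default deny: no matching rule, or a deny rule, means the request fails."""
    caps = matching_rule(rules, request_path)
    return caps is not None and "deny" not in caps and capability in caps


# Constructed policies for the HashiCups platform team.
PLATFORM_TEAM = {
    "secret/data/hashicups/*": {"create", "read", "update", "delete", "list"},
    "secret/data/hashicups/prod/*": {"read"},          # prod is read-only for this team
    "transit/encrypt/hashicups-orders": {"update"},     # encrypt, but no decrypt path granted
}
AUDIT_LOCKDOWN = {
    "secret/data/hashicups/prod/payments": {"deny"},    # deny overrides the read grant above
}
```

Because `secret/data/hashicups/prod/*` is the longer matching glob, a write to a prod secret is refused even though the broader rule grants `update`, and the exact-path `deny` closes off the payments secret entirely.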
Time boxed access
In keeping with the best practice of limiting secret lifetimes, the platform team requires time boxed access to their cloud environments.
Vault meets this requirement through time-to-live (TTL) values associated with the credentials and leases it manages.
When a user authenticates to Vault with the username and password auth method using a predefined role, they receive a Vault token with an attached set of TTL values. When no renewal occurs or is possible and the TTL associated with the credential expires, Vault automatically revokes the credential.
In the same way, you can attach leases to dynamic secrets. For example, when using a database secrets engine, you can assign a role to a secrets engine instance that specifies a default TTL for all dynamic secrets issued from the role. When that TTL is reached, Vault automatically revokes the secret.
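As an added example (not Vault's own code) of the lease mechanics just described, this models a lease with a TTL and a maximum TTL: renewals extend the expiry but never past issue time plus max TTL, and anything that reaches its expiry without renewal is revoked automatically. Times are plain integer seconds and the lease ID is constructed, so it runs offline.

```python
class LeaseExpired(Exception):
    """Raised when a renewal is attempted on a lease that has already lapsed."""


class Lease:
    def __init__(self, lease_id, issued_at, ttl, max_ttl):
        self.lease_id = lease_id
        self.issued_at = issued_at
        self.max_ttl = max_ttl
        self.expires_at = issued_at + min(ttl, max_ttl)   # initial TTL cannot exceed max_ttl
        self.revoked = False

    def renew(self, now, increment):
        """Renew like Vault does: the requested increment is clamped to max_ttl,
        measured from the original issue time, not from now."""
        if self.revoked or now >= self.expires_at:
            raise LeaseExpired(self.lease_id)
        hard_limit = self.issued_at + self.max_ttl
        self.expires_at = min(now + increment, hard_limit)
        return self.expires_at - now      # TTL actually granted by this renewal


def revoke_expired(leases, now):
    """What the expiration manager does on each tick: revoke lapsed leases."""
    revoked = []
    for lease in leases:
        if not lease.revoked and now >= lease.expires_at:
            lease.revoked = True
            revoked.append(lease.lease_id)
    return revoked


def demo():
    # Constructed lease for a database role: 1 hour TTL, 2 hour hard maximum.
    db = Lease("database/creds/hashicups-app/constructed-id", issued_at=0, ttl=3600, max_ttl=7200)
    granted = db.renew(now=3000, increment=3600)   # 6600 is under the 7200 ceiling: full hour
    clipped = db.renew(now=6000, increment=3600)   # 9600 would exceed 7200: only 1200 granted
    return granted, clipped, db
```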
Disaster recovery support
HashiCups business requirements state that any new solution must have disaster recovery support.
Vault Enterprise supports disaster recovery through automated integrated storage snapshots, integrated storage auto-pilot, and disaster recovery replication.
Automated data snapshots offer Vault operators a way to schedule multiple independent snapshots of Vault server data, which can be stored locally or in popular cloud storage solutions.
Integrated storage autopilot simplifies and automates cluster management with integrated storage, and includes cluster node health checking, server stabilization for unstable or newly-added cluster nodes, and cleanup for failed nodes.
Disaster recovery (DR) replication enables a primary cluster to replicate data to secondary clusters. Secondary clusters essentially act as warm standby clusters, and do not service read or write requests until they are promoted and become the new primary cluster.
Performance scaling
The team needs to scale any new solutions to meet increased business demand going forward. Vault Enterprise offers scaling solutions in the form of performance standby nodes and performance replication.
Performance standby nodes are designed to enhance horizontal scalability of read requests within a single Vault cluster. For example, performance standbys can handle encryption or decryption of data with the transit secrets engine, GET requests for key/value secrets, and other requests that do not change the underlying storage.
Performance replication enables highly available and scalable use cases to meet the team's needs as the number of clients and their functional needs increase.
Vault use can be scaled over several geographic regions to offer ideal performance and data locality. At the same time, operators can enable a common set of globally enforced access control policies, along with a consistent set of secrets to applications that need to interoperate.
In Performance Replication, there is a primary cluster and there are secondary clusters which replicate data from the primary. The secondary clusters mirror the configuration of the primary cluster and can handle client requests, but do not mirror the Vault authentication tokens and leases of the primary.
Identity-based security
Vault helps your teams automate access to secrets by deeply integrating with trusted application, machine, and user identities.
Identity management in Vault keeps track of the clients that Vault recognizes. Vault provides this through the identity secrets engine.
Each user may have multiple accounts with various identity providers, and Vault supports many of those providers for authenticating to Vault. Vault Identity can tie authentications from various auth methods to a single representation. This consolidated identity is called an Entity, and the user's corresponding accounts with authentication providers are mapped to it as Aliases.
Secrets sprawl
A common anti-pattern in secrets management is secrets sprawl.
When you keep secrets in a number of disparate systems, each potentially involving their own identity and authentication for access, operational efficiency is reduced and maintenance needs increase.
Vault can deliver a big win for your organization by helping your security teams reduce secrets sprawl with centralized storage, management, and access through familiar authentication solutions.
Cloud and vendor agnostic
HashiCups is looking for a solution that is not specific to any one cloud service provider. There are multiple deployment options for Vault, and Vault supports secrets management and authentication for many different providers.
You can deploy Vault on bare-metal, virtual machines, or containers. You can also install Vault on-premises, in a cloud provider, or as a managed service.
Human and machine authentication
Vault enforces authentication as part of its request processing with auth methods.
Auth methods are Vault plugins which perform authentication and are responsible for assigning identity and a set of policies to a user. Vault supports a range of auth methods for both human and machine users.
Examples of human auth methods include GitHub, LDAP, and userpass.
In most cases, Vault delegates the authentication administration and decision to the relevant configured external auth method (e.g., Amazon Web Services, GitHub, Kubernetes, and others).
Examples of machine auth methods include AppRole, AWS, Kubernetes, and TLS.
The HashiCups team can support their human users by enabling username and password based authentication to Vault with an instance of the userpass auth method.
The team can also handle machine based authentication for their Kubernetes workloads with the Kubernetes auth method, which allows those workloads to authenticate to Vault without requiring any human intervention.
Secrets engines for static and dynamic secrets
Secrets engines are plugins which store, generate, or encrypt data. Secrets engines manage and return two types of secrets: static and dynamic.
Static secrets do not expire. Changing a static secret is a manual process, and the value is not expected to change for a long time. They are rarely, if ever, rotated.
Examples of static secrets include 3rd party tokens, API keys, application keys, PKI certificates, PGP keys, encryption keys, usernames, and passwords. The KV secrets engine stores and manages static secrets.
Dynamic secrets are created on demand and revoked after a predetermined amount of time. They do not exist until requested, which greatly reduces the chances of abuse, and they are not held in storage. Revocation happens according to the secrets engine configuration that limits how long the secret remains available.
Dynamic secrets usually integrate with a 3rd party platform that receives requests from Vault to generate the credentials.
Examples of dynamic secrets include database keys, cloud provider credentials, and other short-lived secrets.
Some secrets engines also handle data in transit. The transit secrets engine does not store data, but handles encryption and decryption of data.
Explore Vault
To help the team at HashiCups get hands-on with Vault, HashiCorp has built a demo environment for experiencing some of Vault's features before they start their POC.
Summary
Vault provides solutions to the challenges HashiCups is facing. Throughout these Vault foundations tutorials, you will learn about Vault's core concepts, processes, and tools to see how Vault can help HashiCups implement the requirements set out by the business leaders.