Reputation: 3571
Where should I store the Unseal Key and Root Token for HashiCorp Vault?
The Vault will be used by various members on the team.
Upvotes: 17
Views: 6123
Reputation: 1379
In best-practice usage, you wouldn't be storing a root token - once done with it, it should be revoked.
Root tokens are useful in development but should be extremely carefully guarded in production. In fact, the Vault team recommends that root tokens are only used for just enough initial setup (usually, setting up auth methods and policies necessary to allow administrators to acquire more limited tokens) or in emergencies, and are revoked immediately after they are no longer needed.
If a new root token is needed, the operator generate-root command and associated API endpoint can be used to generate one on the fly.
Unseal keys should be distributed amongst trusted people, with nobody having access to more than one of them.
This then requires more than one person to restart Vault or to gain root access to it.
The documentation doesn't suggest any good hiding places for the individual unseal keys that I could find - I'd suggest wherever you normally store passwords, i.e. a password manager.
For day-to-day usage, users can log in using the user/pass or ldap auth backends.
Upvotes: 18
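The answer above relies on the property that no single unseal key holder can unseal Vault alone. Vault gets that property from Shamir's secret sharing: `vault operator init -key-shares=5 -key-threshold=3` splits the master key into 5 shares, any 3 of which reconstruct it, while 2 reveal nothing. What follows is an added, self-contained illustration of that scheme written for this page, not HashiCorp's own code; the `split`, `combine` and `demo` names, the constructed 32-byte stand-in for the master key, and the share layout (y bytes followed by the x coordinate) are my own choices.

```python
"""Byte-wise Shamir secret sharing over GF(2^8), written as an illustration
of why a 3-of-5 unseal quorum needs three people (not Vault's own code)."""
import secrets


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def gf_inv(a: int) -> int:
    """Multiplicative inverse; the field has 255 non-zero elements, so search."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    for candidate in range(1, 256):
        if gf_mul(a, candidate) == 1:
            return candidate
    raise AssertionError("unreachable: every non-zero element has an inverse")


def _eval_poly(coeffs, x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret` into `shares` pieces; any `threshold` of them recover it.
    Each share is len(secret)+1 bytes: one y-value per secret byte, then its x."""
    if not 2 <= threshold <= shares <= 255:
        raise ValueError("need 2 <= threshold <= shares <= 255")
    out = [bytearray() for _ in range(shares)]
    for byte in secret:
        # Random polynomial of degree threshold-1 whose constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for i in range(shares):
            out[i].append(_eval_poly(coeffs, i + 1))  # x = 1..shares, never 0
    for i in range(shares):
        out[i].append(i + 1)
    return [bytes(s) for s in out]


def combine(shares: list) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0 (the secret)."""
    if len(shares) < 2:
        raise ValueError("at least two shares are required")
    length = len(shares[0])
    if any(len(s) != length for s in shares):
        raise ValueError("shares have different lengths")
    xs = [s[-1] for s in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share supplied")
    result = bytearray()
    for pos in range(length - 1):
        acc = 0
        for i, xi in enumerate(xs):
            basis = 1
            for j, xj in enumerate(xs):
                if i != j:
                    # L_i(0) = prod (0 - x_j) / (x_i - x_j); in GF(2^8) minus is XOR
                    basis = gf_mul(basis, gf_mul(xj, gf_inv(xi ^ xj)))
            acc ^= gf_mul(shares[i][pos], basis)
        result.append(acc)
    return bytes(result)


def demo(shares: int = 5, threshold: int = 3):
    """Constructed master key split 3-of-5: returns (quorum recovers,
    another quorum recovers, threshold-1 shares recover)."""
    master = secrets.token_bytes(32)  # constructed stand-in for Vault's master key
    parts = split(master, shares, threshold)
    quorum_ok = combine(parts[:threshold]) == master
    other_quorum_ok = combine(parts[-threshold:]) == master
    below_quorum_ok = combine(parts[:threshold - 1]) == master
    return quorum_ok, other_quorum_ok, below_quorum_ok


if __name__ == "__main__":
    print(demo())  # expected (True, True, False)
```

Each entry of the list returned by `split` corresponds to one unseal key handed to one person, which is why the answer insists nobody holds more than one: a holder of two shares of a 3-of-5 split needs only one more colleague rather than two.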