DaveStance

Reputation: 421

How can I use Hashicorp Vault to manage my application secrets?

I'm very excited by the offerings of Hashicorp Vault but I'm having trouble wrapping my head around how it fits into our present architecture. The need to manually unseal the vault with every deployment is a great benefit to security, no doubt, but how are applications meant to react when the Vault is initially sealed?

For instance, if application A depends on a database credential generated by Vault in order to initialize, how is this application meant to react when it is deployed while Vault is sealed? Spin-wait while checking for the sealed status?

Additionally, how are other people pre-populating Vault with certain secrets in production? For instance, we have an authentication server that depends on a single consistent system secret that it must fetch from Vault at startup. How can I securely ensure that this secret is available after deploying Vault?

For the record, we are deploying Vault with some other services using docker-compose and ecs compose for deployment.

Upvotes: 4

Views: 1280

Answers (1)

gmreburn

Reputation: 313

It is not necessary to seal your vault between deployments. Vault requires an unsealed vault to renew leases, read secrets, create credentials, etc. The vault is secured with authentication and authorization during normal use.

You should seal your vault when a significant intrusion has been detected. Sealing the vault helps minimize damages by throwing away the reconstructed master key. This prevents Vault from operating until the risk has been mitigated. Sealing does not revoke credentials that were issued by Vault.

You also asked about importing pre-existing secrets and how to "securely ensure that this secret is available after deploying Vault":

You should issue write commands for your pre-existing secrets to import them after the vault has been unsealed. You can securely ensure that the secret exists by reading it. Read and write operations are generally secure when using the CLI or API.

$ vault write secret/single-consistent-system-secret value=secret-stuff
Success! Data written to: secret/single-consistent-system-secret

$ vault read secret/single-consistent-system-secret
Key             Value
lease_duration  2592000
value           secret-stuff

Upvotes: 4
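As an added example (not code from the question or the answer), here is the startup behaviour the question asks about: poll Vault's unauthenticated `/v1/sys/seal-status` endpoint with a delay until it reports unsealed, then read the secret the answer wrote with the `/v1/secret/<path>` API. The address, token placeholder and the injectable `fetch`/`sleep` parameters are assumptions made so the logic can be exercised without a running Vault.

```python
import json
import time
import urllib.request
from typing import Callable, Optional

# Constructed defaults for illustration; in the docker-compose deployment the
# address and token would come from the environment (e.g. VAULT_ADDR).
VAULT_ADDR = "http://127.0.0.1:8200"
SECRET_PATH = "single-consistent-system-secret"


def http_get(url: str, token: Optional[str] = None) -> dict:
    """GET a Vault API endpoint and decode its JSON body (real network call)."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def wait_until_unsealed(addr: str, max_attempts: int = 30, delay: float = 2.0,
                        fetch: Callable[..., dict] = http_get,
                        sleep: Callable[[float], None] = time.sleep) -> int:
    """Poll the unauthenticated /v1/sys/seal-status endpoint until Vault
    reports "sealed": false; returns the attempt number on success.
    Connection errors (container not up yet) count as "still sealed"."""
    for attempt in range(1, max_attempts + 1):
        try:
            status = fetch(f"{addr}/v1/sys/seal-status")
            if not status.get("sealed", True):
                return attempt
        except OSError:
            pass
        sleep(delay)  # back off instead of hammering the API
    raise TimeoutError(f"Vault at {addr} still sealed after {max_attempts} attempts")


def read_secret_value(addr: str, token: str, path: str,
                      fetch: Callable[..., dict] = http_get) -> str:
    """Read a KV secret (same data `vault read secret/<path>` prints)."""
    body = fetch(f"{addr}/v1/secret/{path}", token)
    return body["data"]["value"]


if __name__ == "__main__":
    print(f"unsealed after {wait_until_unsealed(VAULT_ADDR)} attempt(s)")
    print(read_secret_value(VAULT_ADDR, "<token-placeholder>", SECRET_PATH))
```

The seal-status endpoint answers even while Vault is sealed, so an application can wait on it before it has any token; a bounded attempt count keeps a sealed Vault from hanging the deployment forever.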
