Scribd
Upload
90 views

Vault Part 2 Concepts

This document provides an overview of key concepts for using and operating Vault, including: 1) Dev server mode which allows experimenting with Vault without further setup and stores all data in memory. 2) The seal/unseal process where Vault starts in a sealed state and needs to be unsealed to decrypt its storage. 3) Lease renewal and revocation, where secrets and auth tokens have a time-to-live and Vault checks for renewal. 4) Tokens which are used to authenticate to Vault and can be generated, revoked, and renewed.

Uploaded by

biliba
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
90 views

Vault Part 2 Concepts

This document provides an overview of key concepts for using and operating Vault, including: 1) Dev server mode which allows experimenting with Vault without further setup and stores all data in memory. 2) The seal/unseal process where Vault starts in a sealed state and needs to be unsealed to decrypt its storage. 3) Lease renewal and revocation, where secrets and auth tokens have a time-to-live and Vault checks for renewal. 4) Tokens which are used to authenticate to Vault and can be generated, revoked, and renewed.

Uploaded by

biliba
Copyright
© © All Rights Reserved
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 16

OVERVIEW

Overview of concepts that are important to understand for day

to day vault usage and operations.

These notes follow HashiCorp specific structure found here:

http://www.vaultproject.io/docs/concepts

I have created these notes as part of my personal learning and

hope to be able to help and inspire others.

I would recommend viewing the official vault docs to gain full

and detailed explanations.

I will be releasing interactive notebooks for all configuration

detailed in these guides .

Follow my instagram @adnans_techie_studies for updates

DEV SERVER MODE

COMMAND

INSECURE AND DEV VAULT SERVER DEV

LOSE DATA ON
a
MODE
v

RESTART

NO FURTHER SETUP

ALLFEATURESAVAILABLE

EXPERIMENT WITH VAULT

NO NEED TO UNSEAL

ALL DATA STORED IN MEMORY

BOUND TO LOCAL ADDRESS WITHOUT TLS

AUTO AUTHENTICATE

SINGLE UNSEAL KEY

V2 KU SECRET ENGINE

SEAL UNSEAL


a VAULTCAN SEE
VAULT
starts.ws SEALED canSEE BUT

STARTED STATE STORAGE



UNABLETODECRYPT

How

UNSEAL

OBTAIN MASTER

KEYTO READ

DECRYPTIONKEY To DECRYPT DATA

WHY s DATASTOREDBYVAULTIS ENCRYPTED


SHARED

NEED SHAMIR

v KEYS

ENCRYPTION KEY To DECRYPT

Is COMBINED

50 STOREDWITH KEY

IN

DATA
i KEYRING

ENCRYPTEDWITH
ENCRYPTED

ENCRYPTED

MASTERKEY ENCRYPTED AGAIN MASTER KEYRING

But
www

VAULTSTORAGE

UNSEALKEY

UNSEALING s VAULT OPERATORUNSEAL 012 API

ONCEUNSEALED
SEALING wine THROWAWAY THEN UNSEAL
MASTERKEY process

REMAINSUNSEALED UNLESS

THESE
CAN BEDONE

x x x
BYROOT

RESEALVIA API SERVERRESTART VAULTSTORAGE

UNRECOVERABLE
ERROR

SEALMIGRATION

from

DELEGATE TO use AUTO To


REDUCEOPERATIONAL KMSSEAL SHAMIRSEAL

SERVICE COMPLEXITY OF

UNSEAL SHAMIRSEAL s KMSSEAL


UNSEALKEYS

KMSSEAL KMSSEAL

KMS
initialisation
v AND

SHAMIRKEYS CALLED RECOVERY

GENERATED
KEYS

REQUIRES DOWNTIME

LEASE RENEW AND REVOKE

DYNAMIC SECRET

AND Has LEASE IE


s REVOKED THEN NO FURTHER

SERVICETYPE Has RENEWAL

AVTHTOKEN r

TTL

AND

CHECKS WITH

VAULT REGULARLY to AUDIT LOCTS

LEASEID is
USEDTOMANAGE LEASE DURATION

LEASEOFSECRET fakes

INCREMENT

is

FROMTHETIME OF REQUEST

AND BACKEND CAN IGNOREIT

PREFIXBASED HAS
ABILITY TO REVOKE REVOKE

REVOCATION can

MULTIPLESECRETS TREE

SECRETS

IF

GITHUB INTRUSION WITHIN

0 AUTH
SPECIFICSYSTEM

METHODS s LDAP

CLIENT AppROLE

ENABLE

BEFORE AUTHENTICATION

USE

TOKENS first VERIFY THEN GENERATE ASSOCIATE TOKEN

IDENTITY

USEDFor

VAULT REVOCATION AND RENEWAL

LOGIN

LEASE ASSOCIATED REAUTH AFTERAGIVENPERIOD

TOKENS

TOKEN TOKENAUTH

STORE BACKEND

ROOT R FlA can Do 1 is

TOKENS Lt ANYTHING
RESPONSIBLE FOR
CREATING ANDSTORING

TOKENS

SETTONEVER AND
EXPIRE CANNOT BEDISABLED

EEE'm
ME

ftp.rnLEE formT
azfEoYofEE

GENERATE WITHPERMISSION of Quorum UNSEALKEY

SHOULD HOLDERS
ONLY BEUSED

FORINITIALSETUP

OR

EMERGENCY

TOKEN HOLDER TOKEN SERVICE

CREATETOKEN TYPES f

CHILD TOKEN NORMAL TOKENS

TOKEN
CHILD

PARENT

REVOKES

ALL

BATCH

OR

ORPHAN TOKEN ENCRYPTED


VAULT

BLOBS ACTIONS

NO PFRENT REQUIRE

NO STORAGE

REVOKETHETOKEN

TOKEN TOKEN ACCESSOR

RENEWTHETOKENh CREATEDAND

Accessors CREATED

RETURNED

LOOKUPTOKEN TOKEN CAPABILITIES

PROPERTIES

EXAMPLE

USE ANOTHER

SERVICE
CREATES service JOB ID JOB COMPLETE

TOKEN

STORES ACCESSOR REVOKEWHEN

AND FINISHED

TOKENS CONTINUED

GENERAL IF NO IT IS COMPARED TO

MAX TTL

EXPLICIT TTL

TOKENS

MAX TTL SYSTEM MAYTTL

COMBINATION

EXPLICIT HARD IGNORES VALUE SET a


32 DAYS

TTL LIMIT 134AUTH v


BASEDON
METHOD MOUNT CANOVERRIDE

THESYSTEMMAX

SYSTEMS PERIODICALLY PERFORM TASK

PERIODIC LONG RUNNING 502 CONNECTION

TOKENS SERVICES POOL

OUTSIDE OF ROOT ONLY OTHER WAY TO HAVE UNLIMITED LIFETIME

MUST RENEW WITHIN CONFIGURED PERIOD

BOUND TO GDR

CIDR BOUND

TOKENS

RESTRICT CLIENTS WHO CAN USE

RESPONSE WRAPPING

REQUESTS

SERVER 7

NEEDS TLS

PRIVATEKEY RETURNSSINGLEUSETOKEN

CUBBYHOLE

RESPONSE

WRAPPING

L LIMIT LIFETIME

PROVIDECOVER

OF

FOR SECRET DETECT SECRETEXPOSURE

INFORMATION MALFEASANCE

NOT SECRET SINGLE PARTY CAN WRAPPING IS

BUTREFERENCE UNWRAP AND SEE SEPERATE FROM

SECRET

RESPONSE DOES NOT CONTAIN

WRAPPING THE SECRET

WRAPPED ACCESSOR

TOKENS u

INSTEAD 5

CREATION PATH

L v J

TTL OF

WRAPPING TOKEN CREATION

TIME

TOKEN

POLICIES

EVERYTHING IN VAULT IS PATH BASED AND POLICES IS NO EXCEPTION

GRANT FORBID ACCESS To CERTAIN PATHS OPERATIONS

DENY BY DEFAULT DOESNOTSTORE

DELEGATESAUTHMETHOD

I CONNECTAUTHBACKEND
LDAP

SECURITY
TEAM

ADMIN

2 AUTHORVAULT

TEAM Policy
g

ya µq
POLICY

ADOUGROUPDEV TO

READONLYDEVINVAULT

3ATTACHVAULT F

TOKEN x

4
O 1 CONNECTAUTHBACKEND T POLICY
CLIENTS

USERS r

4 RETURN TOKEN 2verifycresswithAUTH

LDAP

SYNTAX

PATH

Secret EXAMPLE

capabilities create read update delete list GRANTS ALLACCESSON SECRET

PARAMETER

PROVIDE FINE GRAINED CONTROL FINE TRAINED CONSTRAINTS


OVER PERMITTED DENIED OPERATIONS CONTROL

REQUIRE

RESPONSEWRAPPING Set Min max

TTLS

POLICIES CONTINUED

CANNOT BE REMOVED

DEFAULT

POLICY

BUILT IN
ATTACHED TO ALL TOKENS

POLICIES

ROOT CANNOT BE MODIFIED ORREMOVED

POLICY

USER CANDO ANYTHING

DELETINGPOLICIES a MANACTING LISTING POLICIES

Hautdeletesyspolicyltestpolicy vault read systpolicy

POLICIES

u v

UPDATING POLICIES CREATING POLICIES

vaultwritesystpolicyltestpolicy Vaultpolicy write testpolicy testpolicy hcl

updated policyJson
policy

HIGH AVAILABILITY MODE

HA AUTOMATICALLY ENABLED IF DATA STORE SUPPORTS 1 T

CHECK IF

HAAVAILABLE

NEXTTO DS

0N SERVER

I
BOTH TRY GRAB LOCK

SUCCESSFUL ACTIVE NODE

DATA ELSE STANDBY NODE

STORE

IF STANDBYNODEGETSREQUEST FORWARD REDIRECTDEPENDINGONSTATE

REDIRECTION MODE MUST BE MET FOR HA CLUSTER TO WORK

UNSEALED

SERVER TO writesInformation 1 STAND BY


ABOUTSELF READ

SERVERCOMMUNICATION NODES

ACTIVE VAULT

STORAGE

NOT COMMUNICATED OVERNETWORK

CLIENT X VAULT NO REQUEST FORWARDING

REDIRECTION

IF NONEMPTYVALVE
REDIRECT CLIENTWITH 307 CODETO ACTIVE NODE

REDIRECTADDRESS

DIRECT

ACCESS api addr SHOULD BETHATNODES ADDRESS

THISSHOULDBE AVOIDED

LOAD

THE LB MUST BEAWARE OF THE


BALANCERS

ACTWELEADER OR REDIRECTS WILLLOOP

INTEGRATED STORAGE

VAULT 1.4 INTEGRATED STORAGE

HA SEMANTICS ENTERPRISE REPLICATION BACKUP AND RESTORE

CONSENSUS PROTOCOL TO REPLICATE DATTA TO EACH SERVER IN CLUSTER

JOIN NODE USE SAME SEAL MECHANISM JOIN REPLICATE

PGP G PG AND KEYBASE

OPENPGP COMPATIBLE PROGRAMS

VAULT GPG a

INTEGRATION
KEYBASE IO

PREVAULT 0.3 SECUREMESSAGING


UNSEALKEYSIN
AND
FILE SHARING
PLAINTEXT
GIVENTOINITIAL
USER BAD
VAULT UNSEAL KEY DISTRIBUTION

GENERATE UNSEAL
INITIALISING WITH
KEY AND IMMEDIATELY e
PGP
ENCRYPT USING

GIVEN USERS PUBLIC


PGP KEYS IMPORT APPROPRIATE
KEYS

KEYBASE GPG
1
SIMPLE AND
KEY MANAGEMENT
RECOVERY MODE

AUTOMATICALLY UNSEALED ONCE RECOVERY TOKEN ISSUED

RECOVERY TOKEN OPERATIONS AND 5451RAW ENDPOINT

WON'T FORM CLUSTERS OR HANDLE REQUEST FROMSTANDBY

RAFT INTEGRATE STORAGE IS MAIN REASON


r
AUTO RESIZE CLUSTER TO 1

THEN REJOIN RAFT CLUSTER

You might also like