
OVERVIEW

Overview of concepts that are important to understand for day to day Vault usage and operations.

These notes follow the HashiCorp-specific structure found here:
http://www.vaultproject.io/docs/concepts

I have created these notes as part of my personal learning and hope to be able to help and inspire others.

I would recommend viewing the official Vault docs to gain full and detailed explanations.

I will be releasing interactive notebooks for all configuration detailed in these guides.

Follow my instagram @adnans_techie_studies for updates

DEV SERVER MODE

Command: vault server -dev

- An insecure, development-only Vault server: all data is stored in memory and is lost on restart.
- No further setup is needed and all features are available, so it is a quick way to experiment with Vault.
- No need to unseal: the server starts with a single unseal key, is already unsealed, and the CLI is automatically authenticated.
- Bound to the local address, without TLS.
- The KV secrets engine is mounted as version 2.

SEAL UNSEAL

- Vault starts in a sealed state: it can see its storage backend but is unable to decrypt anything in it.
- Why: all data stored by Vault is encrypted. The encryption key is stored with the data, in a keyring, and the keyring is itself encrypted with the master key. The master key is encrypted again with the unseal key, and only that ciphertext lives in Vault storage.
- The unseal key is never stored whole: it is split into shared keys with Shamir's secret sharing, and a threshold of those key shares must be combined to reconstruct it.
- How to unseal: combine the key shares to obtain the unseal key, decrypt the master key, use it to read the decryption key (the keyring), and decrypt the data.
- Unsealing is done with vault operator unseal or via the API.
- Once unsealed, Vault remains unsealed unless one of these happens: it is resealed via the API (this can be done by root), the server restarts, or Vault storage hits an unrecoverable error.
- Sealing throws away the master key; the unseal process then has to be repeated.
SEAL MIGRATION

- Auto unseal delegates unsealing to a KMS service, to reduce the operational complexity of the unseal process.
- Supported migrations: Shamir seal to KMS seal, KMS seal to Shamir seal, and KMS seal to KMS seal.
- When Vault is initialised with a KMS seal, the Shamir keys that are generated are called recovery keys.
- Seal migration requires downtime.

LEASE RENEW AND REVOKE

- A dynamic secret has a lease, i.e. a TTL. Once it is revoked, no further renewal is possible.
- Service-type auth tokens also have a TTL and renewal, so the client checks in with Vault regularly (these calls show up in the audit logs).
- The lease ID is used to manage the lease: renew it or revoke it.
- Renewal extends the lease duration of the secret by an increment counted from the time of the request; the backend can ignore the requested increment.
- Prefix-based revocation: the ability to revoke multiple secrets at once, i.e. the whole tree of secrets under a prefix.
- Example: if there is an intrusion within a specific system (e.g. GitHub), revoke everything issued for it in one operation.

AUTH METHODS

- Examples: LDAP, AppRole.
- An auth method has to be enabled before clients can authenticate with it.
- Vault uses tokens: the auth method first verifies the client, then a token is generated and associated with the client's identity.
- The identity is used for revocation and renewal.
- A login has a lease associated with it, so the client has to re-authenticate after a given period.

TOKENS

- The token auth backend (token store) is responsible for creating and storing tokens. It cannot be disabled.
- Root tokens can do anything and are set to never expire.
- A root token can be generated with the permission of a quorum of unseal key holders. It should only be used for initial setup or in an emergency.
- A token holder can create child tokens. Token types: service (normal) tokens and batch tokens.
- Parent / child: revoking the parent revokes all of its children. An orphan token has no parent.
- Batch tokens are encrypted blobs and require no storage in Vault.
- Token accessor: created and returned together with the token. Actions possible with the accessor: revoke the token, renew the token, look up the token's properties, look up the token's capabilities.
- Example use: another service creates a token for a job, stores the accessor with the job ID, and revokes the token when the job is complete and finished.

TOKENS CONTINUED

- General TTL: if no explicit TTL is set, the token's TTL is compared to the max TTL.
- Explicit max TTL: a hard limit on the token's lifetime, regardless of the other values set.
- System max TTL: 32 days. The effective limit is the combination of the system max and the auth method: an auth method mount can override the system max.
- Periodic tokens: for systems that periodically perform a task, e.g. long-running services with a connection pool. Outside of root, the only other way to have an unlimited lifetime, but the token must be renewed within the configured period.
- CIDR-bound tokens: restrict which client addresses can use the token.

RESPONSE WRAPPING

- Scenario: a client requests something sensitive from the server, e.g. a TLS private key. Instead of returning the secret directly, Vault returns a single-use wrapping token.
- Cubbyhole response wrapping: the response is stored in the wrapping token's cubbyhole, with a limited lifetime.
- This provides cover for the information: the wrapping token is not the secret, only a reference to it. A single party can unwrap and see the secret, so secret exposure or malfeasance can be detected. The wrapping is separate from the secret, and the wrapped response does not contain the secret.
- Instead of the secret, the wrap info holds: the wrapping token, its accessor, the wrapped accessor, the creation path, the TTL of the wrapping token and its creation time.

POLICIES

- Everything in Vault is path based, and policies are no exception: a policy grants or forbids access to certain paths and operations.
- Deny by default.
- Vault does not store user credentials; verifying them is delegated to the auth method.
- Flow:
  1. Connect an auth backend (e.g. LDAP).
  2. The security team / admin authors a Vault policy, e.g. map the LDAP group "dev" to a read-only dev policy in Vault.
  3. Attach the Vault policy to the token.
  4. Clients / users log in, Vault verifies the credentials with the auth backend (LDAP) and returns a token with the policy attached.

SYNTAX

- Each rule names a path (example: secret) and the capabilities permitted on it: create, read, update, delete, list. Granting all five on secret grants all access on secret.
- Parameter constraints provide fine-grained control over permitted and denied operations.
- A rule can also require response wrapping and set min / max TTLs for it.
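The path-based, deny-by-default evaluation described above, as an added example that is not code from these notes or from Vault: a small model that matches request paths against policy rules, merges capabilities, and renders a policy in the HCL syntax of a Vault policy file. The wildcards follow Vault's documented rules (a trailing * matches any suffix, + matches exactly one segment); the "longest matching pattern wins, deny always wins" precedence is a simplifying assumption for the demo, and the sample policies are constructed.

```python
"""Minimal model of Vault-style path-based ACL policies (added example).

A policy maps path patterns to capabilities. A request is allowed only if
the most specific matching rule grants the capability (deny by default),
and a "deny" capability overrides anything else granted on that path.
"""
from typing import Dict, List

Policy = Dict[str, List[str]]  # path pattern -> capabilities

# Constructed sample policies, not taken from any real deployment
DEV_READONLY: Policy = {
    "secret/data/dev/*": ["read", "list"],
    "secret/data/dev/prod-mirror": ["deny"],  # carve-out: never readable
}
ADMIN: Policy = {
    "secret/*": ["create", "read", "update", "delete", "list"],
    "sys/policies/acl/+": ["read"],  # '+' = exactly one path segment
}


def path_matches(pattern: str, path: str) -> bool:
    """Match a request path against a policy path pattern."""
    glob = pattern.endswith("*")
    pparts = (pattern[:-1] if glob else pattern).split("/")
    parts = path.split("/")
    if glob:
        if len(parts) < len(pparts):
            return False
        # leading segments must match ('+' matches any one segment); the
        # final pattern segment is a prefix of the corresponding path segment
        head_ok = all(pp in ("+", p) for pp, p in zip(pparts[:-1], parts))
        return head_ok and parts[len(pparts) - 1].startswith(pparts[-1])
    return len(pparts) == len(parts) and all(
        pp in ("+", p) for pp, p in zip(pparts, parts)
    )


def is_allowed(policies: List[Policy], path: str, capability: str) -> bool:
    """Deny by default; longest matching pattern decides; deny overrides."""
    best_len, granted = -1, set()
    for policy in policies:
        for pattern, caps in policy.items():
            if not path_matches(pattern, path):
                continue
            if len(pattern) > best_len:
                best_len, granted = len(pattern), set(caps)
            elif len(pattern) == best_len:
                granted |= set(caps)  # same path in two policies: union
    return "deny" not in granted and capability in granted


def to_hcl(policy: Policy) -> str:
    """Render a policy in the HCL syntax Vault uses for policy files."""
    out = []
    for pattern, caps in policy.items():
        quoted = ", ".join(f'"{c}"' for c in caps)
        out.append(f'path "{pattern}" {{\n  capabilities = [{quoted}]\n}}\n')
    return "".join(out)


if __name__ == "__main__":
    print(to_hcl(DEV_READONLY))
    for cap in ("read", "update"):
        print(cap, is_allowed([DEV_READONLY], "secret/data/dev/db", cap))
    # the deny carve-out holds even when a broader admin policy is attached
    print("mirror:", is_allowed([DEV_READONLY, ADMIN],
                                "secret/data/dev/prod-mirror", "read"))
```

The last check is the one worth remembering when reviewing policies: attaching a broader policy to the same token does not lift an explicit deny on a more specific path.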

POLICIES CONTINUED

- Built-in policies:
  - default: attached to all tokens; cannot be removed.
  - root: cannot be modified or removed; a user holding it can do anything.
- Managing policies:
  - Listing / reading: vault read sys/policy
  - Deleting: vault delete sys/policy/testpolicy
  - Creating / updating: vault write sys/policy/testpolicy policy=@<updated policy JSON file>
    or: vault policy write testpolicy testpolicy.hcl

HIGH AVAILABILITY MODE

- HA is automatically enabled if the data store supports it. Whether HA is available is shown next to the data store in the server output.
- Both servers try to grab a lock in the data store. The one that succeeds becomes the active node; the others are standby nodes.
- If a standby node gets a request it forwards or redirects it, depending on its state. The requirements of redirection mode must be met for the HA cluster to work.
- Server communication: an unsealed server writes information about itself to storage, and standby nodes read it. Active and standby nodes communicate through the storage, not over the network.
- Client to Vault, with no request forwarding: if the redirect address is a non-empty value, the standby redirects the client with a 307 code to the active node. For direct access, api_addr should be that node's own address. Relying on this redirection should be avoided.
- Load balancers: the LB must be aware of the active leader, or redirects will loop.

INTEGRATED STORAGE

- Vault 1.4 introduced integrated (Raft) storage.
- Provides HA semantics, Enterprise replication, and backup and restore.
- A consensus protocol replicates data to each server in the cluster.
- Joining a node: it must use the same seal mechanism; it then joins and replicates the data.

PGP, GPG AND KEYBASE

- Vault integrates with GPG and other OpenPGP-compatible programs, and with Keybase.io (secure messaging and file sharing).
- Pre Vault 0.3: the unseal keys were given to the initial user in plaintext, which is bad.
- Vault unseal key distribution: when initialising with PGP, Vault generates the unseal keys and immediately encrypts each one with the given user's public PGP key.
- Import the appropriate keys via GPG or Keybase, which keeps key management simple.
RECOVERY MODE

- Vault is automatically unsealed once a recovery token is issued.
- Only recovery token operations and the sys/raw endpoint are available.
- The server won't form clusters or handle requests from standby nodes.
- The main reason for recovery mode is Raft integrated storage: the cluster is automatically resized to 1, after which the nodes rejoin the Raft cluster.
