
Recently Hashicorp released a secrets management solution called Vault.

It is a free and open source general secrets storage and secret generator, acting as a Vault for passwords, encryption keys, and hash salts.

I am wondering if anyone has started using it, and what the best practices are for using it?

Has anyone heard of any security flaws with it?

Nathan Basanese

Goli E
  • Dying for some more info on Vault. I'd like to use it to manage access to servers via SSH. I feel like Vault is up to the task, but it is so bleeding edge right now. – Randy L Jul 24 '15 at 18:09

2 Answers


You should have a look at this:

https://vaultproject.io/docs/secrets/ssh/index.html

Basically Vault (note the answer time) can create one-time credentials for people to use for SSH.

Most of its security back ends are focused on one-time or short-lease credentials which keep rotating, and Vault becomes the central token vending machine.

Sleeper Smith
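As an added illustration of how to scope access to that SSH OTP engine with least privilege (an example policy written for this page, not code from the answer above or from HashiCorp; it assumes the engine is mounted at `ssh/` and that a role named `otp_key_role` was created with `key_type=otp`):

```hcl
# Weak setting (shown for contrast only, do not attach to client tokens):
# this lets the token holder create or modify roles under the ssh/ mount,
# so a leaked token could re-point the role's default_user or cidr_list.
# path "ssh/*" {
#   capabilities = ["create", "read", "update", "delete", "list"]
# }

# Hardened policy for a client that only needs to request OTPs.
# Generating a credential is a write to ssh/creds/<role> (the client passes
# the target ip), so it needs write capabilities and nothing else.
# Assumed names: mount "ssh/", role "otp_key_role" (constructed for this example).
path "ssh/creds/otp_key_role" {
  capabilities = ["create", "update"]
}

# Explicit deny on role management so that a broader policy later attached
# to the same token cannot widen this one by accident: in Vault's ACL merge,
# "deny" takes precedence over any other capability on the same path.
path "ssh/roles/*" {
  capabilities = ["deny"]
}
```

With this attached, a client token can vend short-lived OTPs for hosts the role already allows but cannot read or change which hosts or users the role covers.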

I spent about 1 month setting up an in-depth PoC Vault Server, hosted on Kubernetes, 99% Infrastructure as Code. (Kubernetes YAMLs, configuration, scripts, Vault infrastructure provisioning secrets (encrypted), all stored as code in Git.)

My primary purpose was to evaluate its versioned key-value store. I ended up abandoning it for that purpose after finding Cloud KMS + Mozilla SOPS + Git to be a better and easier-to-maintain solution. (Did a write-up on it if you want to learn more.)

That being said, I just think its versioned key-value engine isn't worth the trouble compared to KMS + Mozilla SOPS; other than that:

Vault's a well-designed product that seems to be best in class when it comes to dynamic secrets. I'd definitely recommend it for industries that have high absolute security requirements of short-lived SSH credentials and auto-rotating database passwords. But if this is just a "nice to have", then weigh it against the fact that it'll take at least 2-4 weeks if not more figuring out how to install, configure, maintain, and secure it + ongoing costs to host the infrastructure.

The only security flaw I'm aware of is root access of a live Vault server -> memory dump -> cleartext master decryption key -> pwned. That being said, there are several ways to prevent this, the best being to use a SCONE security enclave (think Docker container with encrypted RAM). (That can 99.99% protect against root access, vs. other countermeasures that center around preventing root access.)

neokyle