Questions tagged [hashicorp-vault]

Questions on the secure configuration of the Vault server and secure design of Vault API clients.

Vault is an open-source secrets-management system developed by Hashicorp. Similar in design to Square's Keywhiz, Vault exposes an HTTP API for storing and retrieving secrets like passwords and credentials, and uses a pluggable architecture that supports a variety of choices for storage backends and authentication options.

22 questions
21 votes, 1 answer

Vault: How does AppRole authentication work?

I have a server application (on dynamic infrastructure) which needs to retrieve a secret from Hashicorp Vault during startup. Let's assume we need to make this as secure as possible. From the docs and examples about AppRole authentication I understand…
18 votes, 1 answer

What security advantages does Hashicorp Vault have over storing secrets (passwords, API keys) in environment variables?

There seems to be a general recommendation to store secrets in the Hashicorp Vault instance (or similar key-management software) and avoid passing secrets via environment variables. In what particular scenarios is using Vault better from security…
5 votes, 2 answers

Best practice for securing DB passwords for multiple web apps?

I'm working on upgrading a "legacy" infrastructure where a handful of PHP, Rails and Perl (CGI) applications are in use. Historically, these applications have been written with the database credentials sprinkled into all the source code as program…
Server Fault
4 votes, 1 answer

How can I add a custom domain to a SAN for a certificate for Consul domains like active.vault.service.consul?

Say one has a service provided by Consul, for which active.[name-of-service].service.consul is the link it provides to the active host leader for that service. How would I properly set up TLS to that .consul domain name? For example, suppose I have…
3 votes, 1 answer

Can I use HashiCorp Vault to restrict access to credentials based on CIDR ranges?

This seems like a pretty simple use case, but it would depend on some pretty recently added functionality which I might not understand yet: A Python script gets populated by configuration management on a few monitoring servers within a specific IP…
2 votes, 0 answers

Storing Apache web server's SSL certificate in HashiCorp Vault

This could be a basic question as I'm new to this area. I have an Apache web server which load-balances to a set of servers to provide a web site. The Apache server has SSL enabled and we terminate TLS at the load balancer level. The TLS certificates…
Viraj
2 votes, 0 answers

Can I use Keycloak as a key store like Hashicorp Vault, for example?

Can I use Keycloak as a key store like Hashicorp Vault, for example? Keycloak has realm keys; can I use this feature as a secure key store and use it to encrypt and hash data in my web application? Is there an API that I can use to read those keys…
2 votes, 2 answers

How can I log access and usage of a MySQL database?

I am currently looking for an existing implementation method to generate logging of accesses and of usage of a series of MySQL databases by developers (not services) for further auditing. My current estimate is that all traffic would have to go…
hanzo2001
2 votes, 2 answers

Considerations for having Hashicorp's Vault on the open net

I am doing a bunch of test/data scraping projects across a few different platforms that consume read-only and not really important API keys. I can only foresee minimal damage if they were to get out. With that said, I can't see any glaring reason…
2 votes, 4 answers

Does allowing a user to know their own authorized capabilities decrease security?

In a system with a complex set of computed authorizations, does conveniently allowing a given user access to view all of their own authorizations decrease security? In a "Policy as Code" system which relies on consumers of its API to develop their…
2 votes, 1 answer

Is there value to signing microservice calls with an HMAC derived from the same private key?

I had a friend say: We're securing our microservice with an HMAC derived from the private key in the jks file. [Where client and server shared the same private key] I can understand the situation where you have an HMAC from a secret that is short…
hawkeye
1 vote, 4 answers

Can an application connect to a database without exposing the password to anyone?

I have a web application. The application needs to connect to the database to read/write information. The database can be accessed with username/password or certificate. Is it possible, somehow, to encrypt all this communication so even the…
Evaldas
1 vote, 0 answers

Password protected secrets on Vault

We're currently improving our custom secrets management system and I'm looking into different solutions such as Hashicorp Vault or AWS KMS. So far Vault seems to meet most of our current requirements, is an open-source project and provides a lot of…
1 vote, 1 answer

Distributing private PKI CA Cert with public SSL CA? Any point?

Disclaimer: I'm not even sure if the question is worded correctly in the title. Neither am I sure if I'm asking the right question. If there's literature relevant to this topic, it'd be greatly appreciated. I'm looking at Hashicorp Vault to…
Sleeper Smith
0 votes, 0 answers

How does Vault Agent solve the Secret Zero challenge in Kubernetes?

HashiCorp Vault Agent creates a sidecar that talks to the Vault server and injects secrets as files into containers. The agent presumably uses the Kubernetes Service Account in some way. But ultimately there must be a secret zero somewhere, protected…
Lemon Sky