Top 5 Reasons to Choose
Author: Tom Earl
Release Date: 18/09/21
What is HashiCorp Vault?
A good question you might well ask. HashiCorp Vault is a tool for securely accessing secrets. We can classify a secret as anything you might want to limit access to, ranging from certificates and passwords to API keys. All of this is housed in a low-trust environment, as Vault works on a deny-by-default methodology.
There is a plethora of authentication methods that allow you to authenticate to Vault, assign identity and set up policies governing access to the secrets held in its vast array of secrets engines. Vault also keeps a comprehensive log of every request and response that enters or leaves it, so from an auditing perspective you can be assured that Vault has you covered.
I have been impressed by many of the features of Vault and wanted to share five of my favourites to date:
1. TOKENISATION
When it comes to encrypting sensitive data, one of the latest features released with HashiCorp Vault is Tokenisation. A point to note: you will need Vault Enterprise, and specifically the Advanced Data Protection module, to use it.
The issue might not be as obvious as it first seems. What we want to achieve is the encryption of sensitive data, but with this comes the possibility that the format and length of the data will change as a result. This can be far from ideal when you need to preserve the original length or format of the data to meet industry standards. This is where Vault's Transform Secrets Engine can help, by leveraging its Format Preserving Encryption.
Whilst this might seem like the silver bullet, there are situations where the irreversibility of the tokenised data matters more than preserving the original format; this might be required when you have to meet a Governance, Risk and Compliance strategy.
What might be the best way to solve this? Well, the team at HashiCorp have come up with a clever solution: Tokenisation. Within the Transform Secrets Engine there is a transformation method that can tokenise sensitive data stored outside of Vault. It does this by replacing your sensitive data with tokens. These tokens are unique and bear no resemblance to the original data, so the original data is never exposed in plain text.
With the tokenisation feature you will benefit from the following:
- Non-reversible identification, meaning you will be able to protect your data in accordance with government regulations on data irreversibility
- Integrated Metadata, which supports metadata for identifying data type and purpose.
- Extreme scale and performance, providing the ability to effectively manage billions of tokens, both on-premises and in the cloud.
2. GITHUB AUTH METHOD
As mentioned above, HashiCorp Vault supports many authentication methods. One that stands out for me is the Vault auth method for GitHub.
It is slightly different from the standard token-based authentication methods and can be used to automatically grant Vault access to users who are members of a specific GitHub organisation. This can be broken down to an even more granular level, restricting access to a specific team, and the user needs nothing more than a GitHub personal access token to log in.
The auth method is very useful as it provides authentication for operators or developers using Vault directly via the CLI.
Configuration of the method is simple and well described in the Vault documentation. It is just a case of:
- Enabling the method
- Configuring the /config endpoint so that Vault can talk to GitHub
- Mapping the users or teams to the right policy and you are good to go
- You can also create mappings for specific users.
3. GOOGLE CLOUD SECRETS ENGINE
If you are in need of a secrets engine and platform to manage your Google Cloud IAM service accounts, then there is a very useful feature within HashiCorp Vault: the Google Cloud Secrets Engine.
With this engine you will be able to dynamically generate Google Cloud service account keys and OAuth tokens, all of which are based on IAM policies. Users will be able to gain access to Google Cloud resources without the requirement to create and manage dedicated service accounts.
All of the above can be troublesome and time consuming, but with the help of the engine you will be able to:
- Automatically clean up GCP IAM service account keys: when the lease associated with an account key expires, the key is automatically revoked.
- Allocate quick, short-term access that users do not need to create themselves, including one-time access.
- Let users authenticate to Vault using a centralised identity service such as LDAP and generate GCP credentials, all without the requirement to manage a service account for that user.
4. AUDIT DEVICES
Within Vault there are components called Audit Devices. These are responsible for keeping a detailed log of all requests and responses that come into and go out of Vault. The Vault audit logs contain every authenticated interaction; this is possible because every interaction with Vault goes through its API, and these API requests and responses are continuously logged. Vault can have multiple audit devices enabled at once and sends the audit logs to all of them.
Each audit log entry is a JSON object containing a type field, which is either request or response, and the information pertaining to that type. There is no need to worry about sensitive information being stored here: by default such values are hashed using HMAC-SHA256 before being written to the logs. As you are able to generate the same HMACs yourself, you can still check a known value against the log by using the device's hash function and salt, via the /sys/audit-hash endpoint.
In addition to this, devices can be enabled, disabled and blocked. It is worth noting that audit devices must be enabled by a root user once the Vault server is initialised.
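The hashed fields described above are what let you match a known value against the log without the plaintext ever being written. The following is an added example (not code from the post or from HashiCorp): it reproduces the `hmac-sha256:<hex>` form an audit device writes, builds a constructed request/response pair for one KV read, and then answers two defender questions, which entries a given token made and which reads returned a given secret value. The salt is a constructed stand-in; in practice the device's salt stays inside Vault and you would use `/sys/audit-hash` to produce the comparison hash.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the device's per-device salt; a real salt lives in Vault's
# storage and you would call /sys/audit-hash rather than hash locally.
DEVICE_SALT = "0f7b9c1e-constructed-salt-4a2d-000000000000"

def audit_hmac(value: str, salt: str = DEVICE_SALT) -> str:
    """Hash a field the way the audit device does before writing it:
    HMAC-SHA256 keyed with the device salt, rendered as "hmac-sha256:<hex>"."""
    return "hmac-sha256:" + hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()

# Constructed sample: the request/response pair a file audit device emits for one KV read.
# The token and the returned secret are hashed exactly as the device would hash them.
_TOKEN, _SECRET = "s.constructedClientToken1234", "constructed-db-password"
_AUTH = {"client_token": audit_hmac(_TOKEN), "display_name": "github-tearl",
         "policies": ["default", "dev"]}
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2021-09-18T09:00:00Z", "type": "request", "auth": _AUTH,
     "request": {"id": "req-1", "operation": "read", "path": "secret/data/app/db",
                 "remote_address": "10.0.0.5"}},
    {"time": "2021-09-18T09:00:00Z", "type": "response", "auth": _AUTH,
     "request": {"id": "req-1", "operation": "read", "path": "secret/data/app/db"},
     "response": {"data": {"data": {"password": audit_hmac(_SECRET)}}}},
])

def _leaf_strings(node):
    """Yield every string leaf of a parsed JSON entry."""
    if isinstance(node, dict):
        for value in node.values():
            yield from _leaf_strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _leaf_strings(value)
    elif isinstance(node, str):
        yield node

def entries_for_token(log_text: str, token: str, salt: str = DEVICE_SALT) -> list:
    """(type, path) of every entry made with a known token; the token itself never enters the log."""
    wanted = audit_hmac(token, salt)
    return [(e["type"], e["request"]["path"]) for e in map(json.loads, log_text.splitlines())
            if e.get("auth", {}).get("client_token") == wanted]

def paths_returning_value(log_text: str, secret: str, salt: str = DEVICE_SALT) -> list:
    """Request paths whose response body contained a known secret value, e.g. to find which
    reads returned a value that is now suspected to have leaked."""
    wanted = audit_hmac(secret, salt)
    return [e["request"]["path"] for e in map(json.loads, log_text.splitlines())
            if e["type"] == "response" and wanted in _leaf_strings(e.get("response", {}))]
```

Because the comparison is keyed with the device salt, a different audit device (or a rotated salt) produces different hashes for the same value, so always hash against the salt of the device that wrote the log you are searching.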
5. PLUGIN PORTAL
One of the fantastic benefits of Vault is its Plugin Portal, within which you will find a vast array of official, partner and community plugins.
- Official: supported and maintained by HashiCorp, these include auth method, database and secrets engine plugins such as AliCloud, Cassandra and GCP KMS.
- Partner: developed and owned by HashiCorp partners, these include auth method, database and secrets engine plugins such as Exoscale, Aerospike and Venafi.
- Community: developed by community members, with auth methods such as Jenkins and secrets engines such as AWS Cognito.
We have explored just the tip of the iceberg when it comes to what HashiCorp Vault can provide to help you with your secrets management. It is a secure and simple way to house all of your secrets and credentials, and the guides readily available on the portal will navigate you through setting up your own Vault.
HashiCorp Vault is constantly changing and evolving to meet the needs of the customer with periodic and frequent updates. If you are needing to manage secrets and credentials and are not using HashiCorp Vault then you should be asking yourself why not!