Why you should choose HashiCorp Vault to store your secrets
I have an ageing certificate authority that is stored mostly offline on a minimal Debian VM. This provides decent security when the VM is not running; however, there are several risks that have to be considered on the odd occasion when it is running:
- Integrity of my local machine is roughly proportional to the security afforded by the VM, i.e. a compromise of my local machine is the weakest link in the chain of security that protects the VM and the CA within it.
- The VM itself is encrypted and the certificate files are stored within a TrueCrypt container; however, a key-logger can defeat both of these measures.
With these in mind, and with the approaching expiration of my root certificate, I decided to review the options for a certificate authority. Here are the constraints:
- I travel often so lugging around an HSM (Hardware Security Module) is not an option. The way the US appears to have treated travelers recently also is a mark against this.
- Cost — this CA is used for a few projects and its cost needs to be proportionate to the projects' budget.
- Simplicity & ease of use — this is such an important aspect of security. More complexity usually has a negative bearing on the security offered, and if your solution is complex the end result is effectively a denial of service while you update / fix / recover the complex solution.
I brainstormed for about a day and came up with a few options:
- Offline root CA + Intermediate CA on HashiCorp Vault in the Data Centre
- Offline root CA + Intermediate CA on a VM
Why I chose Vault
Initially I thought that the Intermediate CA on a VM was going to offer better security for my risk profile, and then it dawned on me that Vault is designed in such a way that the private key is never able to leave the secure storage (just like a hardware key).
So while it is possible that a loss of a credential or unseal key will allow an attacker to generate certificates and change policies, the greater benefit is that past conversations that could have been captured cannot be decrypted, since the private key can’t leave the vault. Combine that with short-lived certificates and it makes Vault a better option than a local VM.
If that was all Vault offered it wouldn’t have been a clincher — here are several more reasons to choose Vault:
- As far as I am aware Vault is the first general-purpose secret management tool. Keeping secrets is what Vault was specifically designed to do and it does it very well!
- High Availability, HSM integration, open source and commercial editions mean that Vault is here to stay — this is critically important for Certificate Authorities and secret storage.
- Vault is designed to be used with many people / apps / devices storing and retrieving secrets — not many other open source apps do this very well.
- Not only can Vault keep secrets but it can provide encryption-as-a-service — SQL table data encrypted before it even gets to the DB!
- Vault breaks the master encryption key into pieces using Shamir’s secret-sharing scheme — this means the system can enforce the requirement for two people or keys to be present to unlock the Vault. This additional measure can add another layer of security that is crucial for high trust or cryptocurrency transactions.
Keep an eye out for my next post where I will cover the implementation from a technical & security perspective.