Why you should choose Hashicorp Vault to store your secrets

Hilton De Meillon
Aug 30, 2017 · 3 min read

I have an ageing certificate authority that is stored mostly offline on a minimal Debian VM. This provides decent security when the VM is not running however there are several risks that have to be considered on the odd occasion when it is running:

  1. Integrity of my local machine is roughly proportional to the security afforded by the VM, i.e a compromise of my local machine is the weakest link in the chain of security that protects the VM and the CA within it.
  2. The VM itself is encrypted and the certificate files are stored within a Truecrypt container however a key-logger can defeat both of these measures.

With these in mind and the approaching expiration of my root certificate I decided to review the options for a certificate authority. Here are the constraints:

  1. I travel often so lugging around an HSM (Hardware Security Module) is not an option. The way the US appears to have treated travelers recently also is a mark against this.
  2. Cost — this CA is used for a few projects and it’s cost needs to be proportionate to the projects budget
  3. Simplicity & Ease of use— this is such an important aspect of security. More complexity usually has a negative bearing on the security offered and if your solution is complex the end result is effectively a Denial-of-service while you update / fix / recover the complex solution.

I brainstormed for about a day and came up with a few options:

  1. Offline root CA + Intermediate CA on Hashicorp Vault in the Data Centre
  2. Offline root CA + Intermediate CA on a VM

Why I chose Vault

Initially I thought that the Intermediate CA on a VM was going to offer better security for my risk profile and then it dawned on me that Vault is designed in such a way that the private key is never able to leave the secure storage (just like a hardware key).

So while it is possible that a loss of a credential or unseal key will allow an attacker to generate certificates and change policies the greater benefit is that past conversations that could have been captured cannot be decrypted since the private key can’t leave the vault. Combine that with short-lived certificates and it makes Vault a better option than a local VM.

If that was all Vault offered it wouldn’t have been a clincher — here are several more reasons to choose Vault :

  1. As far as I am aware Vault is the first general-purpose secret management tool. Keeping secrets is what Vault was specifically designed to do and it does it very well!
  2. High Availability, HSM integration, open source and commercial editions mean that Vault is here to stay — this is critically important for Certificate Authorities and secret storage.
  3. Vault designed to be used with many people / apps / devices storing and retrieving secrets — not many other open source apps do this very well.
  4. Not only can Vault keep secrets but it can provide encryption-as-a-service — SQL table data encrypted before it even gets to the DB!
  5. Vault breaks the master encryption key into pieces using Shamir’s secret-sharing scheme — this means the system can enforce the requirement for two people or keys to be present to unlock the Vault. This additional measure can add another layer of security that is crucial for high trust or cryptocurrency transactions.

Keep an eye out for my next post where I will cover the the implementation from a technical & security perspective.

Written by

Cybersecurity Consultant

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade