Vault the Key Management Store

Shrek
Sep 2, 2018 · 3 min read

Vault is a secret store, and I didn’t really understand it at first, so here’s a quick article on why you might want to use something like Vault.

What is Vault

Vault is more or less a key-value store built specifically for your secrets. It encrypts the secrets it stores on disk and makes sure that no one can access the underlying storage directly. It exposes an HTTP API that requires you to supply a token in order to have permission to access the secrets. I’ll say more later about how tokens get distributed.

Key Rotation

This is by far the most important reason. If you have keys scattered throughout your systems and one of them accidentally leaks into the wild, revoking it may also revoke a key that your services are still using. This is a fun way to use up your downtime minutes for the year. With Vault, you can simply switch the key inside Vault and then revoke the old key painlessly. This is the power of a centralized key store with one source of truth. Be careful, though, because that same centralization also makes Vault a single point of failure.

Dynamic Keys

Vault also helps with automatic key rotation, which is just good security practice in general. There are integrations with AWS and most SQL databases that rotate credentials automatically. Whether you want to give Vault superuser permissions to create and delete accounts is another story.

The Authentication Problem

Before we go further, we should talk about the push and pull models. One of the biggest issues with implementing Vault in your systems is authentication: we need to figure out how to determine whether a user has access to Vault or not.

Push Model

One way to solve this is to assume that no one has access by default. A coordinator grants access to the services that need it, and there is no way to actually request access. This is the push model: a trusted third party, usually integrated into your CI system, grants services permissions on startup or periodically. This gives tight security, because getting hold of a Vault token is very difficult when you can’t even request one. However, the coordinator is quite difficult to implement, since every service must be able to accept an inbound request in order to receive a Vault token from the coordinator. That is not a simple problem to solve in terms of networking, and it also makes it hard to fetch secrets from Vault from inside simple scripts. Another problem is that the coordinator must have comprehensive permissions in Vault, so it cannot be allowed to be compromised.

Pull Model

The other way to solve the authentication problem is to use third-party integrations to authenticate with Vault. For example, if you are running your service on Kubernetes, Vault can cross-check with the Kubernetes master to confirm that the request really came from one of its pods. These are custom-built integrations with other tools, and this is where Vault shines: it already works with so many tools that you don’t have to build your own integrations.
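Here is what the pull model looks like from the service side, as an added example that is not from the original post: the pod presents its own Kubernetes service-account JWT to Vault’s Kubernetes auth endpoint, receives a short-lived client token, and uses that token to read a versioned KV secret. The role name `app`, the secret path `app/db` and the Vault address are assumptions.

```python
"""Pull-model Vault login from a Kubernetes pod, then a KV v2 secret read.
Added example; role, path and address values are assumed placeholders."""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def read_pod_jwt(path=SA_TOKEN_PATH):
    """The identity the pod already has: Kubernetes mounts this JWT for it."""
    with open(path) as f:
        return f.read().strip()


def build_login_request(role, jwt, addr=VAULT_ADDR):
    """Vault validates the JWT with the Kubernetes API, not the caller."""
    return f"{addr}/v1/auth/kubernetes/login", {"role": role, "jwt": jwt}


def parse_login_response(resp):
    """Return (client token, TTL in seconds, renewable). The TTL tells the
    service when it must log in again rather than keeping a long-lived key."""
    auth = resp["auth"]
    return auth["client_token"], int(auth["lease_duration"]), bool(auth["renewable"])


def build_secret_request(token, path, addr=VAULT_ADDR):
    """KV v2 read; the token travels in the X-Vault-Token header, not the URL."""
    return f"{addr}/v1/secret/data/{path}", {"X-Vault-Token": token}


def parse_secret_response(resp):
    """Return (secret dict, version). Tracking the version lets a service see
    that a key was rotated in Vault before the old version is destroyed."""
    data = resp["data"]
    return data["data"], int(data["metadata"]["version"])


def http_json(url, headers=None, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers or {},
                                 method="POST" if body is not None else "GET")
    with urllib.request.urlopen(req) as r:
        return json.load(r)


def fetch_secret(role, path, jwt, transport=http_json):
    """Full exchange: login with the pod JWT, then read the secret."""
    url, body = build_login_request(role, jwt)
    token, _ttl, _renewable = parse_login_response(transport(url, body=body))
    url, headers = build_secret_request(token, path)
    return parse_secret_response(transport(url, headers=headers))
```

Run inside a pod as `fetch_secret("app", "app/db", read_pod_jwt())`; the `transport` parameter exists so the exchange can be exercised without a live Vault.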
