If you already know HashiCorp Vault and Microsoft Azure well and you have some Terraform experience and would like to jump to the code directly, be my guest :) Here is the GitHub Repo.

Introduction

Applications running inside Azure VMs need access to various secrets. e.g. API keys, database credentials, certificates, cloud credentials etc. Although traditionally secrets are provided manually in application configuration or environment variables, many new cloud applications store these secrets in Azure KeyVault.

There are many advantages of using Azure KeyVault, e.g.

• Secrets are decoupled from the application
• Secrets can be managed and revoked centrally and with APIs
• Secrets are saved more securely and can be accessed programmatically
• Secret sprawl can be avoided
• Access keys can be rotated

Even though Azure KeyVault solves many problems for you, there are still multiple challenges that you need to address to secure your application and automate secret access and retrieval. These are some of the additional challenges you may consider:

• How do you authenticate and provide secrets to applications that don’t use Azure AD?
• How do you integrate legacy applications without code change?
• How do you make your application cloud agnostic?
• How do you rotate database credentials?
• How do you provide credentials in other data-centers and clouds?

In this blog post we will learn how you can use HashiCorp Vault and Vault Agent to dynamically fetch secrets and configure your application inside an Azure VM without any code change using system managed machine identity, Azure auto-auth and templating powered by Vault Agent. Vault ensures tighter security, end to end automation, and avoids credential sprawl.

HashiCorp Vault

HashiCorp Vault is an API-driven, cloud-agnostic, secrets management platform. It allows you to safely store and manage sensitive data in hybrid and multi-cloud environments. You can use Vault to generate dynamic short-lived credentials, and encrypt application data on the fly.

Vault is currently trusted by many established financial institutions and large enterprise organizations across the world. You can learn more about it here.

Vault and Azure Active Directory Identity Management

Today we will focus on Vault’s ability to integrate with Azure Active Directory and managed identities and also use this authentication method to access dynamic short-lived secrets for a MySQL database.

Vault supports a long list of authentication methods apart from Azure Active Directory showcased here and dynamic credentials for a lot many systems and databases apart from the MySQL database used in this blog.

Hence, this workflow and pattern can be applied to multiple environments with different authentication methods, databases, systems and clouds.

Vault Server Installation

Vault can be downloaded here. Even though Vault can easily be started in Dev mode, for today’s exercise I recommend running it as a service in your Azure VM or VM Scale Sets. I used the following script as part of my Terraform code to deploy Vault in an Azure VM. The only thing you need to change where required, is the correct URL for downloading Vault and the Azure credentials.

You can find general Vault installation documentation here.

For production installations please refer to the Vault operations section of the Vault learn website.

Vault Agent

Vault Agent is a client daemon that provides the following features:

• Auto-Auth — Automatically authenticate to Vault and manage the token renewal process for locally-retrieved dynamic secrets.
• Caching — Allows client-side caching of responses containing newly created tokens and responses containing leased secrets generated off of these newly created tokens.
• Templating — Allows rendering of user supplied templates by Vault Agent, using the token generated by the Auto-Auth step.

In our setup we will run the Vault Agent inside an Azure VM, use Azure auto-auth method with managed identities to authenticate, and use templating to configure an application with dynamic secrets.

Setup

Assuming that HashiCorp Vault is already installed, MySQL database and Application VM are already provisioned in your Azure environment, this scenario can be setup as follows:

Vault Setup

1. Enable the database secrets engine.
2. Configure database secrets engine with MySQL credentials.
3. Create a role for the dynamic database credentials with a TTL and user creation statement.
4. Define a policy to allow access to the database credentials.
5. Enable the Azure auth method.
6. Configure the Azure auth method.
7. Create an Azure auth role and assign policy created in step 4 and bind it to your subscription and resource group.

Azure VM Setup

1. Create Vault Agent configuration.
2. Define application configuration template for rendering.
3. Install Vault Agent.

Once both Vault and Vault Agent are setup Vault Agent will automatically fetch the database credentials and render the application configuration based on the template.

Vault Setup

Let’s take a look at the Vault configuration in more detail.

Dynamic Database Credentials for MySQL

1. Enable the database secret engine.
2. Configure it with MySQL details and credentials and associate Vault role definitions.
3. Rotate root password, this ensures no human or machine has seen the root credentials and Vault is managing credential creation for MySQL now.
4. Create roles with creation statement and required TTL.
5. Use Vault read command to test if the setup and connection with MySQL is successful.

Vault ACL Policy

Create a Vault ACL policy that allows access to the MySQL database credentials.

Azure Auth Method Setup

1. Enable Vault Azure auth method.
2. Configure Azure auth method with your service principal Azure credentials.
3. Create a role, associate the policy we create in the previous step to allow access to MySQL database credentials and bind the role to your subscription and resource group.

Azure VM Setup

Let’s take a look at the Azure VM configuration in more detail.

First of all you have to make sure you have configured your Azure VM to use system-assigned managed identities.

Vault binary to run the Agent can be downloaded from here.

Define a template for your application’s configuration, e.g.

Create the Vault Agent configuration with Azure auto_auth method, specifying the Azure auth role that we created earlier, path to the template file and destination path where the file should be saved for the application after it is rendered. It is also possible to provide a sink file to write the Vault token in case the application needs to use the token to make Vault API calls.

Here is some sample code to configure and start Vault Agent as a service :

Once the Vault Agent is successfully configured and started you will see that your application configuration is rendered in the template destination location specified in the Vault Agent configuration.

That’s it. Now Vault will dynamically update your configuration whenever there is a change in the database credentials.

This one-time configuration allows you to avoid sprawl or leakage of credentials and use Azure system-assigned managed identities for authentication.

Vault Agent Templating

As you can see in this example, Vault Agent can be used to render templates with credentials or any kind of secrets including dynamic credentials for systems like databases.

This is a simple yet very powerful tool to help you automate secret retrieval and configure applications in run time without any manual intervention.

Demo

As stated in the beginning of the blog post, if you would like to test or demo this functionality I have created a Terraform project on GitHub. This will build your environment from scratch and will deploy the following:

1. Azure MySQL database
2. Azure VM with Vault Server installation and setup
3. Azure VM with Vault Agent install, setup and a python webapp

Here is the link to the GitHub repository:

https://github.com/kaparora/vault-azure-python-mysql-webapp

Summary

With HashiCorp Vault and Vault Agent you can fully automate the configuration of your applications running inside an Azure VM with dynamic secrets and database credentials using system-assigned managed identities for Azure VMs. This enables you to secure your applications and truly implement DevSecOps.

Automatic Dynamic Secrets Retrieval in Microsoft Azure VMs with HashiCorp Vault was originally published in HashiCorp Solutions Engineering Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

In this post I would like to share some of my notes on “what is health?” as per Ayurveda from an introductory Ayurveda class I attended in Rishikesh, India last year. The information may not be 100% accurate but will give you a good idea and basic understanding.

What is Ayurveda?

Ayu means Life and Veda means Knowledge.

Ayurveda is the knowledge/science of Life. Origins of Ayurveda are found in Samkhya philosophy from ancient India ~700–500 BCE and it focuses on the physical aspects of the human body.

It is a medical science (today called as alternate) which also teaches us about the body, what kind of food we should eat, how can we cope in different environments, etc. e.g. Ayurveda recommends avoiding citrus fruits and dark leafy vegetables in the rainy season.

As per Ayurveda life is a symbiosis of the following:

• Body
• Senses
• Mind, and
• Soul

Definition of health

Ayurveda defines health as follows:

“sama dosha sama agnischa sama dhatu mala kriyaaha| Prasanna atma indriya manaha swastha iti abhidheeyate” — Sushruta Samhita

which means:

Health is when you have balanced biological energies, balanced digestive fire , nourished tissues, regular elimination of urine, sweat and stool, a happy soul, elated senses and a cheerful mind.

There it is, that’s how you define good health. Let me share with you a little bit in more detail from the class.

Doshas

Ayurveda defines 3 doshas or biological energies. They say if you understand these three, you can understand Ayurveda.

Doshas are components which perform physiological functions inside the body.

Vatta:

Represented by space and air elements, vatta is resposible for movements in the body. e.g blood, stool, urine movements

Pitta

Represented by fire and water elements, pitta is responsible for digestion and maintaining the body temperature.

Kapha

Represented by water and earth, kapha is responsible for structure, growth and development of the body.

A healthy person has all these energies in a harmonious balance.

Vatta, pitta and kapha are not anatomically present. These are energies which take shelters in tissues and waste materials and their imbalance can causes physical disorder.

Our teacher explained in detail about these qualities and also told us that everyone has one or the other quality that is more dominant. By finding out the dominant quality you can explain certain behaviors and health conditions. E.g. vatta people cannot tolerate cold and often have cold feet and hands, kapha people can easily skip breakfast and survive on 2 meals, etc.

As per Ayurveda, diseases don’t just show up. They are developed over time due to an imbalance in the doshas.

Also, you can fix problems by compensating for a dosha which is high e.g. Having dry skin is a sign of high pitta which can be solved by applying oil to the skin or adding it to the diet. Oil belongs to the kapha dosha and balances the excess of pitta.

Of course all this goes much deeper and has a lot of theory to learn and understand. But I hope this gives you some idea about the doshas on a very high level.

Dhatu

Ayurveda defines 6 main dhatus or bodily tissues, namely:

1. Plasma / Limph
2. Blood
3. Muscle
4. Bone
5. Bone-marrow
6. Reproductive tissues e.g. semen

On the other side in Modern science we classify tissues into 4 types, namely

1. Nervous (brain, spinal chord, nerves)
2. Muscle (cardiac, smooth and skeletal)
3. Epithelial (Lining of hollow organs and skin)
4. Connective (fat, bone, tendon)

A healthy persons tissues are well nourished.

That was pretty straight forward.

Mala

The food that we intake is divided into 2 main parts

1. Nutrients
2. Stool, urine (and sweat)

Production of blood is the responsibility of bone marrow, spleen and liver. This blood carries nutrients which are distributed to every part of the body by the heart.

What remains after the nutrients are extracted from the food is released by the body in the form of stool and urine.

These wastes must not stay in the body for long periods and must be eliminated regularly.

Essentially the physical body is just formed of the above three that we discussed. Dhatu, doshas and mala. The biological tissues, biological energies and the waste.

Mind

As per Ayurveda our mind has 3 qualities, namely:

Sattva

the quality of pure consciousness, purity.

Rajas

The quality of intelligence and leadership.

Tamas

The quality of ignorance and negativity.

Every mind has all these qualities and we need all of them to function and make decisions.

Increase in sattva does not create imbalance for the mind but an increase in rajas or tamas does.

You might be wondering why would an increase in intelligence be a problem? me too :)

The teacher told us that too much intelligence can create ego and lead to destruction.

Too much increase in tamas is of course not good as it makes you ignorant, lazy and dull and sometimes mental disorders.

Any food we consume can also be classified into sattvic, rajasic and tamasic.

If you eat a lot of tamasic food, you may suffer from lethargy, get tired easily, feel low, dull or depressed etc.. These foods are essentially heavy for the body. e.g. stale food, alcohol, fried food, processed foods etc.

If you eat too much rajasic food, you may feel more energetic, active, dominant etc. These foods are essentially stimulating e.g. spices, coffee, tea, chocolates, chillies, etc.

Sattvic food is light on the body and eating more sattvic food doesn’t create any imbalance as stated earlier. These foods are essentially light for the body. e.g. organic rice, milk, sprouts, fresh vegetables and fruits etc.

People who are on a spiritual path are recommended to be on a sattvic diet.

Note: The examples I have given above may be inaccurate. e.g. I have seen many people say that garlic and alcohol are rajasic.

Conclusion

I think Ayurveda picks up the most important aspects of a healthy human being which not only include physical aspects like healthy and nourished tissues and organs but also mental aspects. It emphasizes greatly on balance and identifying imbalance as the cause of disease. Hence, an approach to fix the imbalance is used instead of fixing the symptoms of the disease.

Ayurveda also claims that food we eat has great effect on our mind and behavior.

Again I would like to state at the end what health is as per Ayurveda:

• Balanced biological energies (sama dosha)
• Balanced digestive fire (sama agni)
• Nourished tissues( sama dhatu )
• Regular elimination of stool, sweat and urine( mala kriyaaha )
• A happy soul( prasanna atma )
• Elated senses( indriya )
• Cheerful mind( manaha )

An asana is what is steady and pleasant. — Yoga Sutras II.46

For anyone who is new to yoga, I have compiled a few important foundational concepts from my own experience. If you have never done yoga and are planning to give it a try, this should help you understand what yoga is all about. This may also be helpful for you, if your only experience is a few yoga classes in a nearby studio or gym.
It is important to understand, that yoga is an enormous field of study and we are focussing mainly on the physical aspect, which we call the Asana practice. A yoga practice even if it is just the Asana practice is never merely a physical exercise. It is a lot more, and realizing this may take some time for you, which is totally fine.
The greatest thing about yoga is that it is inclusive. Yoga is for everyone and yoga has a lot to offer. It doesn’t matter if you are young or old, under or overweight, fair or dark, small or big, mentally or physically challenged, gay or straight, poor or rich, absolutely anybody can adopt yoga in their life.

Breathing

No Breath, No Life.

Breathing is the most important part of a yoga practice and apparently Life as well. Breath is equivalent to ‘prana’, the life energy. So the first thing you need to learn is how to breathe. Every movement that we do in yoga is combined with an inhale or exhale.

The most basic thing to learn and also very difficult to master is to align breath with movement.

For a beginner I would suggest spending time on focussing on your breathing. Make it a habit to bring your attention back to breathing in your day to day life. e.g. take a few deep breaths often during your work hours. Make it a habit to observe the quality of your breathing while brushing, cooking, before sleep, while watching TV etc. as often as you can. Make sure you always breathe through your nose.
During your own yoga practice, start with deep breathing and focus on it. Bring your attention back if you lose it. Starting with movements where you can easily align with breathing also helps and sets you up for the session.

Tight Muscles

If you have a desk job like me and and you are not a dancer or a gymnast, it is very likely that you have tight muscles, specially the hamstrings, shoulders, neck and also a bunch of muscles in the hip region.
Even if you are very active and do regular weight training or cardiovascular exercises you may face this tightness in the muscles. Unless, you spend some time stretching your muscles. The modern fitness routines focus on strengthening the muscles with repeated compression but many times they ignore that stretching and extending the muscles is equally important.

First of all, recognize that you have tight muscles and start working on them. It takes time to build muscle flexibility and I am talking about months and years. You will need patience.
The good part is, that doing regular yoga practice will help you build this flexibility and slowly open up your hips, shoulders, neck and hamstring muscles.

If you feel restricted in certain asanas like forward bending or twisting positions, don’t force yourself.
Accept your body and touch your boundaries every day. Slowly you will make it.

Anatomy

We are all made different.

Some of us are more flexible than others. Some have longer or shorter legs, some have a long neck, some have short arms, some have uneven limbs, some have scoliosis, some have different bone structure and the list is long. The point I want to make is that many times due to different bone structures or body types you may not be able to do things the same way as most people. This should not put you down.

Yoga is not about coming in a perfect position which is aesthetically appealing. It is a journey where you learn more about yourself and your body.

Focus on the essence of the Asana rather than coming into an elegant perfect position. It is ok to bend your knees in Downward facing dog as an example, as long as you are trying to make one straight line from your hands to your hips.

The Spine and Core

The Spine is one of the most important part of our body.

A healthy strong and flexible spine is more important than anything that you might be aiming today as your health goal.

Core is the center of strength in the body. In yoga, we focus on our core and derive strength from it for most asanas.

Working on both the spine and core can help you fix your posture and body alignment.
Moreover, most advanced yoga positions can be more easily performed if you have a strong core and a flexible spine.

As a beginner it is important to understand this fundamental and spend a lot of time on building core strength and spinal flexibility before you start trying advanced yoga positions.

Also, stop leaning on your desk.

Inner practice

Guided by a teacher in a group, a YouTube video or a personal practice alone, it doesn’t matter. Yoga is an internal practice. The teacher is a voice, a guide for you but the journey is your own. When you are practicing yoga try to be present. Your thoughts will wander, but bring them back. Use your breath, focus on it.

Breath is your ultimate guide and source of all your energy and strength.

Surrender

This may not apply to you or maybe it does to everyone.

“Surrender yourself. Let go”.

Many of you may not understand this, but I will still try to explain it.

Let’s do a small exercise:
Right now, at this very moment, observe your shoulders, your neck, your eyes, your face and maybe slowly your entire body.
Are you straining any muscles that you don’t really need to? Were you aware you are engaging these muscles?

Let go, release those muscles.

In your yoga practice, if you observe, you will also see that many times you are engaging muscles that you really don’t need to and good teachers always guide you to release them. Take the opportunity in resting positions like child’s pose and Shavasana(Corpse pose) to really let go and release all tension. Try to slowly develop this feeling of surrender. This not only applies to your muscles but your mind.
Yoga will slowly teach you to release and let go your emotions, feelings and thoughts that you are holding on to for no reason.

Yoga will teach you to live in the present.

Pain

Ideally there should never be any pain during your yoga practice. I think we all can differentiate pain from discomfort and sore muscles.

In your practice, if at anytime you feel pain, come out of the position.

I hope this will help you build a better yoga practice for yourself.
All the best in your yoga journey.

Namaste 🙏

The Beginning

I took my first real Yoga class (by Jasmin at Body + Soul) in May this year. Thanks to my partner, who inspired me to try it out. To be honest, it was not the right choice as the language of instruction was German and it was a Jivamukti medium/advanced class. Even though the conditions were not optimal for a beginner, it did give me a taste of it. Soon after, I took a few English classes (by Jodie and Daisy at Roni’s yoga studio) and started enjoying them so much that I started skipping my functional training classes to do Yoga. Today, it has come to it that I only do Yoga as a fitness activity (Not saying that this is the right choice though 😊).

Taking a few Yoga sessions in a studio nearby was enough to get me started and interested. I wanted to learn more and I did ask myself “why didn’t I do this earlier?”.

The Key Elements

There was something about Yoga that pulled me towards it. I came back happy and energized from my classes and went back for more. It made me feel more connected to myself and others. I felt there is a dimension of my existence that I have been totally ignoring until today.

Working together with breathing, focus, balance and strength can do wonders for your mind and body.

In the class you not only work with your body but also with your inner strength.

Yoga works not only on your body, but your mind and if you go deeper, your soul.

I started believing, Yoga can change my life.

The Challenge

Yoga can be challenging especially if you start with drop-in classes, when you don’t even know the name of the Asanas (Postures). There are a lot of basics, theory and technical details to know and learn. Detailed instructions from a good teacher are nice but still not enough to practice and do well in my opinion.

I struggled and I was also not sure if I am doing things correctly.

I started watching yotube videos from Tim Senesi(Recomended!!) and also started referring to ‘Light on Yoga by BKS Iyengar’ for information on postures and alignment. Soon I realized that there is so much to learn and I have not even scratched the surface.

I can say without any doubt that in the beginning, most of my basic postures were not even close to how they should be. I was not breathing correctly or let’s say, I didn’t know how to breath. I was not standing correctly and I was not engaging the right muscles. I didn’t even know what it really means to engage the core.

Lucky trip to Bali

I traveled to Bali in the mid of June and luckily attended a yoga class (by Raldo at Yoga Saraswati in Ubud. I really enjoyed his class and after chatting with him I discovered that he recently completed his yoga training in Rishikesh.

I think it was June 21, International yoga day when I first started to think about doing the yoga teacher training myself.

Hungry to learn

After my vacation in Bali I was hungry to learn more, and attending a drop-in session 2–3 times a week was not enough to make any real progress. I was always unsure of what I was doing in the class (and rightly so). I convinced myself that I need a push, an intensive training, to really get started. The idea of going to a school and learning all about yoga, all day, was a very attractive idea to me and I started looking at my options.

Yoga Teacher training in Rishikesh

Looking for a yoga teacher training online is a difficult task. There are hundreds of schools in Rishikesh and they all claim to be the best HAHA! . I eventually decided to go to the same school as Raldo to be on the safe side. Thanks to my teammates and my Manager to approve my 5 weeks vacation, I spent the whole of August learning yoga in India at Rishikesh YTTC.

I am Grateful

I learned a lot in Rishikesh and I will write soon about my experience there.

Hailing from the yoga motherland, I wish I got real yoga training in my childhood. I believe yoga is more important than a lot of subjects that I studied in my school.

I am grateful to all the yoga teachers and ambassadors for spreading yoga to each and every corner of this World.

“The tree is still spreading. The winds of yoga are blowing everywhere.” -B.K.S Iyengar

Introduction

Organizations store sensitive, personal and valuable data, which must be protected. Leakage of such data can lead to financial loss, reputation risk, legal ramifications and more.

Moreover, organizations must comply with data protection standards and regulations like the PCI DSS, GDPR, HIPAA, etc.

In this blog you will learn what measures organizations take to protect their data, how they implement them, understand their challenges and find out how HashiCorp Vault helps organizations solve these challenges.

Data Protection Measures and Implementation

Encryption at Rest

Transparent Data Encryption (TDE) and Full Disk Encryption (FDE)

Most organizations implement some sort of encryption at rest. Information is encrypted at the block level in the filesystem or physical storage medium. This type of encryption does protect you from physical theft but does not protect you if access to a database or database host is compromised, as an example.

Encryption in Transit

Information is encrypted in-flight and decrypted by software when required. Information is persisted in an encrypted manner. This type of encryption works well against threats such as SQL injection. Even if the data is compromised, it is encrypted and not useful.

Tokenization

Ultra-sensitive information, such as credit card numbers are commonly protected using tokenization where sensitive data is substituted by non-sensitive data called the token.

Format Preserving Encryption & Data Masking

Information is obfuscated in such a way that it is compliant with data constraints in systems of record and decoded as needed.

Data masking is another way to obfuscate information. In this case though, the data is masked and cannot be decoded once it’s encoded.

Hardware Security Module (HSM)

Many organizations use FIPS 140–2-certified Hardware Security Modules or HSMs to ensure that critical security parameters are protected in a compliant manner.

Data Protection Challenges

Data in most applications must be encrypted, but deploying cryptography and key management infrastructure is expensive, hard to develop against, and not cloud or multi data-center friendly.

Increasing Costs

Procuring and deploying new key management infrastructure, HSMs and support can be expensive.

Vault can help reduce hardware costs related to multiple key management infrastructure solutions, HSMs, licensing and support.

Reduced Productivity

With multiple workflows/APIs to learn cryptographic standards across an organization and different projects and restricted access to HSMs.

With Vault, you can create consistent workflows and cryptographic standards across your organization.

Increasing Risk

With multiple attack surfaces to intercept and steal sensitive data.

Vault enables you to encrypt sensitive data using centrally managed, audited and secured encryption keys. But more importantly all of this can be achieved through a single workflow and APIs.

Data Protection Perspectives

We have different personas and decision makers responsible for data protection rollout and implementation in every organization and they all have different goals and expectations.

CISO and the security teams

A CISO and the security teams must ensure that the organization and the applications are compliant and audited. They are responsible for security after all and hence, they want to reduce risk by having more control and transparency.

CTO and IT Managers

The CTO and IT Managers are more focused on the cost and productivity of the implementation. They must ensure that they use and build standards and those are consistent across the organization. They are also responsible for time to market. Hence, it is also in their interest to enable their developers by offering them the right tools and processes.

Developers

Developers love and expect APIs, ease of use and simplicity.

Vault and Data Protection

Encryption as a Service

Vault’s transit secrets engine provides Encryption as a Service (EaaS). Vault manages the keys, but the client decides where to store the encrypted data. Applications use Vault APIs to encrypt and decrypt values.

Here is some sample code to enable and use the transit secret engine:

Format-Preserving Encryption

Vault’s transform secrets engine provides AES FF3–1 Format-Preserving Encryption (FPE). Vault manages keys and the client decides format & storage for data. Applications can encode and decode values using the Vault API.

Here is some sample code to enable and use the transform secret engine with FPE:

Data Masking

The Transform secrets engine provides Data Masking. Vault basically searches and replaces PII data that you pattern match for (Credit Card, SSN, Passport, etc). Applications can encode or mask the values using the Vault API. Decoding is not possible with data masking.

Here is some sample code to enable and use the Transform secret engine with data masking:

KMIP and HSM Integration

You can also use Vault with traditional application and storage systems using KMIP and integrate with HSMs to maintain compliance.

KMIP

Vault supports Key Management Interoperability Protocol and can present itself as a KMIP Server to systems e.g. NetApp, VMware, MySQL etc.

HSM

Vault supports integration with any HSM that supports PKCS #11.

Multi-tenancy

Vault offers namespaces and can also instantiate multiple KMIP Servers.

Full Disk Encryption (FDE)

Storage systems that support the KMIP protocol can retrieve keys stored in Vault and serve them to encrypted disk for access.

Transparent Data Encryption (TDE)

KMIP capable database applications can retrieve keys stored in Vault and serve them encrypted data.

NetApp & VMware

If you are interested in the integration with NetApp or VMware, checkout these blog posts:

1. HashiCorp Vault as an External Key Manager for NetApp Encryption
2. Securing VMWare Data: A HashiCorp Vault KMIP Story

Summary

1. Vault provides the foundation for cloud security.
2. Vault offers advanced data protection features like EaaS, FPE & Data-masking along with KMIP & HSM integration.
3. Vault increases agility for deploying new and isolated cryptography and at the same time reduces cost and risk.

Advanced Data Protection with HashiCorp Vault was originally published in HashiCorp Solutions Engineering Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

Introduction

All traditional solutions for a KMIP based external key manager are either hardware-based, costly, inflexible, or not scalable. HashiCorp’s Vault Enterprise on the other hand can be used as a flexible, very cost-effective, and scalable external key manager solution. It is certified by NetApp, supports the OASIS KMIP protocol, and integrates with any PKCS #11 compliant HSM.

NetApp Encryption

NetApp offers state of the art secure data management, file-shares, backup, recovery, replication and disaster recovery solutions to a large number of enterprises all around the globe. The NetApp ONTAP system, which is one of the most popular storage operating system in the world, offers FIPS compliant encryption technology that also supports the OASIS KMIP protocol.

NetApp Storage Encryption (NSE) is NetApp’s implementation of Full Disk Encryption while NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE) are software-based, data-at-rest encryption solutions, available in NetApp ONTAP based systems. Although NetApp does offer an onboard key manager, most enterprises must use an external key manager for compliance reasons as the keys must be stored outside of the storage system.

Vault as an External Key Manager for NetApp

HashiCorp Vault is the de-facto standard for managing secrets in multi-cloud and hybrid enterprise environments. It is a simple, modern, scalable and highly automatable solution for management of all kinds of sensitive and secret data including passwords, keys, certificates, and encryption keys. One of the latest enterprise capabilities of Vault is a KMIP Secrets Engine which is the best solution for external key manager requirements for enterprise storage systems like NetApp ONTAP. Moreover, Vault can be integrated with an HSM for master key wrapping and auto unsealing.

Note: the KMIP and HSM features are Vault Enterprise features.

Certified: Vault is validated, supported and certified for use by NetApp. Vault complies with the OASIS KMIP standard.

Secure Multi-tenancy: Isolate different tenant environments for security and compliance. Different teams and departments can work independently of each other and have access to only their own keys and systems.

HSM Support: Vault supports integration with any HSM that supports PKCS #11. Most hardware-based KMIP Servers only support specific HSMs.

Flexibility: Most key managers are hardware devices and difficult to procure, manage and maintain. Vault gives you more flexibility as it is distributed as a binary and can be deployed on multiple Platforms.

Cost and Efficiency: One deployment of Vault can create multiple independent KMIP servers. Save time and cost as you don’t need to buy and manage hardware devices for each department.

Management: Vault is easy to manage and use, as it offers Web UI, CLI, and HTTP API interfaces.

High Availability: Built-in High Availability using Consul as the storage back-end. Using Consul also provides automated registration, tagging, and health checks for Vault services within Consul.

Disaster Recovery: Built-in multi-datacenter replication for horizontal scalability and disaster recovery use-cases.

Audit Logging: With Vault’s audit log, monitoring secret access across multiple environments and clouds is easy and automated.

Future-proof: Vault comes power packed with multiple integrations like AWS, Azure, GCP, Kubernetes, Databases, and more. One Central service for secret and certificate management, cryptographic and advanced data protection needs.

Deployment

Vault is deployed in a High Availability configuration on physical/virtualized cloud/on-premise environments. In an Enterprise setup, Vault uses Consul as a Storage Backend. Apart from Storage, Consul also offers automated registration, tagging and health checks for Vault services. One Vault instance acts as the Active server while the rest run as Performance Standbys in this enterprise setup. A Load Balancer is used to distribute traffic among the Vault nodes. In the case of integration with NetApp, Vault acts as one or more independent KMIP Servers. NetApp systems talk to Vault using the KMIP protocol.

A KMIP server can be set up on Vault in 3 steps as shown below:

1. Enable and configure the KMIP secrets engine

$ vault secrets enable kmip
$ vault write kmip/config listen_addrs=0.0.0.0:5696

2. Configure KMIP scope, permissions, to be used by the NetApp system

$ vault write -f kmip/scope/scope1
$ vault write kmip/scope/scope1/role/role1 operation_all=true

3. Generate a Certificate for authentication against KMIP server

$ vault write -f -field=certificate \
   kmip/scope/scope1/role/role1/credential/generate > kmip-cert.pem  

$ cat kmip-cert.pem

That’s it! Once KMIP is enabled and setup you can continue the setup on the NetApp system.

Note: all NetApp sample commands below are based on ONTAP version 9.6. For other versions and detailed information click here)

1. Installing certificates on the NetApp system

Install the SSL KMIP client certificates for the cluster:

cluster1::> security certificate install -vserver cluster1 -type client -subtype kmip-cert

You are prompted to enter the SSL KMIP public and private certificates.

Install the SSL public certificate for the root certificate authority (CA) of the KMIP server:

cluster1::> security certificate install -vserver cluster1 -type server-ca -subtype kmip-cert

2. Configure key manager connectivity on the NetApp System

Use A, B, or C below depending on your encryption requirements.

A. Enable external key manager for hardware based encryption:

clusterl::> security key-manager external enable -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert

B. Enable external key manager for cluster-wide software based encryption:

clusterl::> security key-manager external enable -vserver cluster1 -key-servers ks1.local:15696,10.0.0.10,[fd20:8b1e:b255:814e:32bd:f35c:832c:5a09]:1234 -client-cert AdminVserverClientCert -server-ca-certs AdminVserverServerCaCert

C. Enable external key manager for SVM scoped software based encryption:

svm1l::> security key-manager external enable -vserver svm1 -key-servers keyserver.svm1.com -client-cert SVM1ClientCert -server-ca-certs SVM1ServerCaCert

Verify that all configured KMIP servers are connected

>security key-manager external show-status

Enabling encryption on aggregates and volumes

1. Create an aggregate with encryption enabled, NAE:

>storage aggregate create -aggregate aggregate_name -node node_name -encrypt-with-aggr-key true

Volumes created on NAE enabled aggregates will be encrypted by default:

>volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name

2. Create a volume with encryption enabled, NVE:

>volume create -vserver SVM_name -volume volume_name -aggregate aggregate_name -encrypt true

HSM integration

Vault can be integrated with an HSM device (with PKCS #11 support) if required for master key wrapping and Vault unsealing. More details can be found here.

Summary

When using HashiCorp Vault Enterprise as an external key manager for NetApp Encryption, organizations can save money, time, and resources. Vault is fully software-based and scalable and offers multiple integrations including for public clouds. It offers great automation capabilities which reduce risks.

Resources and links

1. NetApp Storage Encryption
2. NetApp Volume Encryption and NetApp Aggregate Encryption
3. HashiCorp Vault landing page
4. Vault KMIP secrets engine
5. Vault and HSM Integration
6. Vault Reference Architecture
7. Vault Enterprise Offerings and OSS Comparison
8. White-paper on Unlocking the Cloud Operating Model: Security
9. NetApp ONTAP External Key Manager Configuration Guide

HashiCorp Vault as an External Key Manager for NetApp Encryption was originally published in HashiCorp Solutions Engineering Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.