Simple Introduction to HashiCorp Vault


Need for Vault.

When an application or infrastructure architecture is made of many services, applications and tools, every connection between them has to be authenticated. That means API keys, passwords, certificates, signing keys or some other form of credential, and all of those need to be protected. But where do you store these secrets? How do you manage their storage, auditing, rotation and revocation? This is the problem Vault solves: it centralises secret management and adds the lifecycle features around it. This article gives a simple introduction to HashiCorp Vault.

What is Vault?

Vault is a software tool for securely storing and accessing secrets such as passwords, API tokens, certificates and signing keys from a centralised server. A typical vault should offer data encryption, secret storage, leasing, renewal, revocation and on-demand secrets. HashiCorp Vault is one such tool that provides all of these fundamental features along with further security features. In this article we discuss what HashiCorp Vault is and how its architecture is put together.

Basic Features of Vault.

As discussed in the introduction, a typical vault should have the following features to meet modern security standards.

  • Data Encryption – Vault encrypts every secret before it is written to persistent storage and decrypts it on read, so the storage layer never sees plaintext. The security team controls how the data is protected at rest (for example, how the encryption key itself is sealed), and Vault can also encrypt and decrypt data on behalf of applications so that they never have to handle keys themselves.
  • Secret Storage – Vault should support several kinds of secrets: static key/value pairs, cryptographic keys, and dynamically generated credentials. By default, Vault encrypts all of this data before it writes it to the storage backend.
  • Leasing and Renewal – Every secret handed out by Vault is bound to a lease with a time-to-live. Vault tracks the lease and revokes the secret when it expires, or earlier if the security team or the owning user revokes it; clients that still need the secret renew the lease before it runs out.
  • On-Demand Secrets – On-demand secrets are also called dynamic secrets. Once a backing system (a database, a cloud account, an SSH host) is integrated with Vault, Vault creates a fresh, short-lived credential each time a client asks for one instead of handing out a shared long-lived password. The credential is tied to a lease, and when that lease expires or is revoked, Vault removes the credential from the backing system.
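The leasing, renewal, revocation and dynamic-secret behaviour described in the list above, modelled as a small in-memory engine. This is an added illustration, not Vault's own code: the class name, the lease-id format and the simulated backend accounts are assumptions chosen to mirror how a database secret engine behaves (one fresh credential per request, renewals capped by a maximum TTL, expired leases swept and their credentials deleted).

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Lease:
    lease_id: str
    username: str
    password: str
    issued_at: float
    expires_at: float
    max_expires_at: float   # hard ceiling: no renewal may push expiry past this


class ToyDynamicSecretEngine:
    """Toy model (assumed, not Vault's implementation) of a dynamic-secrets engine.

    Every read mints a new credential bound to a lease. The clock is injectable so
    lease expiry can be exercised without waiting.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 default_ttl: float = 3600, max_ttl: float = 86400):
        self._clock = clock
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self._leases: Dict[str, Lease] = {}
        # Stands in for the accounts that really exist in the backing database.
        self._backend_accounts: Dict[str, str] = {}

    def issue(self, role: str) -> Lease:
        """Create a fresh credential for `role` and attach it to a new lease."""
        now = self._clock()
        username = f"v-{role}-{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        self._backend_accounts[username] = password      # "CREATE USER" in the backend
        lease = Lease(
            lease_id=f"database/creds/{role}/{secrets.token_hex(12)}",  # assumed format
            username=username,
            password=password,
            issued_at=now,
            expires_at=now + self.default_ttl,
            max_expires_at=now + self.max_ttl,
        )
        self._leases[lease.lease_id] = lease
        return lease

    def renew(self, lease_id: str, increment: float) -> float:
        """Extend a live lease. Returns the TTL actually granted, which may be less
        than requested because the max TTL counts from the original issue time."""
        now = self._clock()
        lease = self._leases.get(lease_id)
        if lease is None or now >= lease.expires_at:
            raise LookupError("lease unknown or expired; request a new credential")
        lease.expires_at = min(now + increment, lease.max_expires_at)
        return lease.expires_at - now

    def revoke(self, lease_id: str) -> bool:
        """Revoke a lease early and delete its credential from the backend."""
        lease = self._leases.pop(lease_id, None)
        if lease is None:
            return False
        self._backend_accounts.pop(lease.username, None)  # "DROP USER" in the backend
        return True

    def tidy(self) -> int:
        """Sweep expired leases the way Vault's expiration manager would; returns count."""
        now = self._clock()
        expired = [lid for lid, l in self._leases.items() if now >= l.expires_at]
        for lid in expired:
            self.revoke(lid)
        return len(expired)

    def credential_is_live(self, username: str) -> bool:
        return username in self._backend_accounts


if __name__ == "__main__":
    clock = [0.0]
    engine = ToyDynamicSecretEngine(clock=lambda: clock[0], default_ttl=3600, max_ttl=7200)
    lease = engine.issue("readonly")
    print("issued", lease.username, "ttl", lease.expires_at - lease.issued_at)
    clock[0] = 5000
    print("renewal granted", engine.renew(lease.lease_id, 3600), "s (capped by max_ttl)")
    clock[0] = 7200
    print("expired leases swept:", engine.tidy(), "credential live:",
          engine.credential_is_live(lease.username))
```

The point to notice is that `renew` never grants more than `max_expires_at` allows, and that once `tidy` runs the credential is gone from the backend too, so a leaked database password has a bounded lifetime even if nobody revokes it by hand.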

Basic Architecture of Vault

Basically, there are three main blocks in the Vault Architecture,

  • Storage Backend
  • HTTP API Servers
  • Core Secret Engine Services.
[Figure: HashiCorp Vault Architecture]

The Storage Backend holds Vault's encrypted data. It is chosen in the server configuration when the Vault server is started, and because everything written to it is already encrypted, Vault treats it as untrusted. The HTTP API Server is the only way in: clients (the CLI, SDKs, applications) talk to it, and it hands requests to the core components such as the Audit System, the Secret Engines, and the Auth and Token System.

Core Secret Engine Services are the units that make Vault functional, mainly the Audit System, the Secret Engines, and the Auth and Token System.

The Audit System manages the audit logs, which record every request made to Vault and every response it returns, so that access to secrets can be traced afterwards.

The Auth and Token System authenticates the users and applications that talk to Vault (for example with a username and password, an AppRole, a Kubernetes service account or a cloud IAM identity) and issues a token on success. The token works much like a browser session cookie: it identifies the caller on every subsequent request, carries the policies that decide what the caller may do, and has its own time-to-live after which it must be renewed or re-obtained.

Secret Engines manage the secrets themselves: how they are stored or generated, the policy that governs access to them, and their leasing, renewal and revocation. Put simply, the Secret Engines are the core of Vault.

The Barrier is the shield gate of Vault. All of the core components sit inside the Barrier; only the HTTP API Server and the Storage Backend are outside it. The Barrier ensures that nothing leaves the trusted core in plaintext: every byte written to the Storage Backend is encrypted, and it can only be decrypted once the Barrier has been opened with the right key.

When Vault is initialised it generates an encryption key that protects all data written to the storage backend. That encryption key is itself encrypted with a master key (newer Vault documentation calls it the root key). By default the master key is not stored anywhere: it is split into 5 key shares using Shamir's Secret Sharing, and any 3 of those shares are enough to reconstruct it (both numbers can be changed at initialisation time with -key-shares and -key-threshold). Until the threshold number of shares has been supplied, Vault is sealed: it knows where its data is but cannot decrypt it. Supplying the shares, rebuilding the master key and decrypting the encryption key is called unsealing; sealing is the reverse, where Vault discards the keys from memory. The key shares should be held by different people so that no single person can unseal Vault alone. Shamir splitting is not mandatory: Vault can be configured for auto-unseal, where the master key is protected by an external KMS or HSM instead of operator-held shares, and in dev mode a single in-memory key is used.

Conclusion

In this article we have given a simple introduction to HashiCorp Vault with an architecture diagram and explanations. HashiCorp Vault can be installed as a server and hosted on your own premises, so that secrets never leave your control. In the next article we will discuss how to install and configure HashiCorp Vault on various operating systems, followed by some case studies on using Vault in a project. Stay tuned and subscribe to DigitalVarys for more articles and study materials on DevOps, Agile, DevSecOps, and App Development.
