How to Use Vault secure storage passwords and API keys

Source: Internet
Author: User
Tags install go


Vault is a tool for securely accessing secrets. It can store information such as passwords, API keys, and certificates, and it provides a single unified interface to all of them, backed by a robust access control mechanism and detailed audit logs.

Granting access to secrets is hard, especially when many roles and users each need different secrets: database logins with different permissions, API keys for external services, certificates for service-to-service communication, and so on. When those secrets are spread across different platforms and custom configurations, the situation gets worse, and keeping and managing audit logs securely becomes almost impossible. Vault provides a solution for this complex situation.


Highlights

Data Encryption: Vault can encrypt and decrypt data without storing it. Developers can protect data without building their own encryption, while the security team retains control over the security parameters.

Secure Secret Storage: Vault encrypts secrets (API keys, passwords, and certificates) before writing them to persistent storage. The stored data is therefore useless to anyone who happens to obtain it, unless they can also decrypt it.

Dynamic Secrets: Vault can generate credentials on demand for systems such as AWS and SQL databases. For example, if an application needs to access an AWS S3 bucket and requests an AWS key pair from Vault, Vault provides a credential that is valid for a lease period. Once the lease period expires, the credential is no longer retained.

Lease and renewal: Every secret Vault hands out carries a lease. When the lease expires, Vault immediately revokes the secret. If the application still needs it, the lease can be renewed through the API.

Revocation: Before the lease expires, Vault can revoke a single secret or an entire tree of secrets.
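The three lease features above (dynamic credentials with a TTL, renewal capped by a maximum TTL, and revocation of one secret or a whole tree) are easier to reason about in code. The following is an added toy model written for this article, not Vault's own implementation: the lease paths, the generated username/password fields and the clock values are constructed placeholders, and the real backends would create and delete the credential in AWS or the database.

```python
"""Toy model of Vault's lease lifecycle: dynamic credentials that expire, are
renewable up to a maximum TTL, and can be revoked one at a time or as a whole
tree by path prefix. Added illustration, not Vault's own code; the paths and
the generated credential fields are constructed placeholders."""
from dataclasses import dataclass
from typing import Dict, Optional
import secrets


@dataclass
class Lease:
    lease_id: str
    credential: dict
    expires_at: float   # absolute time after which the credential is no longer served
    max_expiry: float   # hard cap: renewals can never push expires_at past this
    revoked: bool = False


class LeaseManager:
    def __init__(self, default_ttl: float, max_ttl: float):
        self.leases: Dict[str, Lease] = {}
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl

    def issue(self, path: str, now: float, ttl: Optional[float] = None):
        """Generate a fresh credential under a new lease (like reading aws/creds/<role>)."""
        ttl = min(ttl if ttl is not None else self.default_ttl, self.max_ttl)
        lease_id = f"{path}/{secrets.token_hex(8)}"
        # Constructed placeholder credential; a real backend would create it in AWS or the DB.
        credential = {"username": f"v-{secrets.token_hex(4)}",
                      "password": secrets.token_urlsafe(24)}
        self.leases[lease_id] = Lease(lease_id, credential, now + ttl, now + self.max_ttl)
        return lease_id, credential

    def lookup(self, lease_id: str, now: float):
        """Return the credential only while its lease is live."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked or now >= lease.expires_at:
            return None
        return lease.credential

    def renew(self, lease_id: str, increment: float, now: float) -> float:
        """Extend a live lease; returns the TTL actually granted (capped by max TTL)."""
        lease = self.leases.get(lease_id)
        if lease is None or lease.revoked or now >= lease.expires_at:
            raise ValueError("lease is expired or revoked and cannot be renewed")
        lease.expires_at = min(now + increment, lease.max_expiry)
        return lease.expires_at - now

    def revoke(self, lease_id: str) -> None:
        """Revoke a single secret before its lease expires."""
        self.leases[lease_id].revoked = True

    def revoke_prefix(self, prefix: str) -> int:
        """Revoke a whole secret tree; returns how many live leases were revoked."""
        count = 0
        for lease in self.leases.values():
            if lease.lease_id.startswith(prefix) and not lease.revoked:
                lease.revoked = True
                count += 1
        return count

    def expire(self, now: float) -> int:
        """Housekeeping pass: revoke every lease whose TTL has run out."""
        count = 0
        for lease in self.leases.values():
            if not lease.revoked and now >= lease.expires_at:
                lease.revoked = True
                count += 1
        return count
```

The point to notice is in renew: a client can ask for any increment, but the granted TTL is clamped to the lease's maximum expiry, so a credential cannot be kept alive indefinitely by repeated renewals; and revoke_prefix is what makes "revoke the whole tree" a single operation rather than a hunt through individual lease ids.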


Install Vault

There are two ways to install Vault.

1. A pre-compiled Vault binary is available for all Linux distributions. Download the binary, unpack it, and place it somewhere on your system PATH so it can be invoked conveniently.

  • Download pre-compiled binary Vault (32-bit)
  • Download pre-compiled binary Vault (64-bit)
  • Download pre-compiled binary Vault (ARM)

Download the pre-compiled Vault binary for your architecture.

Unpack the archive and place the binary in your local bin directory.

Congratulations! You can use Vault now.

2. Compiling from source is the other way to install Vault. Install Go and Git before building Vault.

Install Go on a Red Hat system with the following command:

    sudo yum install go

Install Go on a Debian system with the following command:

    sudo apt-get install golang

Or

    sudo add-apt-repository ppa:gophers/go
    sudo apt-get update
    sudo apt-get install golang-stable

Install Git on a Red Hat system with the following command:

    sudo yum install git

Install Git on a Debian system with the following command:

    sudo apt-get install git

Once both Go and Git are installed, we can compile and install Vault from source.

Clone the following Vault repository into your GOPATH:

    https://github.com/hashicorp/vault

Check that the following file exists. If it does not, Vault was not cloned to the proper path:

    $GOPATH/src/github.com/hashicorp/vault/main.go

Run the following command to compile Vault and place the binary in the bin directory:

    make dev


A Vault getting started tutorial

What follows is the official interactive Vault tutorial, run over SSH and compiled here together with its output.

Overview

This tutorial includes the following steps:

  • Initialize and unseal your Vault
  • Authorize your request in Vault
  • Read/write secret information
  • Seal your Vault


Initialize your Vault

First, we need to initialize a Vault instance. The Vault seal can be configured during initialization. For simplicity, initialize Vault with a single unseal key:

    vault init -key-shares=1 -key-threshold=1

You will notice that Vault outputs several keys here. Do not clear your terminal. These keys will be used in subsequent steps.


Unseal your Vault

When a Vault server is started, it is sealed. In this state, Vault knows where the physical storage is and how to access it, but does not know how to decrypt it. Vault encrypts data with an encryption key; that key is itself encrypted by the master key, which is never stored. Decrypting the master key requires the unseal key(s). In this example, a single unseal key decrypts the master key:

    vault unseal <key 1>


Authorize your request

Before performing any operations, the connected client must authenticate. Authentication checks that a person or machine really has the identity it claims; that identity is then attached to every request sent to Vault. For simplicity, we will use the root token generated in step 2, which you can find by scrolling back in your terminal. Authenticate with the client token:

    vault auth <root token>


Read/write confidential information

Now that Vault is set up, we can read and write secrets in the secret backend mounted by default. A secret written to Vault is encrypted first and only then written to backend storage. The storage backend never sees unencrypted data and has no way to decrypt it without Vault.

    vault write secret/hello value=world

Of course, you can read the secret back:

    vault read secret/hello


Seal your Vault

There is also an API (and a CLI command) to seal the Vault. Sealing discards the in-memory encryption key, and another unseal process is required to restore access. Sealing requires only a single operator with root privileges; it is typically part of a rare "break glass" process.

In this way, if an intrusion is detected, the Vault data is locked immediately to minimize the damage. Without access to the unseal key shares, the data cannot be read again.

    vault seal

This is the end of the Getting Started tutorial.
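To make the seal model from the unseal and seal steps concrete (the master key that is never stored, split into key shares by -key-shares and -key-threshold, wrapping the encryption key that protects secrets in storage), here is an added toy implementation written for this article. It is not Vault's own code: Vault uses AES-GCM, whereas the SHA-256 keystream and HMAC used here are a stand-in chosen to keep the example dependency-free, and the ToyVault class, its method names and the 32-byte key sizes are assumptions for illustration only.

```python
"""Toy model of Vault's seal: a master key that is never stored, split with
Shamir's scheme into key shares, wrapping the data encryption key (DEK) that
protects secrets in storage. Added illustration, not Vault's own code: the
cipher below is a stand-in for Vault's AES-GCM and is not for reuse."""
import hashlib
import hmac
import os
import secrets

PRIME = 2**521 - 1  # Shamir field; comfortably larger than a 256-bit secret


def _eval_poly(coeffs, x):
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, shares: int, threshold: int):
    """Shamir split: any `threshold` of the `shares` points recover `secret`."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and shares")
    coeffs = [int.from_bytes(secret, "big")]
    coeffs += [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points, secret_len: int) -> bytes:
    """Lagrange interpolation at x=0; a wrong share set yields garbage, which is rejected."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    if total >= 1 << (8 * secret_len):
        raise ValueError("shares do not reconstruct a valid secret")
    return total.to_bytes(secret_len, "big")


def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ToyVault:
    """init / unseal / write / read / seal over an encrypted storage dict."""

    def __init__(self, key_shares: int, key_threshold: int):
        master, dek = os.urandom(32), os.urandom(32)
        self.wrapped_dek = encrypt(master, dek)  # persisted; the master key itself never is
        self.unseal_keys = split_secret(master, key_shares, key_threshold)  # shown once at init
        self.threshold = key_threshold
        self.storage = {}  # persisted ciphertexts only
        self._dek = None  # held in memory only while unsealed
        self._pending = []

    @property
    def sealed(self) -> bool:
        return self._dek is None

    def unseal(self, share) -> bool:
        """Feed one share (like `vault unseal <key>`); True once the threshold is reached."""
        if not self.sealed:
            return True
        self._pending.append(share)
        if len(self._pending) < self.threshold:
            return False
        pending, self._pending = self._pending, []
        self._dek = decrypt(combine_shares(pending, 32), self.wrapped_dek)
        return True

    def seal(self) -> None:
        """Forget the DEK; storage stays but cannot be read until the next unseal."""
        self._dek = None

    def write(self, path: str, value: bytes) -> None:
        if self.sealed:
            raise PermissionError("vault is sealed")
        self.storage[path] = encrypt(self._dek, value)

    def read(self, path: str) -> bytes:
        if self.sealed:
            raise PermissionError("vault is sealed")
        return decrypt(self._dek, self.storage[path])
```

Two things the tutorial's commands do not make visible: nothing in persistent state (wrapped_dek and storage) is readable without reaching the threshold, so fewer shares than -key-threshold leave the instance sealed; and a wrong share set does not silently unseal with a wrong key, because the wrapped DEK's authentication tag fails and the attempt is rejected.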


Summary

Vault is a very useful application that provides a reliable and secure way to store secrets. It encrypts secrets before storing them, maintains audit logs, and attaches a lease to every secret it hands out; once the lease expires, it immediately revokes the secret. Vault is platform independent and can be downloaded and installed for free. For more information about Vault, visit its official website.
