As many organizations migrate to the public cloud, a major concern has been how best to secure data and protect it from unauthorized access or exfiltration.
In this post, we’ll offer a high-level overview of what HashiCorp Vault is and share a few use cases — illustrating how it’s an essential DevOps tool for your organization’s cloud security.
What is HashiCorp Vault?
HashiCorp Vault is designed to help organizations manage access to secrets and transmit them safely within an organization. Secrets are any form of sensitive credential that needs to be tightly controlled and monitored and that can be used to unlock sensitive information. Secrets could be in the form of passwords, API keys, SSH keys, RSA tokens, or one-time passwords (OTPs).
HashiCorp Vault makes it easy to control and manage access by providing a single, unified interface for every secret in your infrastructure. Not only that, it also produces detailed audit logs so you can keep track of who accessed what.
How does HashiCorp Vault work?
HashiCorp Vault is a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment. It can store static sensitive values and, at the same time, dynamically generate leased, time-limited credentials for specific services and applications. Vault also authenticates clients (machines or humans) to make sure they are authorized to access a particular secret.
Clients authenticate with a password or with another auth method that exchanges their identity for a temporary token, and that token grants access to particular paths. Policies written in HashiCorp Configuration Language (HCL) determine who gets what access.
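To make the policy step concrete, here is an added example that is not code from this post or from Vault itself: it parses the path stanzas of HCL policies and evaluates a request against a token's merged policies following a simplified model of Vault's precedence rules. The sample policies, paths and capabilities are constructed for illustration.

```python
import re

# Capabilities Vault accepts in a policy "path" stanza.
CAPABILITIES = {"create", "read", "update", "patch", "delete", "list", "sudo", "deny"}
# One `path "..." { capabilities = [...] }` stanza of an HCL policy.
STANZA_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} for the stanzas in an HCL policy."""
    rules = {}
    for path, caps in STANZA_RE.findall(hcl):
        caps = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        if caps - CAPABILITIES:
            raise ValueError(f"unknown capabilities {caps - CAPABILITIES} on {path}")
        rules[path] = caps
    return rules

def _pattern_regex(pattern):
    """'+' matches exactly one path segment; a trailing '*' matches any suffix."""
    glob = pattern.endswith("*")
    body = pattern[:-1] if glob else pattern
    regex = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    return re.compile("^" + regex + (".*" if glob else "") + "$")

def effective_capabilities(policies, request_path):
    """Merge a token's policies and return the capabilities governing request_path.
    Simplified model of Vault's rules: an exact path beats wildcard rules, the longest
    matching wildcard rule wins otherwise, "deny" overrides everything once policies
    are merged, and a path with no rule at all is denied by default."""
    merged = {}
    for rules in policies:
        for path, caps in rules.items():
            merged.setdefault(path, set()).update(caps)
    if request_path in merged:
        caps = merged[request_path]
    else:
        matching = [p for p in merged if _pattern_regex(p).match(request_path)]
        if not matching:
            return set()
        caps = merged[max(matching, key=len)]
    return set() if "deny" in caps else caps

def allowed(policies, capability, request_path):
    return capability in effective_capabilities(policies, request_path)

# Constructed sample policies: the app may read its own secrets but never the
# production DB credential; only the ops policy may read that one path.
APP_POLICY = parse_policy('path "secret/data/app/*" { capabilities = ["read", "list"] }\n'
                          'path "secret/data/app/prod-db" { capabilities = ["deny"] }')
OPS_POLICY = parse_policy('path "secret/data/app/prod-db" { capabilities = ["read"] }')
```

Note that a token holding both policies is still denied the production credential: merging policies can only widen access until a "deny" appears, which then wins.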
Now that we’ve looked into what HashiCorp Vault is, let’s review some of the things it’s used for.
What is HashiCorp Vault used for?
HashiCorp Vault can be used in different ways; we’ve highlighted some of the main use cases below.
HashiCorp Vault can be used to store any type of secrets, including sensitive environment variables, database credentials, API keys, and more, giving users control over who has access and who does not. Using Vault allows you to take full control of any sensitive credentials with the ability to rotate and revoke access at any time.
With HashiCorp Vault, your credentials are far better protected than secrets stored as plaintext files in your configuration management, for example.
Instead of storing plaintext files for all the world to see, your application can fetch secrets at runtime with the vault read command or the Vault HTTP API, so the plaintext values never have to live in your repository or configuration management.
Secrets are also easy to rotate and revoke; if an employee leaves your organization, you can easily and securely revoke their access.
HashiCorp Vault uses identity-based access to broker access to systems and secrets. When it comes to authenticating via identity, there are two major actors: humans and machines.
Managing access for humans is done through role-based access control (RBAC): the policies attached to the identity a person logs in with grant or restrict permission to create and manage secrets, or to manage other users' access.
Managing access for machines, on the other hand, involves providing access to different servers or secrets. Thanks to the dynamic nature of HashiCorp Vault, you can create secrets that work only temporarily and revoke access in the event of a breach. You can generate secrets on demand for a particular system like Sensu, AWS, or Consul, producing a credential or key pair with the permissions that workload needs. After use, the dynamic secrets are revoked automatically when their lease expires.
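The lease lifecycle described above, as an added example that is not Vault's own code: a small model of how dynamic secrets are minted with a TTL, renewed only up to a maximum TTL, revoked individually or by path prefix after a breach, and swept once they expire. The mount and role names and the credential format are assumptions for illustration.

```python
import secrets
import time

class LeaseManager:
    """Simplified model of how Vault leases dynamic secrets (not Vault's own code)."""

    def __init__(self, clock=time.time, default_ttl=3600, max_ttl=86400):
        self.clock, self.default_ttl, self.max_ttl = clock, default_ttl, max_ttl
        self.leases = {}   # lease_id -> {"secret", "issued_at", "expires_at"}
        self.revoked = []  # secrets handed back to the backend for deletion

    def issue(self, mount, role, ttl=None):
        """Mint a throwaway credential with its own lease, as reading <mount>/creds/<role> does."""
        now = self.clock()
        ttl = min(ttl or self.default_ttl, self.max_ttl)
        lease_id = f"{mount}/creds/{role}/{secrets.token_hex(8)}"
        secret = {"username": f"v-{role}-{secrets.token_hex(4)}", "password": secrets.token_urlsafe(16)}
        self.leases[lease_id] = {"secret": secret, "issued_at": now, "expires_at": now + ttl}
        return lease_id, secret

    def is_valid(self, lease_id):
        lease = self.leases.get(lease_id)
        return lease is not None and self.clock() < lease["expires_at"]

    def renew(self, lease_id, increment):
        """Extend a live lease, never past issued_at + max_ttl; returns the new expiry."""
        if not self.is_valid(lease_id):
            raise KeyError(f"lease {lease_id} is expired or revoked")
        lease = self.leases[lease_id]
        lease["expires_at"] = min(self.clock() + increment, lease["issued_at"] + self.max_ttl)
        return lease["expires_at"]

    def revoke(self, lease_id):
        """Revoke one lease; the backend would now delete the account it created."""
        self.revoked.append(self.leases.pop(lease_id)["secret"])

    def revoke_prefix(self, prefix):
        """Revoke every lease under a path, e.g. all creds of one role after a breach."""
        ids = [i for i in self.leases if i.startswith(prefix)]
        for i in ids:
            self.revoke(i)
        return len(ids)

    def tidy(self):
        """Revoke leases whose TTL has elapsed, as Vault's expiration manager does."""
        expired = [i for i in self.leases if not self.is_valid(i)]
        for i in expired:
            self.revoke(i)
        return len(expired)
```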
Vault provides “encryption as a service,” encrypting data in transit (with TLS) and at rest (using AES 256-bit CBC encryption). This protects sensitive data from unauthorized access in two major ways: as it travels across your network as well as in storage in your cloud and datacenters.
With centralized key management, it’s straightforward to update and roll out new keys across distributed infrastructure.
Next steps + further learning
Deploying HashiCorp Vault is a great way to streamline secrets management, improving security without hindering CI/CD workflows. For further learning on Vault, you can visit the HashiCorp documentation and tutorials. To learn more about using secrets management tools (like HashiCorp Vault) to improve monitoring and visibility, check out our HashiCorp Vault tutorial highlighting the Sensu Vault integration, as well as this post from Sensu CEO Caleb Hailey.
FAQs + resources
How much does HashiCorp Vault cost?
HashiCorp Vault is a free and open source product with an enterprise offering. The enterprise platform includes disaster recovery, namespaces, and monitoring, as well as features for scale and governance. You can see the full breakdown of features on the HashiCorp Vault pricing page.
How do I set up HashiCorp Vault?
Here are the steps to install and configure HashiCorp Vault, as laid out in their deployment guide:
- Download Vault
- Install Vault
- Configure systemd
- Configure Consul
- Configure Vault
- Start Vault
How do I access the Vault UI?
You can access the HashiCorp Vault web UI by starting the Vault server in dev mode with vault server -dev and navigating to http://127.0.0.1:8200/ui in your browser. Dev mode keeps everything in memory, starts already unsealed, and prints a root token, so it is only for local experimentation, not production. Check out their documentation for more tips on getting started.
Is HashiCorp Vault secure?
Using HashiCorp Vault for secrets management is certainly more secure than placing plaintext secrets in your configurations. In line with industry best practices for data encryption, HashiCorp Vault uses both TLS for data in transit and AES 256-bit encryption for data at rest.