What is HashiCorp Vault and why should you know about it?
Vault is an open-source secrets management tool used to automate access to secrets, data, and systems.
This blog post comes from our Explained in 180 Seconds series on YouTube, so if you prefer watching videos over reading, the video covers the same material.
First released in April 2015 by HashiCorp, it’s undergone many version releases to support securely storing and controlling access to tokens, passwords, certificates, and encryption keys.
Common Vault Use Cases
Vault can be used to protect sensitive data via the Command Line Interface, HTTP API calls, or even a User Interface.
It’s commonly used with cloud platforms like Azure, Google Cloud, and AWS, but it can be used with many other types of services that we’ll learn about in this post.
In fact, its most common use cases are:
- General secret storage
- Employee credential storage
- API key generation for scripts
- Data encryption
At its core, it’s really just open-source software that anyone can download and install.
Getting Started with Vault
Once installed, you can start a Vault server. Vault operates as a client-server application: clients talk to the Vault server over a TLS-encrypted connection, and the server in turn reads and writes data to a storage backend.
Once the server is running, you can use a Vault client to retrieve stored secrets by using the Vault server’s IP address & port, as well as a Vault token.
vault status
From there, you can do a lot:
vault kv -help
Whenever you need to create a new secret, for example, you can do that like this:
vault kv put -mount=secret hello foo=world
…at which point the data is stored encrypted in the backend. The backend cannot decrypt that data without the Vault server, which means an attacker would have to gain access to your Vault server itself to be able to decrypt it.
You can then retrieve that secret like this:
vault kv get -mount=secret hello
This is an example of using key/value secrets, but Vault can do much more than that. It can also connect to other services and provide encryption as a service.
Secrets Engines Supported by Vault
You can view all of the supported Secrets Engines in their documentation, but some notable ones are:
- Cloud providers
- Kubernetes
- Databases
- SSH
- Time-Based One-Time Passwords
- Etc…
You can think of these as plugins that you enable or disable depending on what you need Vault for.
vault secrets enable -path=aws aws
vault secrets list
Dynamic Secrets in Vault
An added benefit of Vault is that it enables creating “Dynamic Secrets.”
With the key/value secrets engine, we’re storing static secrets like a username & password. What about secrets that should constantly change?
With Dynamic Secrets, the secrets only get created as they’re being read, and then destroyed once they’ve been used.
We could do this for cloud-based access.
Or, as another example, we could use this for database access.
Traditionally, developers have to generate a static set of database credentials, and then they set those credentials as environment variables or they write them statically in configuration files.
Applications can instead ask Vault for database credentials, and those credentials will have a Time to Live (TTL) so they expire after a certain amount of time. The application can continue using those credentials until they expire, and then Vault will generate new ones.
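As an added example (not code from this post or from HashiCorp), here is a small Python client that does the same key/value put and get shown earlier over Vault's REST API and then implements the dynamic-credential pattern from this section: it caches the database username and password Vault hands out and requests a new pair once the lease TTL has run out. The server address, the role name `my-role` and the offline stand-in transport are assumptions; the API paths `/v1/<mount>/data/<name>` (KV v2) and `/v1/database/creds/<role>` and the `X-Vault-Token` header are Vault's real interface.

```python
import json
import time
import urllib.request

def http_transport(token, addr="http://127.0.0.1:8200"):
    """Sender for a real Vault server (assumed local address): JSON under /v1/, token in X-Vault-Token."""
    def send(method, path, body=None):
        req = urllib.request.Request(f"{addr}/v1/{path}", method=method, headers={"X-Vault-Token": token},
                                     data=None if body is None else json.dumps(body).encode())
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read() or b"{}")   # KV writes answer 204 with no body
    return send

def fake_vault_transport(lease_seconds=3600):
    """Constructed stand-in for a Vault server so the example runs offline (not a real Vault)."""
    store, state = {}, {"issued": 0}
    def send(method, path, body=None):
        mount, kind, name = path.split("/", 2)
        if kind == "data" and method == "POST":      # KV v2 write: secret is wrapped under "data"
            store[(mount, name)] = dict(body["data"])
            return {}
        if kind == "data":                           # KV v2 read: secret comes back under data.data
            return {"data": {"data": store[(mount, name)], "metadata": {}}}
        if kind == "creds":                          # dynamic DB credentials: a new user per request
            n = state["issued"] = state["issued"] + 1
            return {"lease_id": f"{mount}/creds/{name}/lease-{n}", "lease_duration": lease_seconds,
                    "renewable": True, "data": {"username": f"v-{name}-{n}", "password": f"pw{n}"}}
        raise ValueError(path)
    return send

def kv_put(send, mount, name, **pairs):
    """Same as `vault kv put -mount=<mount> <name> k=v`."""
    return send("POST", f"{mount}/data/{name}", {"data": pairs})

def kv_get(send, mount, name):
    """Same as `vault kv get -mount=<mount> <name>`, returning just the key/value pairs."""
    return send("GET", f"{mount}/data/{name}")["data"]["data"]

class DynamicCreds:
    """Caches one dynamic database credential and asks Vault for a fresh one once its TTL is up."""
    def __init__(self, send, role, mount="database", clock=time.time):
        self.send, self.role, self.mount, self.clock = send, role, mount, clock
        self.creds, self.expires_at = None, 0.0
    def get(self):
        now = self.clock()
        if self.creds is None or now >= self.expires_at:
            resp = self.send("GET", f"{self.mount}/creds/{self.role}")
            self.creds = (resp["data"]["username"], resp["data"]["password"])
            # lease_duration is in seconds; refresh early so a query in flight is not cut off
            self.expires_at = now + resp["lease_duration"] * 0.9
        return self.creds
```

Against a real server, pass `http_transport(token)` instead of `fake_vault_transport()`; the hard-coded 90% refresh margin is a simplification, since a production client would renew the lease through Vault rather than just refetch.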
Authentication Methods Supported by Vault
And before you ask…instead of having to use yet another authentication source for managing access to Vault, you can use one of many Auth Methods supported by Vault that you can see here, including:
- Cloud providers
- JSON Web Tokens (JWT)
- Kerberos and LDAP
- Kubernetes
- Username & Password
- Etc…
That way, you can delegate the authentication administration and decision to an external auth method that you already use in your organization or development process.
Using Vault
Once you’ve set up your Vault server and it’s running, you can access it via the CLI like I’ve shown in this video, or you can access it via the REST HTTP APIs, which is usually what the CLI is doing anyway.
You can also use a Web User Interface (UI) though, to manage many different aspects of Vault.
Summary & Cheat Sheet
So overall, Vault is a secure storage system that provides users with a safe and convenient way to store sensitive information. It stores data encrypted and supports multiple layers of authentication to ensure a high level of security, making it an ideal solution for businesses and individuals.
If you enjoyed this post, check out our YouTube series for more like this. I’m also curious to hear if you’re using any other sort of secrets management tool or if you plan on trying out Vault after reading this article, so leave a comment below with your thoughts!
We also published a HashiCorp Vault cheat sheet that you can download here.
Thanks for reading, and see you next time.