Vault Associate Certification Part 2 Concepts Notes. This will be a series of documents that go through all the components needed to achieve the certification.
Hashicorp Vault Associate Certification Concepts Part 2
4. OVERVIEW
Overview of the concepts that are important to understand for day-to-day Vault usage and operations.
These notes follow the HashiCorp-specific structure found here:
http://www.vaultproject.io/docs/concepts
I have created these notes as part of my personal learning and hope to be able to help and inspire others.
I would recommend viewing the official Vault docs to gain full and detailed explanations.
I will be releasing interactive notebooks for all configuration detailed in these guides.
Follow my Instagram @adnans_techie_studies for updates.
5. DEV SERVER MODE
COMMAND: vault server -dev
- Dev server mode is insecure; all data is lost on a restart.
- No further setup is needed and all features are available, so you can experiment with Vault.
- No need to unseal; a single unseal key is generated.
- All data is stored in memory.
- Bound to the local address without TLS.
- Auto-authenticates (the root token is logged in for you).
- A KV v2 secrets engine is enabled by default.
6. SEAL UNSEAL
- Vault starts sealed: it can see its storage but is unable to decrypt it.
- Unsealing means obtaining the master key so that the decryption key can be read and the data decrypted.
WHY
- Data stored by Vault is encrypted with an encryption key held in the keyring.
- The keyring is stored with the data in Vault storage, encrypted with the master key.
- The master key is encrypted again with the unseal key.
- The unseal key is split into Shamir shared keys; a quorum of them must be combined to rebuild it.
UNSEALING
- vault operator unseal (CLI), the UI or the API; each key holder submits their share.
- Once unsealed, Vault keeps the master key in memory and remains unsealed unless: it is resealed via the API, the server restarts, or Vault storage hits an unrecoverable error.
- Sealing throws away the master key; it can be done by root.
SEAL MIGRATION
- Shamir seal -> KMS seal: delegate unsealing to a KMS service (auto unseal) to reduce the operational complexity of handling unseal keys.
- KMS seal -> KMS seal and KMS seal -> Shamir seal are also supported.
- With a KMS seal, the Shamir keys generated at initialisation are called recovery keys.
- Seal migration requires downtime.
7. LEASE RENEW AND REVOKE
- Dynamic secrets and service-type auth tokens have a TTL and a lease; once the lease is revoked, the secret can no longer be used.
- The client checks in with Vault regularly to renew; lease activity shows up in the audit logs.
- The lease ID is used to manage the lease duration.
- A renewal request takes an increment, measured from the time of the request; the backend can ignore it.
- Prefix-based revocation can revoke multiple secrets at once (a whole tree of leases), e.g. everything under the GitHub auth method's prefix if there is an intrusion involving GitHub.
AUTH
- Authentication is delegated to specific auth methods (e.g. LDAP, AppRole); the auth method must be enabled before clients can authenticate.
- Vault first verifies the client's identity, then generates a token and associates it with that identity; the token is then used for all further Vault requests.
- A login has a lease associated with it: revocation and renewal apply, and the client must re-authenticate after a given period.
8. TOKENS
- The token auth backend (token store) is responsible for creating and storing tokens; it cannot be disabled.
ROOT TOKENS
- Root tokens can do anything in Vault.
- They are set to never expire.
- Can be generated with the permission of a quorum of unseal key holders.
- Should only be used for initial setup or emergencies.
TOKEN TYPES
- Service tokens: the normal tokens. A token holder can create child tokens; revoking the parent revokes all of its children.
- Orphan tokens: service tokens with no parent.
- Batch tokens: encrypted blobs carrying just enough information for Vault actions; they need no storage.
TOKEN ACCESSORS
- An accessor is created and returned together with the token.
- With an accessor you can: revoke the token, renew the token, look up the token's properties, look up the token's capabilities.
- Example use: a service creates a token for a job (job ID), stores only the accessor, and revokes the token via the accessor when the job is complete.
9. TOKENS CONTINUED
GENERAL TTL
- If no explicit TTL is set on a token, its TTL is compared against the max TTL.
- The system max TTL is 32 days (768h) by default; an auth method (mount) can override the system max TTL.
- Explicit max TTL: a hard limit on the token's lifetime, regardless of the other TTL values.
PERIODIC TOKENS
- For systems that periodically perform a task: long-running services, connection pools.
- Outside of root tokens, the only other way to have an unlimited lifetime.
- Must be renewed within the configured period.
CIDR-BOUND TOKENS
- Bound to a CIDR range; restricts which clients can use the token.
10. RESPONSE WRAPPING
- A client makes a request; instead of returning the secret itself (e.g. a TLS private key), the server returns a single-use wrapping token.
- The wrapped response is stored in that token's cubbyhole; the response does not contain the secret, only a reference to it, so the wrapping is separate from the secret.
- Benefits: limits the lifetime of secret exposure; provides cover for the secret; only a single party can unwrap and see the secret; detects malfeasance (if the token has already been unwrapped, someone else got to it first).
- Wrapped token information: the wrapping accessor, the TTL of the wrapping token, the creation path, the creation time.
11. POLICIES
- Everything in Vault is path-based and policies are no exception.
- Policies grant or forbid access to certain paths and operations; access is denied by default.
- Vault does not store users; it delegates to an auth method such as LDAP (connect the auth backend).
WORKFLOW
1. The security/admin team connects the auth backend (e.g. LDAP).
2. They author a Vault policy (e.g. AD group "dev" gets read-only access in Vault).
3. They attach the policy to the group in the auth method.
4. A client/user logs in: Vault verifies the credentials with the auth backend (LDAP), attaches the policy and returns a token.
SYNTAX
  path "secret/*" {
    capabilities = ["create", "read", "update", "delete", "list"]
  }
  (example: grants all access on secret)
PARAMETER CONSTRAINTS
- Provide fine-grained control over permitted and denied operations: required, allowed and denied parameters.
- Set min/max response-wrapping TTLs.
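To show how the path-based, deny-by-default rules above play out, here is an added example (not from the original notes) that parses the `path "..." { capabilities = [...] }` form and evaluates a request against merged policies; it models exact-match-over-glob, longest-glob-wins and deny-overrides, and is a simplified model of Vault's behaviour (no sudo, "+" wildcards or parameter constraints).

```python
# Added example: a simplified model of Vault policy evaluation.
# Assumptions: only the trailing "*" glob is supported and the HCL subset
# is restricted to path blocks containing a capabilities list.
import re

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl):
    """Return {path_pattern: set(capabilities)} from the restricted HCL subset."""
    rules = {}
    for path, caps in _RULE.findall(hcl):
        rules[path] = {c.strip().strip('"') for c in caps.split(",") if c.strip()}
    return rules


def _matches(pattern, request_path):
    """A pattern ending in '*' is a prefix glob; anything else is an exact path."""
    if pattern.endswith("*"):
        return request_path.startswith(pattern[:-1])
    return pattern == request_path


def allowed(policies, request_path, capability):
    """Deny by default: True only if the most specific matching rule grants it."""
    merged = {}
    for rules in policies:  # all policies on a token are merged; same path => union
        for pattern, caps in rules.items():
            merged.setdefault(pattern, set()).update(caps)
    candidates = [p for p in merged if _matches(p, request_path)]
    if not candidates:
        return False  # no rule at all: denied by default
    exact = [p for p in candidates if not p.endswith("*")]
    best = exact[0] if exact else max(candidates, key=len)  # exact beats glob, longest glob wins
    caps = merged[best]
    return "deny" not in caps and capability in caps  # deny overrides everything


if __name__ == "__main__":
    # Constructed policies: the dev policy from the notes plus a prod lock-down.
    dev = parse_policy('path "secret/*" { capabilities = ["create", "read", "update", "delete", "list"] }')
    lock = parse_policy('path "secret/prod/*" { capabilities = ["deny"] }\n'
                        'path "secret/prod/readme" { capabilities = ["read"] }')
    print(allowed([dev], "secret/app/db", "read"))          # True
    print(allowed([dev], "kv/app/db", "read"))              # False: no matching path
    print(allowed([dev, lock], "secret/prod/key", "read"))  # False: deny on longer glob
    print(allowed([dev, lock], "secret/prod/readme", "read"))  # True: exact match wins
```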
12. POLICIES CONTINUED
BUILT-IN POLICIES
- default: attached to all tokens; cannot be removed.
- root: cannot be modified or removed; a user holding it can do anything.
MANAGING POLICIES
- Listing: vault read sys/policy
- Creating: vault policy write testpolicy testpolicy.hcl
- Updating: vault write sys/policy/testpolicy policy=@<updated policy JSON file>
- Deleting: vault delete sys/policy/testpolicy
13. HIGH AVAILABILITY MODE
- HA is automatically enabled if the data store supports it; check for "HA available" next to the data store in the storage backend docs.
- On server start, both nodes try to grab the lock in the data store: the one that succeeds becomes the active node, the others become standby nodes.
- If a standby node gets a request, it forwards or redirects it depending on its state. The redirection requirements must be met for the HA cluster to work.
- The unsealed active server writes information about itself into Vault storage and the standby nodes read it from there; it is not communicated over the network.
- Client redirection (no request forwarding): if a non-empty redirect address is configured, the client is redirected with a 307 code to the active node. The redirect address (api_addr) should be that node's own address.
- Direct access to individual nodes should be avoided; with a load balancer, the LB must be aware of the active leader or redirects will loop.
14. INTEGRATED STORAGE
- Vault 1.4: Integrated Storage (Raft) with HA semantics, Enterprise replication, backup and restore.
- A consensus protocol replicates data to each server in the cluster.
- Joining a node: it must use the same seal mechanism; it joins the cluster and the data is replicated to it.
15. PGP GPG AND KEYBASE
- Vault integrates with OpenPGP-compatible programs (GPG) and with Keybase.io (secure messaging and file sharing, with simple key management).
- Pre-Vault 0.3, the unseal keys were given to the initial user in plaintext: bad.
- Unseal key distribution: when initialising with PGP, Vault generates the unseal keys and immediately encrypts each one with the given user's public PGP key; users import the appropriate keys (GPG or Keybase) to decrypt their own share.
16. RECOVERY MODE
- Vault is automatically unsealed once a recovery token has been issued.
- Only recovery-token operations and the sys/raw endpoint are available.
- It won't form clusters or handle requests from standby nodes.
- Raft integrated storage is the main reason for recovery mode: the cluster is automatically resized to 1 node, and after recovery the other nodes rejoin the Raft cluster.