HashiCorp is a software company based in San Francisco that provides open-source and commercial tools to provision, secure, run and connect cloud infrastructure. Vault is an open-source tool from HashiCorp that securely stores secrets and encrypts data. It tightly controls access to secrets by authenticating users and applications and authorizing access through policies. Vault stores data encrypted and uses key sharing to reconstruct an encryption key when unsealing to enable access to secrets.

1. Partner of:
@HazzimIO
Manage Secrets and Protect Sensitive Data

2. Partner of:
@HazzimIO
HashiCorp is a software company based in San Francisco, California.
HashiCorp provides open-source tools and commercial products that
enable developers, operators and security professionals to provision,
secure, run and connect cloud-computing infrastructure.
Founded in 2012 by Mitchell Hashimoto and Armon Dadgar

3. Partner of:
@HazzimIO

4. Partner of:
@HazzimIO

5. Partner of:
@HazzimIO
Vault Open Source addresses
the technical complexity of
managing secrets across
distributed cloud infrastructure
Vault Enterprise addresses the
organizational complexity of
large organizations with
governance and multi-
datacenter features

6. Partner of:
@HazzimIO
Vault tightly controls access to secrets and encryption keys by
authenticating against trusted sources of identity such as Active
Directory, LDAP, Kubernetes, CloudFoundry, and cloud platforms.
Vault enables fine grained authorization of which users and
applications are permitted access to secrets and keys
How Vault Works

7. Partner of:
@HazzimIO
Concepts

8. Partner of:
@HazzimIO
•When a Vault server is started, it starts in a sealed state.
•The only possible operations are to unseal the Vault and check the status
of the unseal.
•Unsealing is the process of constructing the master key necessary to read
the decryption key to decrypt the data, allowing access to the Vault.
SEAL/UNSEAL

9. Partner of:
@HazzimIO
• The data stored by Vault is stored encrypted.
• Vault needs the encryption key in order to decrypt the data.
• The encryption key is also stored with the data, but encrypted with
another encryption key known as the master key.
SEAL/UNSEAL

10. Partner of:
@HazzimIO
• The master key isn't stored anywhere.
• Vault must decrypt the encryption key which requires the master
key.
• Unsealing is the process of reconstructing this master key.
SEAL/UNSEAL

11. Partner of:
@HazzimIO
• Instead of distributing this master key as a single key to an operator.
• Vault uses an algorithm known as Shamir's Secret Sharing to split
the key into shards
• A certain threshold of shards is required to reconstruct the master
key (3 of 5)
SEAL/UNSEAL

12. Partner of:
@HazzimIO
SEAL/UNSEAL
Key shares
Master key Encryption key

13. Partner of:
@HazzimIO
• With every dynamic secret and service type authentication token,
Vault creates a lease: metadata containing information such as a time
duration, renewability, and more.
• Vault promises that the data will be valid for the given duration, or
Time To Live (TTL).
Lease, Renew, and Revoke

14. Partner of:
@HazzimIO
•Authentication in Vault is the process by which user or machine
supplied information is verified against an internal or external system.
•Vault supports multiple auth methods
•GitHub
•LDAP
•AppRole
•Username/Password
•Cloud providers (AWS/GCP/Azure and more)
Authentication

15. Partner of:
@HazzimIO
• Tokens are the core method for authentication within Vault. Tokens
can be used directly or auth methods can be used to dynamically
generate tokens based on external identities.
• Within Vault, tokens map to information. The most important
information mapped to a token is a set of one or more
attached policies.
• These policies control what the token holder is allowed to do within
Vault.
TOKENS

16. Partner of:
@HazzimIO
• Everything in Vault is path based, and policies are no exception.
Policies provide a declarative way to grant or forbid access to certain
paths and operations in Vault.
• Policies are deny by default, so an empty policy grants no
permission in the system.
POLICIES

17. Partner of:
@HazzimIO
# Permit reading only "secret/foo". An attached token cannot read "secret/food"
# or "secret/foo/bar".
path "secret/foo" {
capabilities = ["read"]
}
# Permit reading everything under "secret/bar". An attached token could read
# "secret/bar/zip", "secret/bar/zip/zap", but not "secret/bars/zip".
path "secret/bar/*" {
capabilities = ["read"]
}
# Permit reading everything prefixed with "zip-". An attached token could read
# "secret/zip-zap" or "secret/zip-zap/zong", but not "secret/zip/zap
path "secret/zip-*" {
capabilities = ["read"]
}
POLICIES

18. Partner of:
@HazzimIO
• CLI
$ vault token revoke “<token>"
• API
$ curl
--request POST
--header "X-Vault-Token: ..."
--data '{"token": "<token>"}'
https://vault.hashicorp.rocks/v1/auth/token/revoke
Revoke root token

19. Partner of:
@HazzimIO
• Vault supports a multi-server mode for high availability.
• High availability mode is automatically enabled when using a data
store that supports it.
• Currently there are several storage backends that support high
availability mode, including Consul, ZooKeeper and etcd.
High Availability Mode (HA)

20. Partner of:
@HazzimIO
• To be highly available, one of the Vault server nodes grabs a lock
within the data store.
• The successful server node then becomes the active node; all other
nodes become standby nodes.
• Due to this architecture, HA does not enable increased scalability.
• In general, the bottleneck of Vault is the data store itself, not Vault
core.
High Availability Mode (HA)

21. Partner of:
@HazzimIO
USE CASES

22. Partner of:
@HazzimIO
• At a bare minimum, Vault can be used for the storage of any secrets.
For example, Vault would be a fantastic way to store sensitive
environment variables, database credentials, API keys, etc.
General Secret Storage

23. Partner of:
@HazzimIO
• While this overlaps with "General Secret Storage", Vault is a good
mechanism for storing credentials that employees share to access
web services.
• The audit log mechanism lets you know what secrets an employee
accessed and when an employee leaves, it is easier to roll keys and
understand which keys have and haven't been rolled.
Employee Credential Storage

24. Partner of:
@HazzimIO
• The "dynamic secrets" feature of Vault is ideal for scripts: an AWS
access key can be generated for the duration of a script, then
revoked.
• The keypair will not exist before or after the script runs, and the
creation of the keys are completely logged
API Key Generation for Scripts

25. Partner of:
@HazzimIO
• In addition to being able to store secrets, Vault can be used to encrypt/
decrypt data that is stored elsewhere.
• The primary use of this is to allow applications to encrypt their data
while still storing it in the primary data store.
• The benefit of this is that developers do not need to worry about how to
properly encrypt data.
• The responsibility of encryption is on Vault and the security team
managing it, and developers just encrypt/decrypt data as needed.
Data Encryption

26. Partner of:
@HazzimIO
• Audit devices are the components in Vault that keep a detailed log of
all requests and response to Vault.
• Because every operation with Vault is an API request/response, the
audit log contains every authenticated interaction with Vault,
including errors.
• Multiple audit devices can be enabled and Vault will send the audit
logs to both.
Audit Devices

27. Partner of:
@HazzimIO
• Sensitive information
• The audit logs contain the full request and response objects for
every interaction with Vault.
• The request and response can be matched utilizing a unique
identifier assigned to each request.
• The data in the request and the data in the response (including
secrets and authentication tokens) will be hashed with a salt using
HMAC-SHA256.
Audit devices

28. Partner of:
@HazzimIO
• File
• The file audit device writes audit logs to a file. This is a very
simple audit device: it appends logs to a file.
• Syslog
• The syslog audit device writes audit logs to syslog.
• Socket
• The socket audit device writes to a TCP, UDP, or UNIX socket.
Audit Devices

29. Partner of:
@HazzimIO
Enterprise features

30. Partner of:
@HazzimIO
• The core unit of Vault replication is a cluster, which is comprised of a
collection of Vault nodes (an active and its corresponding HA
nodes).
• Multiple Vault clusters communicate in a one-to-many near real-time
flow.
• Replication operates on a leader/follower model, wherein a leader
cluster (primary) is linked to a series of follower secondary clusters.
Replication

31. Partner of:
@HazzimIO
• The primary cluster acts as the system of record and asynchronously
replicates most Vault data.
• All communication between primaries and secondaries is end-to-end
encrypted with mutually-authenticated TLS sessions, setup via
replication tokens which are exchanged during bootstrapping.
• What data is replicated between the primary and secondary depends
on the type of replication that is configured.
Replication

32. Partner of:
@HazzimIO
• Performance Replication: In performance replication, secondaries
keep track of their own tokens and leases but share the underlying
configuration, policies, and supporting secrets.
• Disaster Recovery (DR) Replication: In disaster recovery (or DR)
replication, secondaries share the same underlying configuration,
policy, and supporting secrets infrastructure as the primary.
Performance Replication and Disaster Recovery (DR) Replication

33. Partner of:
@HazzimIO
•Feature that takes advantage of HSMs to provide three pieces of special
functionality:
•Master Key Wrapping: Vault protects its master key by transiting it
through the HSM for encryption rather than splitting into key shares
•Automatic Unsealing: Vault stores its HSM-wrapped master key in
storage, allowing for automatic unsealing
•Seal Wrapping to provide FIPS KeyStorage-conforming functionality
for Critical Security Parameters
HSM Support

34. Partner of:
@HazzimIO
• Many organizations implement Vault as a "service", providing
centralized management for teams within an organization while
ensuring that those teams operate within isolated environments
known as tenants.
• There are two common challenges when implementing this
architecture in Vault.
Namespaces

35. Partner of:
@HazzimIO
• Frequently teams within a VaaS environment require strong isolation
from other users in their policies, secrets, and identities.
• Tenant isolation is typically a result of compliance regulations such
as GDPR, though it may be necessitated by corporate or
organizational infosec requirements.
Tenant Isolation

36. Partner of:
@HazzimIO
• As new tenants are added, there is an additional human cost in the
management overhead for teams.
• Given that tenants will likely have different policies and request
changes at a different rate, managing a multi-tenant environment
can become very difficult for a single team as the number of tenants
within that organization grow.
Self-Management

37. Partner of:
@HazzimIO
• Vault Enterprise has support for Multi-factor Authentication (MFA), using
different authentication types. MFA is built on top of the Identity system of
Vault.
• MFA in Vault can be of the following types.
• Time-based one-time password
• Okta
• Duo
• PingID
MFA Support

38. Contact
• @DevOpsGDL
• facebook.com/groups/devopsgdl/
• meetup.com/devopsgdl/
• devopsgdl@gmail.com

39. Contact
• hazzim.anaya@digitalonus
• hazzim.anaya@gmail.com
• @HazzimIO