OVERVIEW
These notes follow the structure of the HashiCorp documentation found here: https://www.vaultproject.io/docs/internals
Topics covered: security overview, architecture, properties and functions.

WHAT IS VAULT
- Tight security controls around access to secrets: API keys, passwords, certificates.
- Every access to a secret is recorded in the audit logs.
FEATURES
1. Secure secret storage: secrets are encrypted before they are written to the storage backend.
2. Dynamic secrets: provide temporary access to an app. The app says "I need access" and Vault generates a credential on demand.
3. Data encryption (encryption as a service): encrypt and decrypt data for clients without storing that data in Vault.
4. Leasing and revocation: all secrets have a lease associated with them and can be renewed. A lease can be revoked, and revoking it revokes the entire tree of secrets under it.
ARCHITECTURE
- HTTPS API: the only external-facing component.
- Barrier: the cryptographic barrier between the core and the storage backend. All data to and from the storage backend flows through it. Vault starts in a sealed state and must be unsealed with the unseal keys (Shamir's secret sharing) before the barrier can decrypt anything.
- Core: manages the flow of requests. It contains the token store, policy store, audit broker, rollback manager and expiration manager, and performs path routing to the mounted components.
- Mounted components: system backend, secrets engines, auth methods, audit devices.
- Storage backend: durable storage that only ever sees encrypted data.
SHAMIR'S SECRET SHARING ALGORITHM
- The master key that protects the encryption key is split into key shares. A threshold of shares (for example 3 of 5) must be entered to reconstruct the master key; with fewer shares nothing can be decrypted.
- Sealed state: Vault can reach the storage backend but cannot decrypt any data.
- Unsealed state: once the master key is reconstructed, Vault loads all audit devices, auth methods and secrets engines.
- Once unsealed, requests can be processed by the core: it manages the flow of requests, enforces ACLs and performs audit logging.
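The split-and-threshold behaviour described above, as an added example that is not part of the original notes or Vault's own code. It implements Shamir's scheme over GF(2^8) (the same field size Vault's shamir package uses), splitting a constructed 32-byte stand-in for the master key into 5 shares with a threshold of 3, and shows that 3 shares recover it while 2 do not. The polynomial-per-byte layout and the Share type are this example's own choices, not Vault's on-disk format.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

// Share is one unseal key share: an x coordinate plus one y byte per byte of the secret.
type Share struct {
	X byte
	Y []byte
}

// gfMul multiplies in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11b).
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 == 1 {
			p ^= a
		}
		a = a<<1 ^ byte(0x1b*(a>>7)) // reduce when the top bit shifts out
	}
	return p
}

// gfInv returns a^-1 computed as a^254, since every non-zero element has a^255 = 1.
func gfInv(a byte) byte {
	r, x := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 == 1 {
			r = gfMul(r, x)
		}
		x = gfMul(x, x)
	}
	return r
}

// evalPoly evaluates coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) by Horner's rule.
func evalPoly(coeffs []byte, x byte) byte {
	var y byte
	for i := len(coeffs) - 1; i >= 0; i-- {
		y = gfMul(y, x) ^ coeffs[i]
	}
	return y
}

// Split produces n shares of which any t reconstruct the secret: every secret byte gets its
// own random degree t-1 polynomial whose constant term is that byte; share i holds its value at x=i.
func Split(secret []byte, n, t int) ([]Share, error) {
	if t < 2 || t > n || n > 255 {
		return nil, errors.New("need 2 <= threshold <= shares <= 255")
	}
	shares := make([]Share, n)
	for i := range shares {
		shares[i] = Share{X: byte(i + 1), Y: make([]byte, len(secret))}
	}
	coeffs := make([]byte, t)
	for k, s := range secret {
		coeffs[0] = s
		if _, err := rand.Read(coeffs[1:]); err != nil {
			return nil, err
		}
		for i := range shares {
			shares[i].Y[k] = evalPoly(coeffs, shares[i].X)
		}
	}
	return shares, nil
}

// Combine recovers the constant term by Lagrange interpolation at x=0. Given fewer than t
// shares it returns a wrong key rather than an error: the scheme itself cannot tell.
func Combine(shares []Share) ([]byte, error) {
	if len(shares) < 2 {
		return nil, errors.New("need at least two shares")
	}
	secret := make([]byte, len(shares[0].Y))
	for k := range secret {
		for i, si := range shares {
			basis := byte(1) // L_i(0) = prod_{j!=i} x_j / (x_j - x_i); "-" is XOR here
			for j, sj := range shares {
				if i == j {
					continue
				}
				if si.X == sj.X {
					return nil, errors.New("duplicate share")
				}
				basis = gfMul(basis, gfMul(sj.X, gfInv(sj.X^si.X)))
			}
			secret[k] ^= gfMul(si.Y[k], basis)
		}
	}
	return secret, nil
}

func main() {
	master := make([]byte, 32) // constructed stand-in for the master (root) key
	rand.Read(master)
	shares, _ := Split(master, 5, 3)
	got, _ := Combine([]Share{shares[4], shares[0], shares[2]})
	short, _ := Combine(shares[:2])
	fmt.Println("3 of 5 shares recover the key:", bytes.Equal(got, master))
	fmt.Println("2 of 5 shares recover the key:", bytes.Equal(short, master))
}
```

Note the failure mode in Combine: a below-threshold set of shares yields a wrong key, not an error, which is why the unseal process only succeeds once the reconstructed key actually decrypts the keyring.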
REQUEST FLOW
1. Authentication: the client authenticates to an auth method through the core.
2. The auth method returns a list of policies (named ACLs) to the core. Vault operates exclusively in whitelist mode: access must be explicitly granted by a policy, otherwise it is denied.
3. The token store generates a client token and attaches the policies to it; the expiration manager attaches a lease. The token is returned to the client ("here are my policies").
4. The client requests a secret, presenting its token; the core validates the token and its policies and routes the request to the secrets engine.
5. The secrets engine returns the secret; the expiration manager attaches a lease ID before the core returns it to the client.
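The whitelist-mode check from step 2, plus the token and lease validation that happens before it, as an added Go example that is not the notes' or Vault's own code. It is a simplified model of Vault's policy evaluation: only a trailing "*" glob is supported, matching rules are unioned, an explicit "deny" wins, and anything unmatched is denied. Real Vault has further precedence rules (exact match over glob, "+" segment wildcards, parameter constraints) that are not modelled here. The policy names, paths and the "hvs." token prefix are constructed for the example.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// Rule is one path stanza of a policy: a path, optionally ending in a "*" glob, and its capabilities.
type Rule struct {
	Path         string
	Capabilities []string
}

// Policy is a named ACL; an auth method returns a list of policy names on login.
type Policy struct {
	Name  string
	Rules []Rule
}

// Token is what the token store hands back: an ID, the attached policies and a lease.
type Token struct {
	ID       string
	Policies []string
	Expires  time.Time
	Revoked  bool
}

// Core holds the policy store and the token store.
type Core struct {
	policies map[string]Policy
	tokens   map[string]*Token
}

func NewCore(policies ...Policy) *Core {
	c := &Core{policies: map[string]Policy{}, tokens: map[string]*Token{}}
	for _, p := range policies {
		c.policies[p.Name] = p
	}
	return c
}

// Login is step 3 of the flow: the auth method has already returned policy names, the token
// store mints a random token ID and the expiration manager attaches a lease of ttl.
func (c *Core) Login(policies []string, ttl time.Duration, now time.Time) string {
	raw := make([]byte, 16)
	rand.Read(raw)
	id := "hvs." + hex.EncodeToString(raw)
	c.tokens[id] = &Token{ID: id, Policies: policies, Expires: now.Add(ttl)}
	return id
}

func (c *Core) Revoke(tokenID string) {
	if t, ok := c.tokens[tokenID]; ok {
		t.Revoked = true
	}
}

func matches(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// Authorize is whitelist evaluation: the token must exist, be unrevoked and unexpired; then
// some attached policy must grant the capability on the path, and an explicit "deny" on any
// matching rule wins. Anything not explicitly granted is denied.
func (c *Core) Authorize(tokenID, path, capability string, now time.Time) (bool, string) {
	tok, ok := c.tokens[tokenID]
	switch {
	case !ok:
		return false, "unknown token"
	case tok.Revoked:
		return false, "token revoked"
	case now.After(tok.Expires):
		return false, "token lease expired"
	}
	granted := false
	for _, name := range tok.Policies {
		for _, rule := range c.policies[name].Rules {
			if !matches(rule.Path, path) {
				continue
			}
			for _, cp := range rule.Capabilities {
				if cp == "deny" {
					return false, "explicit deny in policy " + name
				}
				if cp == capability {
					granted = true
				}
			}
		}
	}
	if !granted {
		return false, "no policy grants " + capability + " on " + path
	}
	return true, "allowed by token policies"
}

// SamplePolicies are constructed for this example, not taken from any real deployment.
func SamplePolicies() []Policy {
	return []Policy{
		{Name: "app-reader", Rules: []Rule{{Path: "secret/data/app/*", Capabilities: []string{"read", "list"}}}},
		{Name: "no-prod", Rules: []Rule{{Path: "secret/data/app/prod", Capabilities: []string{"deny"}}}},
	}
}

func main() {
	now := time.Now()
	core := NewCore(SamplePolicies()...)
	tok := core.Login([]string{"app-reader", "no-prod"}, time.Hour, now)
	requests := [][2]string{{"secret/data/app/dev", "read"}, {"secret/data/app/dev", "update"}, {"secret/data/app/prod", "read"}}
	for _, r := range requests {
		ok, why := core.Authorize(tok, r[0], r[1], now)
		fmt.Printf("%-6s %-22s -> %-5v %s\n", r[1], r[0], ok, why)
	}
	ok, why := core.Authorize(tok, "secret/data/app/dev", "read", now.Add(2*time.Hour))
	fmt.Println("an hour after the lease ended ->", ok, why)
}
```

The order of the checks matters: token validity (existence, revocation, lease expiry) is decided before any policy is consulted, so a revoked or expired token is refused even on a path its policies would have allowed.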
HIGH AVAILABILITY
- Design goal: minimise downtime. The goal is not to be horizontally scalable: Vault is typically IO-bound by the storage backend, not CPU-bound.
- In HA mode a node is either active or standby. A standby must be unsealed. If the active node fails or loses network connectivity, a standby takes over; requests sent to a standby are forwarded to the active node.
- Performance standby (Vault Enterprise): similar to a standby, but it can service read-only requests locally. Adding nodes (1, 2, 3, 4, 5 ...) scales read IOPS horizontally.
INTEGRATED STORAGE
- Vault Integrated Storage: the storage backend is built into the Vault nodes themselves and replicated between them; it comes with replication, backup and restore workflows.

RAFT CONSENSUS PROTOCOL
- Based on Paxos, but simpler.
- Node states:
  - Follower: "I can accept log entries from a leader, and I can vote."
  - Candidate: a follower that has seen no entries from a leader for a while promotes itself: "Can someone vote for me?"
  - Leader: elected by the votes of its peers: "Great, I can accept new entries and replicate them to all the other followers."
RAFT CONSENSUS PROTOCOL (CONTINUED)
1. A client request arrives at the leader.
2. The leader appends a new log entry and replicates it to the followers.
3. Once a quorum of nodes has stored the entry it is committed and applied to the FSM.
- FSM (finite state machine): a collection of finite states with transitions between them. As new logs are applied the FSM is allowed to transition between states. Application of logs must be deterministic, so every node ends up in the same state.
- Vault's FSM is a Go key/value store backed by BoltDB; it maintains the cluster state, which allows Vault snapshots to be very lightweight.
- Recommended: 3 or 5 nodes, due to quorum (a 4-node cluster needs 3 nodes for quorum, so it tolerates no more failures than a 3-node cluster).
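Steps 1 to 3 and the quorum arithmetic behind the 3-or-5 recommendation, as an added simulation that is not the notes' or Vault's code. It assumes a single term with node 0 as a fixed leader (no elections, no log conflicts), so follower logs are always prefixes of the leader's log; the deterministic FSM is a plain key/value map rather than BoltDB.

```go
package main

import "fmt"

// Entry is one Raft log entry: a key/value write proposed through the leader.
type Entry struct {
	Term  int
	Key   string
	Value string
}

// FSM is the deterministic key/value state machine. Every node applies committed entries in
// log order, so every node that applies the same prefix reaches the same state.
type FSM struct {
	data    map[string]string
	applied int // number of log entries applied so far
}

func (f *FSM) Apply(e Entry) {
	f.data[e.Key] = e.Value
	f.applied++
}

type Node struct {
	ID  int
	Up  bool
	Log []Entry
	FSM FSM
}

// Cluster is a single-term simulation: node 0 is leader, the rest are followers, and an entry
// is committed only once a quorum of nodes (leader included) has stored it.
type Cluster struct {
	Nodes       []*Node
	Leader      int
	Term        int
	CommitIndex int // entries [0, CommitIndex) are committed
}

func NewCluster(n int) *Cluster {
	c := &Cluster{Term: 1}
	for i := 0; i < n; i++ {
		c.Nodes = append(c.Nodes, &Node{ID: i, Up: true, FSM: FSM{data: map[string]string{}}})
	}
	return c
}

func (c *Cluster) Quorum() int      { return len(c.Nodes)/2 + 1 }
func (c *Cluster) MaxFailures() int { return len(c.Nodes) - c.Quorum() }
func (c *Cluster) Fail(id int)      { c.Nodes[id].Up = false }
func (c *Cluster) Recover(id int)   { c.Nodes[id].Up = true }

// Propose runs steps 1-3: append to the leader's log, replicate to reachable followers
// (catching up any suffix they lack), and commit on quorum. An uncommitted entry stays in the
// logs and is committed together with a later entry that does reach quorum.
func (c *Cluster) Propose(key, value string) bool {
	leader := c.Nodes[c.Leader]
	if !leader.Up {
		return false
	}
	leader.Log = append(leader.Log, Entry{Term: c.Term, Key: key, Value: value})
	acks := 1
	for _, n := range c.Nodes {
		if n.ID == c.Leader || !n.Up {
			continue
		}
		n.Log = append(n.Log, leader.Log[len(n.Log):]...) // follower logs are prefixes of the leader's
		acks++
	}
	if acks < c.Quorum() {
		return false
	}
	c.CommitIndex = len(leader.Log)
	for _, n := range c.Nodes {
		for n.Up && n.FSM.applied < c.CommitIndex {
			n.FSM.Apply(n.Log[n.FSM.applied])
		}
	}
	return true
}

// Consistent reports whether every up node's FSM holds the same state as the leader's.
func (c *Cluster) Consistent() bool {
	leader := c.Nodes[c.Leader].FSM.data
	for _, n := range c.Nodes {
		if !n.Up {
			continue
		}
		if len(n.FSM.data) != len(leader) {
			return false
		}
		for k, v := range leader {
			if n.FSM.data[k] != v {
				return false
			}
		}
	}
	return true
}

func main() {
	c := NewCluster(5)
	c.Fail(3)
	c.Fail(4)
	fmt.Println("5 nodes, 2 down, write committed:", c.Propose("secret/a", "1"))
	c.Fail(2)
	fmt.Println("5 nodes, 3 down, write committed:", c.Propose("secret/b", "2"))
	c.Recover(2)
	fmt.Println("node 2 back, next write committed:", c.Propose("secret/c", "3"), "consistent:", c.Consistent())
	for _, n := range []int{3, 4, 5} {
		fmt.Printf("%d nodes tolerate %d failure(s)\n", n, NewCluster(n).MaxFailures())
	}
}
```

The MaxFailures figures are the whole argument for odd cluster sizes: 3 and 4 nodes both survive exactly one failure, so the fourth node buys nothing but an extra replica to keep in sync.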
SECURITY MODEL
Goals: confidentiality, integrity, availability, accountability, authentication.
Threat model:
- Eavesdropping on communication: all data leaving Vault (client to server and server to storage backend) is protected by TLS.
- Tampering with data: data written to the storage backend is encrypted with 256-bit AES in GCM mode with 96-bit nonces; GCM authenticates the ciphertext, so tampering is detected.
- Access to data without authentication: Vault validates the client token on every request and checks that it is not expired or revoked. Unsealing requires a threshold of key holders (a two-man rule) through Shamir's secret sharing.
- Access to data or controls without accountability: every request and response is audit logged.
- Confidentiality of stored secrets: secrets are encrypted at rest; policies are default deny; a root token is required for specific privileged tasks.
- Availability of data in the face of failure: HA mode.
Internal threat: a client holding a token is trusted only to the extent of its policies. External threat: the client is untrusted by design, and the storage backend is untrusted and only ever sees encrypted data.
TELEMETRY
- The Vault server collects various runtime metrics about the performance of its different libraries and subsystems.
- Metrics are aggregated at 10-second intervals and retained for 1 minute in memory.
- To view the raw data, send the USR1 signal (SIGUSR1) to the Vault process on Linux/Unix; Vault then dumps the current telemetry information to stderr.
- Metric categories: auth methods; Merkle tree and replication; write-ahead log; policy and token metrics; audit; secrets engines; integrated storage (Raft); core; leadership changes; runtime; integrated storage Raft backend storage.
TOKEN AUTHENTICATION
- The token auth method is built in to the core and is the core's only client authentication mechanism: every other auth method ends by issuing a token.
- Token properties (immutable once created):
  - ID: the primary identifier, randomly generated
  - Display name and metadata: used for audit logging
  - Number of uses (optional)
  - Parent ID (optional): the parent token that created this token
  - Policies: the associated list of ACL policies
  - Source path: the auth path that generated the token
- Tokens are created with `vault token create` (the auth/token/create path).
- Token trees: child tokens are created with a subset of the parent's policies. When a token is revoked, its entire subtree of child tokens is revoked with it.
KEY ROTATION
- Vault starts in the sealed state and is unsealed with the threshold of key shares (for example 3 of 5) via Shamir's secret sharing.
- Two different operations:
  - Rekey: changes the unseal keys and the master key. It requires meeting the threshold of the current unseal keys, after which a new master key and a new set of shares are generated.
  - Rotate: changes the backend encryption key. It can be done online: a new key is generated and added to the keyring as the next key term, and data written under earlier terms remains readable.
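The rotate operation, as an added Go example that is not Vault's own barrier code: a keyring of AES-256-GCM key terms with 96-bit random nonces (the construction named in the security model). Rotating adds a term without re-encrypting anything, each blob records the term it was written under, and the storage path is bound as associated data. The 4-byte term prefix and the path-as-AAD layout are this example's choices, not Vault's on-disk format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Keyring holds every encryption key term the barrier has used. The newest term encrypts new
// writes; older terms are kept so existing ciphertext stays readable without rewriting it.
type Keyring struct {
	terms  map[uint32]cipher.AEAD
	active uint32
}

// newAEAD makes a fresh random 256-bit AES key wrapped in GCM (96-bit nonce, 128-bit tag).
func newAEAD() (cipher.AEAD, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func NewKeyring() (*Keyring, error) {
	k := &Keyring{terms: map[uint32]cipher.AEAD{}}
	return k, k.Rotate()
}

// Rotate is the online operation: generate a new key, add it to the keyring as the next term,
// and leave the old terms (and all data written under them) untouched.
func (k *Keyring) Rotate() error {
	aead, err := newAEAD()
	if err != nil {
		return err
	}
	k.active++
	k.terms[k.active] = aead
	return nil
}

// Encrypt lays out [4-byte term][12-byte random nonce][ciphertext+tag]. The storage path is
// bound as associated data so a blob copied to another path fails to decrypt.
func (k *Keyring) Encrypt(path string, plaintext []byte) ([]byte, error) {
	aead := k.terms[k.active]
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(nonce)+len(plaintext)+aead.Overhead())
	binary.BigEndian.PutUint32(out, k.active)
	out = append(out, nonce...)
	return aead.Seal(out, nonce, plaintext, []byte(path)), nil
}

// Decrypt selects the term named in the blob, so data written before a rotation still opens.
func (k *Keyring) Decrypt(path string, blob []byte) ([]byte, error) {
	if len(blob) < 4 {
		return nil, errors.New("blob too short")
	}
	aead, ok := k.terms[k.Term(blob)]
	if !ok {
		return nil, fmt.Errorf("unknown key term %d", k.Term(blob))
	}
	ns := aead.NonceSize()
	if len(blob) < 4+ns+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	return aead.Open(nil, blob[4:4+ns], blob[4+ns:], []byte(path))
}

// Term reads the key term a blob was written under.
func (k *Keyring) Term(blob []byte) uint32 { return binary.BigEndian.Uint32(blob) }

func main() {
	kr, _ := NewKeyring()
	old, _ := kr.Encrypt("secret/app/db", []byte("hunter2"))
	kr.Rotate() // online: terms 1 and 2 now exist, new writes use term 2
	cur, _ := kr.Encrypt("secret/app/db", []byte("hunter2"))
	pt, err := kr.Decrypt("secret/app/db", old)
	fmt.Printf("old blob term=%d -> %q (err=%v); new blob term=%d\n", kr.Term(old), pt, err, kr.Term(cur))
	_, err = kr.Decrypt("secret/app/other", old)
	fmt.Println("same blob under another path:", err)
}
```

Rotation is not only about limiting the blast radius of a leaked key: with random 96-bit nonces, GCM's nonce-collision risk grows with the number of messages encrypted under one key, so a key that has encrypted a very large volume of writes should be rotated on that basis alone.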
REPLICATION (VAULT ENTERPRISE)
- Focus: HA for global deployments and scaling throughput. Primary/secondary clusters with asynchronous replication.
- Use cases:
  - Multi-DC deployments: a single Vault cluster imposes high latency on remote data centres.
  - Encryption as a service: users may generate a high volume of traffic.
  - Backup sites: business continuity (BCP) for the loss of a data centre.
- Design goals:
  - Availability: keep operating and tolerate reduced consistency.
  - Near real-time replication.
  - Conflict-free: write conflicts do not take place, because all writes go to the primary.
  - Simple to operate.
  - Transparent to clients.
REPLICATION ARCHITECTURE
- Based on the design goals, the storage backend (e.g. Consul) must support transactional updates, so multiple key/value updates can be applied atomically and become visible together.
- Log shipping: each cluster maintains a write-ahead log (WAL) of all updates; changes are shipped from the primary to the secondary.
- The primary is the authoritative source of truth and the only place where policies and secrets are modified. A secondary can read secrets and perform transit operations locally; writes are forwarded to the primary.
- If a secondary is new or too far behind the primary (not enough WALs retained, or a broken connection), Vault falls back to a Merkle index of the encrypted keys: the primary and secondary compare their indexes to determine which keys are out of sync and resynchronise only those, while writes continue on the primary, after which log shipping resumes.
- Tokens and leases stay local to each cluster and are not replicated (performance replication); a client that switches clusters must authenticate again.
- Performance: the Merkle index is updated in memory, so a power loss could leave it inconsistent with storage. Vault keeps the index consistent under failure conditions with a write-ahead logging approach modelled on the ARIES recovery algorithm.
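The Merkle-index comparison used when a secondary is too far behind, as an added Go example that is not the notes' or Vault's own index implementation. It assumes a two-level tree of 256 leaves addressed by the first two nibbles of sha256(key), stores only a hash of each key's ciphertext, and walks the two trees top-down so that subtrees with equal hashes are never opened. The 200 keys and the drift between primary and secondary are constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"sort"
)

const fanout = 16 // two-level tree indexed by the first two nibbles of sha256(key): 256 leaves

// Index is a Merkle index over encrypted storage. Each key maps to the hash of its ciphertext
// (never plaintext) and hashes roll up leaf -> subtree -> root, so two clusters can locate
// out-of-sync keys top-down, descending only into subtrees whose hashes differ.
type Index struct {
	leaves [fanout][fanout]map[string][32]byte
}

func (x *Index) leaf(key string) *map[string][32]byte {
	h := sha256.Sum256([]byte(key))
	return &x.leaves[h[0]>>4][h[0]&0x0f]
}

func (x *Index) Put(key string, ciphertext []byte) {
	l := x.leaf(key)
	if *l == nil {
		*l = map[string][32]byte{}
	}
	(*l)[key] = sha256.Sum256(ciphertext)
}

func (x *Index) Delete(key string) { delete(*x.leaf(key), key) }

func digest(parts ...[]byte) [32]byte { return sha256.Sum256(bytes.Join(parts, nil)) }

func hashChildren(n int, child func(int) [32]byte) [32]byte {
	var parts [][]byte
	for i := 0; i < n; i++ {
		c := child(i)
		parts = append(parts, c[:])
	}
	return digest(parts...)
}

// leafHash hashes a leaf's (key, ciphertext hash) pairs in sorted key order, so equal contents
// give equal hashes whatever the insertion order.
func (x *Index) leafHash(i, j int) [32]byte {
	keys := make([]string, 0, len(x.leaves[i][j]))
	for k := range x.leaves[i][j] {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	var parts [][]byte
	for _, k := range keys {
		v := x.leaves[i][j][k]
		parts = append(parts, []byte(k), v[:])
	}
	return digest(parts...)
}

func (x *Index) subtreeHash(i int) [32]byte {
	return hashChildren(fanout, func(j int) [32]byte { return x.leafHash(i, j) })
}

func (x *Index) Root() [32]byte { return hashChildren(fanout, x.subtreeHash) }

// Diff returns the keys that differ between primary and secondary (missing on either side or
// holding different ciphertext) and how many of the fanout*fanout leaves had to be examined.
func Diff(primary, secondary *Index) (keys []string, leavesExamined int) {
	if primary.Root() == secondary.Root() {
		return nil, 0
	}
	for i := 0; i < fanout; i++ {
		if primary.subtreeHash(i) == secondary.subtreeHash(i) {
			continue // whole subtree in sync: its 16 leaves are never touched
		}
		for j := 0; j < fanout; j++ {
			if primary.leafHash(i, j) == secondary.leafHash(i, j) {
				continue
			}
			leavesExamined++
			p, s := primary.leaves[i][j], secondary.leaves[i][j]
			for k, v := range p {
				if s[k] != v { // missing on the secondary, or different ciphertext
					keys = append(keys, k)
				}
			}
			for k := range s {
				if _, ok := p[k]; !ok { // only on the secondary: must be deleted there
					keys = append(keys, k)
				}
			}
		}
	}
	sort.Strings(keys)
	return keys, leavesExamined
}

// Scenario is constructed sample data: 200 keys replicated to a secondary that then fell behind
// by one rewritten key and one new key on the primary, plus a stale key already deleted there.
func Scenario() (primary, secondary *Index) {
	primary, secondary = &Index{}, &Index{}
	for n := 0; n < 200; n++ {
		key, ct := fmt.Sprintf("secret/app/k%03d", n), []byte(fmt.Sprintf("ciphertext-%d", n))
		primary.Put(key, ct)
		secondary.Put(key, ct)
	}
	primary.Put("secret/app/k007", []byte("ciphertext-7-rewritten"))
	primary.Put("secret/app/new", []byte("ciphertext-new"))
	secondary.Put("secret/app/stale", []byte("ciphertext-stale"))
	return primary, secondary
}

func main() {
	keys, n := Diff(Scenario())
	fmt.Printf("resync %v after examining %d of %d leaves\n", keys, n, fanout*fanout)
}
```

Because only ciphertext hashes enter the index, the comparison can run between clusters without either side revealing plaintext, and the stale-key case shows why the walk must look at both sides of a differing leaf: a key that exists only on the secondary is just as out of sync as one it is missing.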
PLUGIN SYSTEM
- All auth methods and secrets engines are plugins. Plugins are completely separate standalone applications that communicate with Vault over RPC.
- Plugins do not share Vault's memory space, so a crashing plugin cannot crash Vault entirely.
- Built-in and external plugins are treated alike: they snap together like Lego.

Vault Associate Certification Internals
