Vault: A Secure Way to Keep Your App's Secrets
Learn how you can use Vault to secure your systems private data by encrypting the keys.
Join the DZone community and get the full member experience.
Join For FreeIn this blog, we will discuss the Vault. In modern scenarios, we want to secure our system as much as possible. We don't want to store our secret keys and certificates in the system or configurations. We need a place where we can keep our secrets with more security and access them securely whenever we need them. We can use the Vault.
Vault is the secure place to store the secrets, password, token, APIKeys of the system with the control of their access. It provides security by encrypting the keys.
Key Feature of Vault
- Secure Storage
- Encryption
- Access Control Policies
- Dynamic Secrets
- Auditing
- Multiple Authentication
- Revocation
Secure Storage
We can store data as a Key-Value pair. These values are stored in encrypted form in persistent storage. So, gaining access to raw storage isn't enough to access your secrets.
Encryption
Vault has the ability to encrypt and decrypt data. It provides facilities to encrypt and store the encrypted data in any location without having to design their own encryption methods.
Access Control Policies
We can manage the access for the secrets or any other features of the vault. This is the most crucial feature for any secret storage system.
Dynamic Secrets
Vault can generate secrets whenever we want for any systems. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and the Vault will generate an AWS keypair with valid permissions on demand.
Auditing
We can audit all the request to the vault and we can keep the redundant logs files. This includes any request to Vault: successes, failures, configuration, data access, etc. Audit logs can be sent to the syslog, files, and more.
Multiple Authentication
We can talk with the vault via multiple methods of authentication. e.g. Vault possesses the ability to support tokens, username/password, GitHub, certificates, and more.
Revocation
Vault can revoke all secrets read by a specific user or all secrets of a specific type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.
How to Install Vault on the Local Machine?
You all can download vault from the link given below: https://www.vaultproject.io/downloads.html
After downloading, extract the vault zip and set the vault path in your .bashrc file.
Now you can validate the installation with just running vault command in your terminal.
Now, start the vault server on your local machine with the command: vault server -dev
As we can see the selected exported into the image, that is representing the host and port where the vault server is running. We can access the page with the help of the above address and root token. Find the reference in below image:
Now, we will keep our secret into the vault. We can do this with this command:
vault kv put secret/credential aws_access_token_key=1234 aws_access_token_secret=1234 In the above command, we are storing data into the vault on the path of secret/credential. Here secret/is compulsory. We can see the data on the given path. Ex:
We can simply get the data from the vault as:
vault kv get secret/credential
This is the basic introduction of the Vault. In the next blog, we will look at how we interact with vault via a Java client.
References
Topics:
security,
vault,
encryption,
key,
secrets,
password,
apikeys,
authentication,
installation
Published at DZone with permission of Anurag Srivastava, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
Comments