Securing and Managing Secrets with HashiCorp Vault Enterprise
By Trevor Hansen, Partner Solutions Architect at AWS
By Lance Larsen, Sr. Solutions Engineer at HashiCorp
Data security is a concern for all enterprises. Organizations often turn to dedicated hardware as a way to protect valuable information and secrets, but it becomes increasingly difficult to scale security as more infrastructure shifts to the cloud.
HashiCorp’s Vault Enterprise helps you achieve strong data security and scalability. Vault is a trusted secrets management tool designed to enable collaboration and governance across organizations. It enables developers, operators, and security professionals to deploy applications in zero-trust environments across public and private datacenters.
HashiCorp is an AWS Partner Network (APN) Advanced Technology Partner with the AWS DevOps Competency. In addition to Vault, they provide open source tools Vagrant, Packer, Terraform, Consul, and Nomad. Enterprise versions of Vault, Terraform, Consul, and Nomad enhance the open source tools with features that promote collaboration, governance, and multi-datacenter functionality.
Deep Integrations with AWS
Vault has deep integrations with Amazon Web Services (AWS) in both open source and enterprise editions. Whether you are securely introducing applications and services with the AWS authentication method, or providing human operators and applications with short-lived AWS secrets, Vault is a powerful tool in your DevSecOps arsenal.
Vault also integrates with AWS Key Management Service (KMS) and, if you require single-tenant access to tamper-resistant hardware security modules (HSMs) in your Amazon Virtual Private Cloud (VPC), with AWS CloudHSM. With Vault, you can manage database credentials, issue dynamic X.509 certificates, control SSH access, and much more.
Getting Started with Vault
After installing and initializing Vault, two encryption keys exist: a data encryption key (DEK) and a key encryption key (KEK), also known as the Master Key. The DEK forms Vault's cryptographic barrier, and all data that flows between Vault and the storage backend passes through that barrier.
The barrier guarantees that data written out to the storage backend for persistent storage is encrypted by the DEK before it leaves Vault. When Vault reads data back in from the storage backend, it is decrypted by the DEK and its integrity verified on the way in.
The DEK itself is stored in the backend along with all of the other data that has left Vault's cryptographic barrier, and it is encrypted by the Master Key. The Master Key is not persisted in this configuration. When initializing Vault, you specify the number of "key shares" the Master Key is split into, because you do not want the keys to the kingdom in one person's hands; Vault splits the key into those shares using an algorithm known as Shamir's Secret Sharing.
Once the Master Key is split into n key shares, any k of them (k being the threshold) are enough to reconstruct it, decrypt the DEK from the storage backend, and bring the DEK into Vault's memory so that Vault can operate the cryptographic barrier. Fewer than k shares reveal nothing about the Master Key. This process is known as "unsealing" Vault, because you are unsealing the cryptographic barrier.
Figure 1 – Protecting your Encryption Key with a Master Key, then splitting the Master Key into ‘n’ shares.
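To make the two-layer design concrete, here is an added example written for this article (it is not Vault's own code) in Go, the language Vault is implemented in. It implements Shamir's Secret Sharing over GF(2^8), the field Vault's shamir package also uses, wraps a DEK under a master key with AES-256-GCM as the barrier does, and then shows that three of five shares recover a master key that unwraps the DEK while two shares produce a key the GCM tag rejects. The 32-byte keys, the 5-of-3 split, and the share layout (x coordinate stored as the last byte) are choices made for this example; Vault's actual share format and storage layout differ.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gfMul multiplies in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 == 1 {
			p ^= a
		}
		a = a<<1 ^ 0x1b*(a>>7) // shift a, reducing when its top bit falls off
	}
	return p
}

// gfInv returns a^254, the inverse of nonzero a (Fermat's little theorem).
func gfInv(a byte) byte {
	r := a
	for i := 0; i < 6; i++ {
		r = gfMul(gfMul(r, r), a) // r = a^(2^(i+2)-1), ending at a^127
	}
	return gfMul(r, r)
}

// Split returns n shares of secret, any k of which reconstruct it. Byte pos of share i
// is a fresh random degree k-1 polynomial with constant term secret[pos] evaluated at
// x=i+1; the share's last byte records that x (layout chosen for this example).
func Split(secret []byte, n, k int) [][]byte {
	if k < 2 || k > n || n > 255 {
		panic("need 2 <= k <= n <= 255")
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = append(make([]byte, len(secret)), byte(i+1))
	}
	coeffs := make([]byte, k)
	for pos, s := range secret {
		coeffs[0] = s
		rand.Read(coeffs[1:])
		for i := range shares {
			var y byte
			for j := k - 1; j >= 0; j-- { // Horner evaluation at x=i+1
				y = gfMul(y, byte(i+1)) ^ coeffs[j]
			}
			shares[i][pos] = y
		}
	}
	return shares
}

// Combine interpolates at x=0. Below the threshold the result is a value
// independent of the secret rather than an error, so the caller must verify it.
func Combine(shares [][]byte) []byte {
	l := len(shares[0]) - 1
	secret := make([]byte, l)
	for pos := 0; pos < l; pos++ {
		for i, si := range shares {
			basis := byte(1) // L_i(0) = prod_{j!=i} x_j/(x_j-x_i); -x == x in this field
			for j, sj := range shares {
				if i != j {
					basis = gfMul(basis, gfMul(sj[l], gfInv(sj[l]^si[l])))
				}
			}
			secret[pos] ^= gfMul(si[pos], basis)
		}
	}
	return secret
}

// Wrap encrypts the DEK under the master key with AES-256-GCM, nonce prepended.
func Wrap(masterKey, dek []byte) []byte {
	block, _ := aes.NewCipher(masterKey) // keys here are always 32 bytes: cannot fail
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, dek, nil)
}

// Unwrap is the check an unseal needs: a wrong key makes the GCM tag fail.
func Unwrap(masterKey, blob []byte) ([]byte, error) {
	block, _ := aes.NewCipher(masterKey)
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

func main() {
	master, dek := make([]byte, 32), make([]byte, 32)
	rand.Read(master)
	rand.Read(dek)
	stored, shares := Wrap(master, dek), Split(master, 5, 3) // backend keeps stored; operators keep shares
	_, err3 := Unwrap(Combine(shares[1:4]), stored)          // 3 of 5, cf. -key-shares=5 -key-threshold=3
	_, err2 := Unwrap(Combine(shares[:2]), stored)           // 2 of 5: wrong key, tag check fails
	fmt.Println("3 shares unseal:", err3 == nil, "| 2 shares unseal:", err2 == nil)
}
```

Run it with go run; the printed line reports true for three shares and false for two. The point to notice is what Combine does with too few shares: it returns 32 bytes that carry no information about the master key rather than an error, which is why an unseal must be verified by decrypting something with the result (here the wrapped DEK; in Vault, the stored keyring) and why an authenticated mode such as GCM is the right choice for that wrapping.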
This process works well, but it becomes challenging when you operate many Vault clusters, since there are then many different key holders holding many different keys. Orchestrating the unsealing of a Vault node that has restarted, for example, requires coordinating several of those key holders and is not ideal in an automated world. For that reason, HashiCorp developed ways to automate this process by leveraging AWS KMS.
HSM Integration with Vault Enterprise
If you are striving for a higher degree of automation, and/or operate in heavily regulated environments, Vault Enterprise and AWS offer the following turnkey solutions: AWS CloudHSM and AWS Key Management Service.
Both of these services protect your cryptographic keys with FIPS 140-2 validated hardware. For most enterprises, AWS KMS is the service of choice. In select cases where an enterprise requires a single-tenant, FIPS 140-2 Level 3 validated HSM, CloudHSM is required.
CloudHSM is a cloud-based hardware security module that enables you to easily generate and use your own encryption keys on the AWS cloud. With CloudHSM, you can manage your own encryption keys using FIPS 140-2 Level 3 validated HSMs.
Figure 2 – AWS CloudHSM has zero-config high availability that includes automatic backups stored in Amazon S3.
Benefits of Vault and AWS KMS or AWS CloudHSM
Automated Unsealing lets operators delegate the unsealing process to a trusted cloud key service: instead of collecting key shares from operators, Vault asks KMS or the HSM to decrypt its Master Key at startup. In Vault's configuration this is the seal stanza (seal "awskms" for KMS, seal "pkcs11" for CloudHSM). This eases operations in the event of a partial failure and aids the creation of new or ephemeral clusters.
Seal Wrapping adds an additional layer of encryption, supplied by the auto-unseal source (the KMS key or the HSM), around Vault's keyring, its Master Key material, and the other cryptographic components Vault uses to derive keys, so those values are protected by the HSM's cryptography in addition to Vault's own. This is useful for compliance in regulated environments, including those that require FIPS 140-2 validated cryptography. HashiCorp Vault has been evaluated as conformant with the FIPS 140-2 standards by Leidos.
In conclusion, HashiCorp's Vault is an effective tool for managing your secrets. Through a unified API, AWS integration, and straightforward deployment, Vault can be integrated into your development at any stage. Vault gives you that extra layer of data security while scaling secret storage, key rotation, and audit logging to enterprise scale.
To learn more, we recommend you watch the webinar on HashiCorp + AWS: Integrating CloudHSM with Vault Enterprise for a live demo and to see how Vault’s HSM support features work with AWS CloudHSM. The webinar also discusses the technical requirements to use HSM support features, and the behavioral changes in Vault when using CloudHSM.