A short sweet intro to Vault
HashiCorp Vault has become a rising star in credential management for organizations built on open source. The project has kept up a steady pace of development and offers wide plugin support across most DevOps / SysOps toolsets. Want to use Vault in Jenkins? Go ahead, there is already a HashiCorp Vault Plugin for it! You use Terraform too? Built by the creators of Terraform, Vault has made credential management in complex organizations a piece of cake. 🍰
What makes Vault unique is the availability of an open HTTP API and a powerful command line interface, which together can satisfy just about any developer. New out of the box? It has a well designed Web UI too! ✨
Also, take a look at the command line tool:
    Usage: vault <command> [args]

    Common commands:
        read        Read data and retrieves secrets
        write       Write data, configuration, and secrets
        delete      Delete secrets and configuration
        list        List data or secrets
        login       Authenticate locally
        agent       Start a Vault agent
        server      Start a Vault server
        status      Print seal and HA status
        unwrap      Unwrap a wrapped secret

    Other commands:
        audit       Interact with audit devices
        auth        Interact with auth methods
        debug       Runs the debug command
        kv          Interact with Vault's Key-Value storage
        lease       Interact with leases
        monitor     Stream log messages from a Vault server
        namespace   Interact with namespaces
        operator    Perform operator-specific tasks
        path-help   Retrieve API help for paths
        plugin      Interact with Vault plugins and catalog
        policy      Interact with policies
        print       Prints runtime configurations
        secrets     Interact with secrets engines
        ssh         Initiate an SSH session
        token       Interact with tokens
Vault's encryption design is interesting enough that corporations invest in setting it up as their credential manager. The idea comes from none other than Adi Shamir, one of the co-founders of RSA: Shamir's Secret Sharing.
From Wikipedia:
Shamir’s Secret Sharing (SSS) is used to secure a secret in a distributed way, most often to secure other encryption keys. The secret is split into multiple parts, called shares. These shares are used to reconstruct the original secret.
To unlock the secret via Shamir’s secret sharing, a minimum number of shares are needed. This is called the threshold, and is used to denote the minimum number of shares needed to unlock the secret.
Whether to adopt it is up to each company, but yes: this is the principle behind Vault.
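To make the threshold idea concrete, here is a small Shamir split-and-recover routine, added as an illustration for this post (it is not Vault's own code; Vault's implementation differs in detail, and the prime field and sample secret below are constructed choices for readability):

```python
"""Shamir's Secret Sharing: split a secret into n shares, any k recover it.

Added illustration, not Vault's code. Arithmetic is modulo a large prime so
each share is a point on a random polynomial whose constant term is the secret.
"""
import secrets

PRIME = 2**127 - 1  # a Mersenne prime; secrets must be smaller than this (constructed choice)


def split_secret(secret: int, shares: int, threshold: int, rng=secrets.randbelow):
    """Return a list of (x, y) points; any `threshold` of them recover `secret`."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be in [0, PRIME)")
    # f(x) = secret + a1*x + ... + a_{t-1}*x^(t-1), higher coefficients random
    coeffs = [secret] + [rng(PRIME) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of f(x) mod PRIME
            y = (y * x + c) % PRIME
        points.append((x, y))
    return points


def recover_secret(points):
    """Lagrange-interpolate f(0) from the points given (x values must be distinct).

    With fewer than `threshold` points this still returns a value, but it is
    unrelated to the secret: that is the property the threshold buys you.
    """
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME        # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME  # product of (xi - xj)
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def demo():
    """Split a constructed sample secret 3-of-5 and recover it from two subsets."""
    secret = 0xC0FFEE  # constructed sample standing in for an unseal key
    shares = split_secret(secret, shares=5, threshold=3)
    return recover_secret(shares[:3]) == secret and recover_secret(shares[2:]) == secret
```

The `rng` argument exists only so the split can be made reproducible; in practice leave it at the default so the share coefficients are drawn from a cryptographically secure source.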
HashiCorp also offers Vault as a service, if you prefer to invest in that. But sometimes it is nice to have your own copy of Vault, preferably behind your firewall. After all, installing Vault is a piece of cake.
Vault brings a steep learning curve, but once understood it makes credential management in a large team much smoother. At the very least, we can stop storing credentials on GitHub or GitLab, or sending them through Slack, please. 🥺
Vault might be an unnecessary layer of complexity if your organization is small, or if it's just you working on a hobby project.