A short sweet intro to Vault
Hashicorp Vault has been a rising star in managing credentials for open source powered organizations. Vault has significantly done a good job in keeping up the development, and the wide plugin support over most of DevOps / SysOps toolsets. Wanna use Vault in Jenkins, go ahead! There is already a Hashicorp Vault Plugin out there! You use Terraform too? Built by the creators of Terraform, Vault has made credential management systems in complex organizations a piece of cake. 🍰
What makes Vault unique, is the availablity of an open HTTP API and a powerful command line interface, which can literally satisfy any average developer. Oh, you are a new-out-of-box? It has a well designed Web UI too! ✨
Also, take a look at the command line tool:
Usage: vault <command> [args]
Common commands:
read Read data and retrieves secrets
write Write data, configuration, and secrets
delete Delete secrets and configuration
list List data or secrets
login Authenticate locally
agent Start a Vault agent
server Start a Vault server
status Print seal and HA status
unwrap Unwrap a wrapped secret
Other commands:
audit Interact with audit devices
auth Interact with auth methods
debug Runs the debug command
kv Interact with Vault's Key-Value storage
lease Interact with leases
monitor Stream log messages from a Vault server
namespace Interact with namespaces
operator Perform operator-specific tasks
path-help Retrieve API help for paths
plugin Interact with Vault plugins and catalog
policy Interact with policies
print Prints runtime configurations
secrets Interact with secrets engines
ssh Initiate an SSH session
token Interact with tokens
Vault uses an interesting design in encryption which interests corporates into investing into setting up Vault as credential manager. The idea is taken from none other than one of the co-founders of RSA itself, Adi Shamir, called Shamir’s Secret Sharing.
From the Wikipedia,
Shamir’s Secret Sharing (SSS) is used to secure a secret in a distributed way, most often to secure other encryption keys. The secret is split into multiple parts, called shares. These shares are used to reconstruct the original secret.
To unlock the secret via Shamir’s secret sharing, a minimum number of shares are needed. This is called the threshold, and is used to denote the minimum number of shares needed to unlock the secret.
Well, it depends on the company if they decide to adopt it, but yes. This is the principle behind Vault.
Hashicorp Vault provides a Vault-as-a-Service, if you prefer to invest in that. But sometimes, it might be nice to have your own copy of Vault, preferably behind your firewall. After all, installing Vault is a piece of cake.
Vault brings in a high learning curve, but once understood; it technically makes credential mangement in a large team more smooth. At least, we can not store credentials on GitHub or GitLab, or not send them through Slack please. 🥺
Vault might be an unnecessary layer of complexity, if your organization is small, or if its just you, doing a hobby project.
Read other posts