A short sweet intro to Vault

2021-08-10 hashicorp vault credentials DevOps

Hashicorp Vault has been a rising star in managing credentials for open source powered organizations. Vault has significantly done a good job in keeping up the development, and the wide plugin support over most of DevOps / SysOps toolsets. Wanna use Vault in Jenkins, go ahead! There is already a Hashicorp Vault Plugin out there! You use Terraform too? Built by the creators of Terraform, Vault has made credential management systems in complex organizations a piece of cake. 🍰

What makes Vault unique, is the availablity of an open HTTP API and a powerful command line interface, which can literally satisfy any average developer. Oh, you are a new-out-of-box? It has a well designed Web UI too! ✨

Vault Web UI

Also, take a look at the command line tool:

Usage: vault <command> [args]

Common commands:
    read        Read data and retrieves secrets
    write       Write data, configuration, and secrets
    delete      Delete secrets and configuration
    list        List data or secrets
    login       Authenticate locally
    agent       Start a Vault agent
    server      Start a Vault server
    status      Print seal and HA status
    unwrap      Unwrap a wrapped secret

Other commands:
    audit          Interact with audit devices
    auth           Interact with auth methods
    debug          Runs the debug command
    kv             Interact with Vault's Key-Value storage
    lease          Interact with leases
    monitor        Stream log messages from a Vault server
    namespace      Interact with namespaces
    operator       Perform operator-specific tasks
    path-help      Retrieve API help for paths
    plugin         Interact with Vault plugins and catalog
    policy         Interact with policies
    print          Prints runtime configurations
    secrets        Interact with secrets engines
    ssh            Initiate an SSH session
    token          Interact with tokens

Vault uses an interesting design in encryption which interests corporates into investing into setting up Vault as credential manager. The idea is taken from none other than one of the co-founders of RSA itself, Adi Shamir, called Shamir’s Secret Sharing.

From the Wikipedia,

Shamir’s Secret Sharing (SSS) is used to secure a secret in a distributed way, most often to secure other encryption keys. The secret is split into multiple parts, called shares. These shares are used to reconstruct the original secret.

To unlock the secret via Shamir’s secret sharing, a minimum number of shares are needed. This is called the threshold, and is used to denote the minimum number of shares needed to unlock the secret.

Well, it depends on the company if they decide to adopt it, but yes. This is the principle behind Vault.

Hashicorp Vault provides a Vault-as-a-Service, if you prefer to invest in that. But sometimes, it might be nice to have your own copy of Vault, preferably behind your firewall. After all, installing Vault is a piece of cake.

Vault brings in a high learning curve, but once understood; it technically makes credential mangement in a large team more smooth. At least, we can not store credentials on GitHub or GitLab, or not send them through Slack please. 🥺

Vault might be an unnecessary layer of complexity, if your organization is small, or if its just you, doing a hobby project.

Read other posts