Are secrets stored in vault db cleartext after unsealing?


Alex G

Sep 13, 2017, 9:39:53 AM
to Vault
Hi.

I know it would make no sense, but it is unclear from the official documentation whether secrets stored in the vault db are cleartext (unencrypted) after unsealing or not.

Since we're already discussing the ins and outs, a few more thoughts on vault architecture:

  1. Is there a best practice for vault security configuration available?
  2. Is it possible to mount the vault db off the vault server? Could it be considered more secure, since it would seem that the vault server only holds the master key (unencrypted if unsealed) and compromise of the db / db infrastructure yields only encrypted data?
  3. How does the vault db authenticate the vault server, and how is that access further secured (in transit, access control, etc.)?
Appreciate your time,

Cheers,
-Alex G

Alex G

Sep 13, 2017, 10:18:14 AM
to Vault
4. Does vault support OpenDJ Directory for authentication of access and authorization of access to secrets?

Armon Dadgar

Sep 13, 2017, 2:48:42 PM
to Alex G, vault...@googlegroups.com
Alex,

It might be helpful to review the Vault architecture docs: https://www.vaultproject.io/docs/internals/architecture.html
Vault encrypts data in transit and at rest, but to each of your questions:

1) There is a best practices production hardening guide here: https://www.vaultproject.io/guides/production.html
In general for Vault policies, you should follow the principle of least privilege and only grant as much access as needed. Vault follows a default-deny model as well.

2) Vault stores data at rest via a storage backend. Everything in the storage backend is encrypted at rest. There are many different backends possible, and they do not need to be on the same box as Vault: https://www.vaultproject.io/docs/configuration/storage/index.html

3) Depends on the Vault storage backend. Storage is treated as untrusted, so Vault encrypts and authenticates all data going to/from the backend.

4) As long as OpenDJ implements the LDAP protocol, the existing LDAP support should work: https://www.vaultproject.io/docs/auth/ldap.html

Hope that helps!

Best Regards,
Armon Dadgar
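A toy model of what the reply above describes, added here as an illustration and not Vault's own code: the storage backend only ever holds nonce + ciphertext + tag, sealing drops the key from memory, and an entry that has been modified or moved to another path fails authentication. It substitutes an HMAC-SHA256 stream cipher for Vault's AES-GCM so it runs on the Python standard library alone; the class and method names are the example's own.

```python
import hashlib, hmac, secrets

class SealedError(Exception):
    """Raised when the barrier is sealed (no key in memory)."""

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a constructed stand-in for Vault's AES-GCM (stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

class Barrier:
    """Toy model of the barrier between Vault and its untrusted storage backend."""

    def __init__(self, backend: dict):
        self.backend = backend  # the storage backend: only ever sees nonce+ciphertext+tag
        self.key = None         # encryption key, held in memory only while unsealed

    def unseal(self, key: bytes) -> None:
        self.key = key

    def seal(self) -> None:
        self.key = None  # sealing drops the key; stored blobs stay opaque

    def _subkeys(self):
        if self.key is None:
            raise SealedError("barrier is sealed")
        enc = hmac.new(self.key, b"enc", hashlib.sha256).digest()
        mac = hmac.new(self.key, b"mac", hashlib.sha256).digest()
        return enc, mac

    def put(self, path: str, plaintext: bytes) -> None:
        enc, mac = self._subkeys()
        nonce = secrets.token_bytes(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
        # The tag covers the path too, so a blob cannot be relocated to another key.
        tag = hmac.new(mac, path.encode() + nonce + ct, hashlib.sha256).digest()
        self.backend[path] = nonce + ct + tag

    def get(self, path: str) -> bytes:
        enc, mac = self._subkeys()
        blob = self.backend[path]
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(mac, path.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("storage entry failed authentication")  # tampered or swapped
        return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))
```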