Best way to move secrets to another mount


Shota Megrelishvili

Dec 17, 2015, 3:41:41 AM
to Vault
Hello,

I'm planning to use Vault+Consul in my project and thinking about the best architecture to implement for storing data securely. The question is how can I easily move stored secrets from one mount to another?

Current architecture I'm implementing:
1. Public web-server where customers store their secret data.
2. Separate secure Vault server that is accessible only through the HTTP API (app_id/user_id).

Data uploaded by customers is stored directly on the Vault server through the HTTP API.

For these purposes, I created two mounts:
1. The web-server stores secret data on the separate Vault server using the app_id authentication method. The app_id uses a specific role to save data to MOUNT_A (write permission on that mount only) via the HTTP API.
2. To prevent a leak of the secret data even if a hacker succeeds in getting root access on the web-server, the plan is to automatically move the data from MOUNT_A to MOUNT_B as a batch process running on the Vault server.
MOUNT_B could be accessed via a different role with a special ACL.

The question is: what is the best practice to move the data from MOUNT_A to MOUNT_B?

The only way I can think of right now is:
Write a special script and store it on the Vault server. The script will know what to read from MOUNT_A, then write it to MOUNT_B, and then remove it from MOUNT_A.

Is this approach optimal?

Thank you in advance!

Armon Dadgar

Dec 23, 2015, 2:49:59 AM
to Shota Megrelishvili, vault...@googlegroups.com
Hey Shota,

That is probably the best way currently. Vault has no notion of a “move”,
so doing a read from MOUNT_A, write to MOUNT_B, and delete from MOUNT_A
is the best way to achieve this.

Best Regards,
Armon Dadgar
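A script implementing the read/write/delete sequence Armon describes, added here as an example (not code from the thread or from HashiCorp). It assumes generic/KV-v1 mounts with flat keys and a batch token whose policy grants read+delete on MOUNT_A and create+read on MOUNT_B; the copy is written and read back before the original is deleted, so a crash midway leaves the secret in at least one mount rather than in none. `MemoryKV` is a constructed stand-in so the logic can be exercised offline.

```python
"""Batch mover for the MOUNT_A -> MOUNT_B scheme: copy, verify the copy,
then delete the original, so a crash midway never loses a secret.
Assumed (not from the thread): generic/KV-v1 mounts with flat keys."""
import json
import urllib.request

class VaultHttpClient:
    """Thin token-authenticated JSON client for Vault's HTTP API."""
    def __init__(self, addr, token):
        self.addr, self.token = addr.rstrip("/"), token

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{self.addr}/v1/{path}", data=data, method=method,
                                     headers={"X-Vault-Token": self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()                  # write/delete answer 204, empty body
        return json.loads(raw)["data"] if raw else None

    def read(self, path):        return self._call("GET", path)
    def write(self, path, data): self._call("POST", path, data)
    def delete(self, path):      self._call("DELETE", path)
    def list_keys(self, mount):  return self._call("GET", f"{mount}/?list=true")["keys"]

class MemoryKV:
    """Constructed in-memory stand-in with the same interface, for offline runs."""
    def __init__(self, store):   self.store = dict(store)
    def read(self, path):        return self.store.get(path)
    def write(self, path, data): self.store[path] = dict(data)
    def delete(self, path):      self.store.pop(path, None)
    def list_keys(self, mount):
        return [k.split("/", 1)[1] for k in self.store if k.startswith(mount + "/")]

def move_secret(client, src_path, dst_path):
    """Copy, read the copy back, and only then delete the original."""
    secret = client.read(src_path)
    if secret is None:
        raise LookupError(f"nothing stored at {src_path}")
    client.write(dst_path, secret)
    if client.read(dst_path) != secret:        # never delete an unverified copy
        raise RuntimeError(f"copy at {dst_path} did not verify")
    client.delete(src_path)
    return dst_path

def move_mount(client, src_mount, dst_mount):
    """Move every key under src_mount to the same key under dst_mount."""
    return [move_secret(client, f"{src_mount}/{k}", f"{dst_mount}/{k}")
            for k in client.list_keys(src_mount)]
```

Against a real server, `move_mount(VaultHttpClient("https://vault.example:8200", token), "MOUNT_A", "MOUNT_B")` performs the batch; the web-server's app_id token, with write-only on MOUNT_A, cannot run it.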