Developer Tharun
Developer Tharun
Hashicorp Vault | Dev and Prod server setup | Unseal | Policies | TLS setup | Developer Tharun
Hey there! Follow the podcast if you like the episode
This is Tharun. In the Developer Tharun Podcast, I speak about Software Engineering
Thank you for Listening
In this Episode
- Vault server setup flow
- What is seal/unseal of Vault server?
- Policies
- Difference between server in Dev mode & Prod mode
And more...
Vault stores data in encrypted format. The encryption key that is being used to encrypt/decrypt the data is also stored along with rest of the data in the keyring. When a Vault server starts, it knows where the data resides through the configuration that we provide Vault with but doesn't know how to decrypt the encryption key that is present in the keyring along with the Vault encrypted data.
Here comes the master key that is used to decrypt the encryption key which is also present alongside all other Vault data. This master key is also encrypted and we need a special key that can decrypt the master key, this key is known as Unseal key.
The Unseal key is generated during the init process using an algorithm known as 'Shamir's secret sharing', where the unseal key is split into certain number of unseal keys 'X' and every time we want to unseal the Vault server we will need a certain number of unseal keys 'Y' and these 'X' and 'Y' values can be decided by the Vault architect when initializing the Vault server.
The main intention of creating several unseal keys is to distribute these unseal keys among several stakeholders such that, a minimum number of stake holders are needed to unseal the server or perform major operations on the server.
What are policies?Policies help you create rules that define access to various secrets. We can create policies that allow certain level access like create access, update access, read access, delete access and so on. We then assign this policy to a particular authentication mechanism of a user. This user will have only those access mentioned in the policies attached to his credentials. This way, Vault makes sure that we provide minimal and only necessary access to Vault stakeholders.
