HashiCorp Vault sealing questions


I've started playing with HashiCorp's Vault to manage secrets and had some questions about the day-to-day of Vault sealing. My workflow has two auth backends; specific users access Vault with write access to add new secrets, servers have read-only access for the secrets they need.

1) Under normal circumstances, does the Vault stay in an unsealed state? I believe it would as a dynamically provisioned server should not have to coordinate an unseal.

2) Is the purpose of sealing to off-board staff to rotate keys and in case of an intrusion?

3) What's the best practice for ensuring the vault process is always running, since if it dies the Vault will seal? Also, in a highly available configuration, if one Vault node's process dies, does it seal the Vault for everyone?

2

There are 2 answers

0
Dan Stark On BEST ANSWER

I asked this question on the Vault Google Group and this was the best response:

1) Under normal circumstances, does the Vault stay in an unsealed state? I believe it would as a dynamically provisioned server should not have to coordinate an unseal.

Yes. Once Vault is initialized and unsealed, it 'normally' stays in an unsealed state.

2) Is the purpose of sealing to off-board staff to rotate keys and in case of an intrusion?

Sealing of Vault enables a turn key mechanism to stop all the services of Vault. It would require a specific number of unseal key holders to make Vault operational again.

3) What's the best practice for ensuring the vault process is always running, since if it dies the Vault will seal? Also, in a highly available configuration, if one Vault node's process dies, does it seal the Vault for everyone?

There is no official best practice recommendation for this. But running Vault in a dedicated instance/cluster with very limited/no-access to its memory. Running Vault in a HA mode using a backend which supports it is good. If any of the cluster nodes goes down or if the Vault process is restarted, it will be in a sealed state and would require the unseal operation to be performed to make it operational.

Best, Vishal
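
A per-node seal check for the HA setup discussed in point 3, as an added example that is not part of the original answers: it reads the JSON returned by Vault's `/v1/sys/seal-status` endpoint for each node and lists the nodes that need an unseal. The hostnames and sample response bodies are constructed, and `fetch_seal_status`, `classify` and `cluster_report` are hypothetical helper names.

```python
import json
import urllib.request

# Constructed sample bodies in the shape of Vault's GET /v1/sys/seal-status
# response; hostnames and values are made up for this example.
SAMPLE_RESPONSES = {
    "https://vault-1.example.internal:8200": '{"sealed": false, "t": 3, "n": 5, "progress": 0}',
    "https://vault-2.example.internal:8200": '{"sealed": true, "t": 3, "n": 5, "progress": 1}',
    "https://vault-3.example.internal:8200": None,  # process down or unreachable
}

def fetch_seal_status(addr, timeout=3):
    """Live query for one node (not used by the offline demo below)."""
    try:
        with urllib.request.urlopen(addr + "/v1/sys/seal-status", timeout=timeout) as r:
            return r.read().decode()
    except OSError:  # URLError, timeouts and refused connections
        return None

def classify(body):
    """Map one seal-status body to (state, detail)."""
    if body is None:
        return ("unreachable", "process down or network failure")
    try:
        s = json.loads(body)
        sealed = s["sealed"]
    except (ValueError, KeyError, TypeError):
        return ("unknown", "unparseable response")
    if sealed:
        missing = max(s.get("t", 0) - s.get("progress", 0), 0)
        return ("sealed", f"{missing} more key share(s) needed")
    return ("unsealed", "serving requests")

def cluster_report(responses):
    """Summarise every node: which need an unseal, and is any node unsealed."""
    nodes = {addr: classify(body) for addr, body in responses.items()}
    needs_unseal = sorted(a for a, (st, _) in nodes.items() if st == "sealed")
    available = any(st == "unsealed" for st, _ in nodes.values())
    return {"nodes": nodes, "needs_unseal": needs_unseal, "available": available}

if __name__ == "__main__":
    report = cluster_report(SAMPLE_RESPONSES)
    for addr, (state, detail) in report["nodes"].items():
        print(f"{addr}: {state} ({detail})")
    print("needs unseal:", report["needs_unseal"])
    print("at least one unsealed node:", report["available"])
```

For live use, build the `responses` dict with `fetch_seal_status` for each node address and alert on any entry in `needs_unseal` or any `unreachable` node.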

0
Justinas Jakavonis On

Taken from https://www.vaultproject.io/docs/concepts/seal.html:

  1. "Under normal circumstances, does the Vault stay in an unsealed state?" -

When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it.

Unsealing is the process of constructing the master key necessary to read the decryption key to decrypt the data, allowing access to the Vault.

Prior to unsealing, almost no operations are possible with Vault. For example authentication, managing the mount tables, etc. are all not possible. The only possible operations are to unseal the Vault and check the status of the unseal.

  2. "Is the purpose of sealing to off-board staff to rotate keys and in case of an intrusion?" -

This way, if there is a detected intrusion, the Vault data can be locked quickly to try to minimize damages. It can't be accessed again without access to the master key shards.

  3. "since if it dies the Vault will seal?" - yes.