I've started playing with Hashicorp's Vault to manage secrets and had some questions about the day-to-day of Vault sealing. My workflow has two auth backends: specific users access Vault with write access to add new secrets, and servers have read-only access to the secrets they need.
1) Under normal circumstances, does the Vault stay in an unsealed state? I believe it would as a dynamically provisioned server should not have to coordinate an unseal.
2) Is the purpose of sealing to off-board staff to rotate keys and in case of an intrusion?
3) What's the best practice for ensuring the vault process is always running, since if it dies the Vault will seal? Also, in a highly available configuration, if one Vault node's process dies, does it seal the Vault for everyone?
I asked this question on the Vault Google Group and this was the best response:
1) Under normal circumstances, does the Vault stay in an unsealed state? I believe it would as a dynamically provisioned server should not have to coordinate an unseal.
Yes. Once Vault is initialized and unsealed, it 'normally' stays in an unsealed state.
2) Is the purpose of sealing to off-board staff to rotate keys and in case of an intrusion?
Sealing of Vault enables a turnkey mechanism to stop all the services of Vault. It would require a specific number of unseal key holders to make Vault operational again.
3) What's the best practice for ensuring the vault process is always running, since if it dies the Vault will seal? Also, in a highly available configuration, if one Vault node's process dies, does it seal the Vault for everyone?
There is no official best practice recommendation for this. But running Vault in a dedicated instance/cluster with very limited or no access to its memory, and running Vault in HA mode using a backend which supports it, is good. If any of the cluster nodes goes down or if the Vault process is restarted, it will be in a sealed state and would require the unseal operation to be performed to make it operational.
Best, Vishal
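The answer above says a restarted node comes back sealed and needs a quorum of unseal key holders. The script below is an added example (not from the question, the Google Group reply, or the Vault project) that checks the seal state of each node in an HA cluster through Vault's unauthenticated GET /v1/sys/seal-status endpoint, so an operator can see which nodes are serving, which are sealed and how many more key shares they need, and which are unreachable (the "process died" case). The node names, addresses and the JSON bodies in SAMPLE_RESPONSES are constructed for illustration; fetch_seal_status is the only part that talks to a live server.

```python
"""Seal-status check across Vault HA nodes (added example, not from the post).

Uses Vault's unauthenticated GET /v1/sys/seal-status endpoint. The response
fields used here are: initialized, sealed, t (shares required to unseal),
n (shares that exist) and progress (shares entered so far).
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class NodeSealStatus:
    node: str
    initialized: bool
    sealed: bool
    threshold: int          # "t": key shares needed to unseal this node
    shares: int             # "n": key shares that were generated at init
    progress: int           # shares already entered in the current unseal attempt
    reachable: bool = True  # False when the node's process/API did not answer


def parse_seal_status(node: str, body: str) -> NodeSealStatus:
    """Parse one /v1/sys/seal-status JSON body into a NodeSealStatus."""
    doc = json.loads(body)
    return NodeSealStatus(
        node=node,
        initialized=bool(doc.get("initialized", False)),
        sealed=bool(doc.get("sealed", True)),  # treat a missing field as sealed
        threshold=int(doc.get("t", 0)),
        shares=int(doc.get("n", 0)),
        progress=int(doc.get("progress", 0)),
    )


def fetch_seal_status(node: str, addr: str, timeout: float = 3.0) -> NodeSealStatus:
    """Query a live node; no token is required for this endpoint.
    A connection failure is recorded as unreachable rather than raised, since a
    node whose process has died is unusable to clients in exactly the same way."""
    url = addr.rstrip("/") + "/v1/sys/seal-status"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return parse_seal_status(node, resp.read().decode("utf-8"))
    except OSError:
        return NodeSealStatus(node, False, True, 0, 0, 0, reachable=False)


def describe(s: NodeSealStatus) -> str:
    """One human-readable line per node, including how far an unseal has progressed."""
    if not s.reachable:
        return f"{s.node}: UNREACHABLE (process down? a restarted node comes back sealed)"
    if not s.initialized:
        return f"{s.node}: NOT INITIALIZED"
    if s.sealed:
        needed = s.threshold - s.progress
        return (f"{s.node}: SEALED ({s.progress}/{s.threshold} shares entered, "
                f"{needed} more needed, {s.shares} shares exist)")
    return f"{s.node}: unsealed"


def cluster_summary(statuses: List[NodeSealStatus]) -> Dict[str, List[str]]:
    """Group nodes so an operator sees at a glance whether any node can serve."""
    summary: Dict[str, List[str]] = {"unsealed": [], "sealed": [], "unreachable": []}
    for s in statuses:
        if not s.reachable:
            summary["unreachable"].append(s.node)
        elif s.sealed:
            summary["sealed"].append(s.node)
        else:
            summary["unsealed"].append(s.node)
    return summary


# Constructed sample data: one serving node, one mid-unseal, one whose process is down.
SAMPLE_RESPONSES: Dict[str, Optional[str]] = {
    "vault-1": '{"type":"shamir","initialized":true,"sealed":false,"t":3,"n":5,"progress":0}',
    "vault-2": '{"type":"shamir","initialized":true,"sealed":true,"t":3,"n":5,"progress":1}',
    "vault-3": None,  # no response at all
}


def poll_from_samples(samples: Dict[str, Optional[str]]) -> List[NodeSealStatus]:
    """Offline stand-in for polling: a None body models an unreachable node."""
    statuses = []
    for node, body in samples.items():
        if body is None:
            statuses.append(NodeSealStatus(node, False, True, 0, 0, 0, reachable=False))
        else:
            statuses.append(parse_seal_status(node, body))
    return statuses


if __name__ == "__main__":
    # For a real cluster, replace the sample poll with e.g.
    #   [fetch_seal_status(n, a) for n, a in {"vault-1": "https://vault-1:8200"}.items()]
    results = poll_from_samples(SAMPLE_RESPONSES)
    for st in results:
        print(describe(st))
    print(cluster_summary(results))
```

Alert on the "sealed" and "unreachable" groups rather than on any single node: in HA mode each node reports its own seal state, so the cluster still serves requests while at least one node is unsealed. A sealed node is brought back with `vault operator unseal`, one key share per invocation, until `progress` reaches `t`.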