Secrets Management in Low Trust Networks

Centrally store, access, and deploy secrets across applications, systems, and infrastructure

The Challenge

Secrets for applications and systems need to be centralized, and static, IP-based solutions don't scale in dynamic environments where applications and machines change frequently

The Solution

Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity


Using Vault to Protect Adobe's Secrets and User Data Across Clouds and Datacenters

Securing secrets and application data is a complex task for globally distributed organizations. For Adobe, managing secrets for over 20 products across 100,000 hosts, four regions, and trillions of transactions annually requires a different approach altogether.


Secret Management Features

Dynamic Secrets

Dynamically create, revoke, and rotate secrets programmatically

Secret Storage

Encrypt data while at rest, in the storage backend of your choice

  $ cat vault.config
  storage "consul" {
    address = "127.0.0.1:8500"
    path    = "vault"
  }

  listener "tcp" {
    address = "127.0.0.1:8200"
  }

  telemetry {
    statsite_address = "127.0.0.1:8125"
    disable_hostname = true
  }

Secure Plugins

Improve the extensibility of Vault with pluggable secret backends

Supported backends include MySQL, Cassandra, Oracle, Consul, AWS, MongoDB, PostgreSQL and Microsoft SQL Server.

Detailed Audit Logs

Detailed audit log of all client interactions (authentication, token creation, secret access and revocation)

  $ cat audit.log | jq
  {
    "time": "2018-08-27T13:17:11.609621226Z",
    "type": "response",
    "auth": {
      "client_token": "hmac-sha256:5c40f1e051ea75b83230a5bf16574090f697dfa22a78e437f12c1c9d226f45a5",
      "accessor": "hmac-sha256:f254a2d442f172f0b761c9fd028f599ad91861ed16ac3a1e8d96771fd920e862",
      "display_name": "token",
      "metadata": null,
      "entity_id": ""
    }
  }
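The audit device emits one JSON object per event, with the client token and accessor replaced by HMACs as shown above. The following Python checker is an added example, not code from this page or from HashiCorp: it runs over a constructed set of audit entries (the field layout follows the entry above; the values and the lease path are made up), summarises secret reads, denied requests and lease revocations, and flags any entry whose token is not HMAC'd, which is what an audit device configured with `log_raw` would produce.

```python
import json
from collections import Counter

# Constructed sample of Vault audit device output (JSON lines). The layout
# follows the entry shown on the page; the values are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"time":"2018-08-27T13:17:11.609621226Z","type":"request","auth":{"client_token":"hmac-sha256:5c40f1e0","display_name":"token"},"request":{"operation":"read","path":"database/creds/readonly","remote_address":"10.0.0.5"}}
{"time":"2018-08-27T13:17:11.700000000Z","type":"response","auth":{"client_token":"hmac-sha256:5c40f1e0","display_name":"token"},"request":{"operation":"read","path":"database/creds/readonly","remote_address":"10.0.0.5"},"response":{"secret":{"lease_id":"database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809"}}}
{"time":"2018-08-27T13:20:02.000000000Z","type":"response","auth":{"client_token":"hmac-sha256:9b1c0d2e","display_name":"token"},"request":{"operation":"read","path":"secret/prod/db","remote_address":"10.0.0.9"},"error":"permission denied"}
{"time":"2018-08-27T13:25:40.000000000Z","type":"request","auth":{"client_token":"s.constructedrawtoken","display_name":"token"},"request":{"operation":"update","path":"sys/leases/revoke","remote_address":"10.0.0.5"}}
"""


def parse_entries(text):
    """One JSON object per line; blank lines are skipped, anything else must parse."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(entries):
    """Count successful secret reads per path, denied requests per path,
    and calls to the lease revocation endpoint (what `vault lease revoke` hits)."""
    reads, denied, revokes = Counter(), Counter(), 0
    for entry in entries:
        req = entry.get("request", {})
        path, op = req.get("path", ""), req.get("operation")
        if entry.get("error"):
            denied[path] += 1
        elif entry.get("type") == "response" and op == "read":
            reads[path] += 1
        if entry.get("type") == "request" and path.startswith("sys/leases/revoke"):
            revokes += 1
    return {"reads": dict(reads), "denied": dict(denied), "revokes": revokes}


def unhashed_tokens(entries):
    """Return the timestamps of entries whose client_token is not an HMAC.
    Vault hashes tokens by default; a raw value means the audit log itself
    now holds a live credential and the device's log_raw setting needs review."""
    return [
        entry["time"]
        for entry in entries
        if not str(entry.get("auth", {}).get("client_token", "")).startswith("hmac-sha256:")
    ]


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_AUDIT_LOG)
    print(summarize(parsed))
    print("entries with unhashed tokens:", unhashed_tokens(parsed))
```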

Leasing & Revoking Secrets

Manage authorization and create time-based tokens that are revoked automatically when they expire or manually on demand

  $ vault read database/creds/readonly
  Key                Value
  ---                -----
  lease_id           database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
  lease_duration     1h0m0s
  lease_renewable    true
  password           A1a-w2xv2zsq4r5ru940
  username           v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
  [...]
  $ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
  Key                Value
  ---                -----
  lease_id           database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
  lease_duration     1h0m0s
  lease_renewable    true
  $ vault lease revoke database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
