HashiCorp Vault and MariaDB
Vault is open source software for secret management provided by HashiCorp. It is designed to avoid sharing secrets of various types, like passwords and private keys. When building automation, Vault is a good solution to avoid storing secrets in plain text in a repository.
MariaDB and Vault may relate each other in several ways:
- MariaDB secrets can be stored in vault. Typically this includes users passwords and private keys for SSH access.
- MariaDB (and MySQL) can be used as a secret engine, a components which stores, generates, or encrypt data.
- MariaDB (and MySQL) can be used as a backend storage, providing durability for Vault data.
Vault is used via an HTTP/HTTPS API.
Vault is identity-based. Users login and Vault sends them a token that is valid for a certain amount of time, or until certain conditions occur. Users with a valid token may request to obtain secrets for which they have proper permissions.
Vault encrypts the secrets it stores.
Vault can optionally audit changes to secrets and secrets requests by the users.
Vault is a server. This allows to decouple the secrets management logic from the clients, which only need to login and keep a token until it expires.
The sever can actually be a cluster of servers, to implement high availability.
The main Vault components are:
- Storage Backed: This is where the secrets are stored. Vault only send encrypted data to the backend storage.
- HTTP API: This API is used by the clients, and provides an access to Vault server.
- Barrier: Similarly to an actual barrier, it protects all inner Vault components. The HTTP API and the backend storage are outside of the barrier and could be accessed by anyone. All communications from and to these components have to pass through the barrier. The barrier verifies data and encrypts it. The barrier can have two states: sealed or unsealed. Data can only pass through when the barrier is unsealed. All the following components are located inside the barrier.
- Auth Method: Handles login attempts from clients. When a login succeeds, the auth method returns a list of security policies to Vault core.
- Token Store: Here the tokens generated as a result of a succeeded login are stored.
- Secrets Engines: These components manage secrets. They can have different levels of complexity. Some of them simply expect to receive a key, and return the corresponding secret. Others may generate secrets, including one-time-passwords.
- Audit Devices: These components log the requests received by Vault and the responses sent back to the clients.There may be multiple devices, in which case an Audit Broker sends the request or response to the proper device.
Content initially contributed by Vettabase Ltd.