When thinking about how to securely deliver secrets to our applications, we often run into chicken-and-egg scenarios: in order to encrypt secrets, we end up creating an unencrypted key that unlocks that encryption for regular use. Learn how Vault AppRole can help with this secure introduction problem.
Whenever a security group opts for Vault's auto-unseal functionality instead of the default Shamir's secret sharing approach, it runs into the "secret-zero" problem. Authenticating safely requires an HSM or cloud KMS for auto-unseal, but this means there's now a shared key to those systems stored outside the HSM or cloud KMS, in a script that starts the auto-unseal process.
In this webinar, Teddy Sacilowski introduces how authentication in Vault works, gives an overview of the AppRole Auth Method, and explains how it integrates with Terraform and Chef. Finally, Teddy gives a demo of how this can be used to mitigate the secret-zero problem and wraps up by answering questions from the audience about Vault.