FAQ

What do you need to consider before setting up Vault?

How long does it take to set up HashiCorp Vault? It depends. Vault integrates quickly with common user authentication setups and existing key-storage infrastructures.

Transcript

When we think about setting up and deploying Vault—really operationalizing Vault as a whole—there are a number of things that one needs to consider that are surprisingly lightweight compared to the alternative of setting up and deploying one's own cryptographic infrastructure.

Setting up Vault users

The first thing that you need to think about is: Who are my users or applications that are going to be connecting to Vault, storing secrets there, and ultimately handling security orchestration workloads within the context of what Vault is attempting to protect? The way that you attest those identities is a very critical and important part of using Vault, and to do that you'll need what are called authentication methods to be configured for Vault.

Now, you already have, generally, many of these authentication methods present within your infrastructure. They come in names like LDAP or Active Directory or certificate-based authentication. Vault seamlessly works with these types of environments to provide you the capability of using the identities that you already have in conjunction with storing either sensitive information that you already have and need to protect, or new sensitive information that needs to be protected and ultimately orchestrated with.

Picking a location for key storage

The second thing that you need to think about is, ultimately, how do I protect the cryptography that surrounds Vault at all times? Unlike other solutions that require you to set up and deploy your own key management infrastructure, Vault handles all of its own key management internally. The thing that one needs to consider, however, with Vault, is where do those keys sit? When I say that, I mean in the sense that there are a number of different ways that one can protect the keys that Vault uses to encrypt itself both in flight and at rest.

There are two ways to think about this. The first is when you're using Vault's open source, how do I take the Shamir key shards, which are the number of different individual keys needed to unlock and get Vault up and running, and where do I need to store them? That's the thing that you need to think about and figure out with regards to how those keys are stored and retrieved.

If you're using Vault Enterprise, much of this is taken away as something that you need to think about. The necessity there is obviated, especially if you already have components like an HSM (Hardware Security Module) or if you're using cloud infrastructure like AWS KMS, Google Cloud KMS. With those kinds of systems, this provides you with the capability to use and leverage the security infrastructure that you already have to automate the process of getting Vault up and running.

But, combining these two things, auth methods as well as auto-unseal methods within Vault Enterprise, or methods to retrieve and use the Shamir keys within Vault open source, you can get Vault set up and running within a number of hours—or even minutes.
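As an added illustration of what the Shamir key shards mentioned above are (example code written for this page, not Vault's own implementation and not part of the original transcript): a byte-wise Shamir scheme over GF(2^8) that splits a constructed key into 5 shards with a threshold of 3, so any 3 shards rebuild it while any 2 reconstruct only unrelated bytes. The key, shard count and threshold are assumed sample values.

```python
import secrets  # added illustration of Shamir key shards over GF(2^8); not Vault's own code

def _gf_mul(a, b):  # multiply in GF(2^8) with the AES polynomial 0x11b
    p = 0
    while b:
        p ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def _gf_inv(a):  # a^254 == a^-1 for non-zero a (square-and-multiply)
    result, exp = 1, 254
    while exp:
        if exp & 1:
            result = _gf_mul(result, a)
        a, exp = _gf_mul(a, a), exp >> 1
    return result

def split(secret, parts, threshold):
    """Split secret into `parts` shards; any `threshold` of them rebuild it."""
    if not 2 <= threshold <= parts <= 255:
        raise ValueError("need 2 <= threshold <= parts <= 255")
    xs = range(1, parts + 1)            # each shard's x-coordinate, never 0
    shards = [bytearray([x]) for x in xs]
    for byte in secret:                 # fresh random polynomial per secret byte
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for shard, x in zip(shards, xs):
            y = 0
            for c in reversed(coeffs):  # Horner evaluation of the polynomial at x
                y = _gf_mul(y, x) ^ c
            shard.append(y)
    return [bytes(s) for s in shards]

def combine(shards):
    """Lagrange-interpolate every byte at x=0; meaningless below the threshold."""
    xs = [s[0] for s in shards]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shard")
    out = bytearray()
    for i in range(1, len(shards[0])):
        acc = 0
        for j, xj in enumerate(xs):
            num = den = 1
            for k, xk in enumerate(xs):
                if k != j:
                    num = _gf_mul(num, xk)        # (0 - x_k) == x_k in characteristic 2
                    den = _gf_mul(den, xj ^ xk)   # (x_j - x_k)
            acc ^= _gf_mul(shards[j][i], _gf_mul(num, _gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

Where the shards are stored and who holds them is exactly the operational question the transcript raises: losing more than `parts - threshold` of them makes the key unrecoverable, while gathering `threshold` of them unseals it.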
