By: Saif Raza Raja
July 14, 2020
"Vault Fundamentals" Course Review
Cybrary's "Vault Fundamentals" course covers a tool that is useful to almost any organization. Vault securely stores secrets whose access you want tightly controlled, and it records a detailed audit log of that access. These secrets include API keys, passwords, and certificates. The course covers all the fundamentals of Vault in detail and shows how they are applied in real-world situations. In it, you will learn about Vault's concepts, its management, its dynamic secrets in action, and a good deal about other kinds of secrets and how they are managed.
Developed by HashiCorp, Vault provides a unified interface to any secret that you want to keep in a tightly controlled-access environment. A modern system needs access to a range of secrets, such as database credentials and API keys for external services. Keeping track of all of these secrets by hand is nearly impossible, and this is the problem Vault solves. The key features of Vault are:
- Secure Secret Storage.
- Dynamic Secrets.
- Data Encryption of Secrets.
- Leasing and Renewal of Secrets.
- Secret Revocation.
Vault encrypts all data with an encryption key before writing it to the storage backend. That encryption key is itself encrypted by another key, the master key, which is needed only at startup.
An important aspect of Vault's design is that the master key is not stored on the server, so at startup Vault cannot yet read its own saved data. At this point the Vault instance is said to be in a "sealed" state. To access secrets in Vault, a client must first authenticate using one of the supported methods. The simplest is tokens: the client sends its token string in a special HTTP header on every API request.
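To make the sealed/unsealed cycle and the token check concrete, here is a small Python model of the design described above. It is an added example written for this review, not HashiCorp's code: Vault itself uses AES-GCM, while this model substitutes a standard-library construction (HMAC-SHA256 in counter mode as a stream cipher, plus an HMAC tag, encrypt-then-MAC) so it runs without third-party packages. The master key, token and secret paths are constructed values.

```python
"""Toy model of Vault's seal/unseal cycle and token-authenticated access.

Added example, not HashiCorp's code. The data key that protects stored
secrets is persisted only in encrypted form under the master key, and the
master key itself is never kept by the store: it must be presented to
unseal. All keys, tokens and paths here are constructed for the demo.
"""
import hashlib
import hmac
import secrets


class SealedError(Exception):
    """Raised when data is requested while the store is sealed."""


class AuthError(Exception):
    """Raised when a request carries no valid token."""


def _subkey(key, label):
    # Derive separate encryption and MAC keys from one key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key, nonce, length):
    # PRF in counter mode: concatenated HMAC(key, nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then decrypt; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


class SealedStore:
    """Secrets are encrypted under a data key; only the encrypted data key
    is persisted, and the master key that wraps it is never stored."""

    def __init__(self, master_key):
        data_key = secrets.token_bytes(32)
        self.encrypted_data_key = encrypt(master_key, data_key)  # persisted
        self._data_key = None        # in memory only while unsealed
        self._blobs = {}             # path -> ciphertext
        self._token_hashes = set()   # tokens are stored hashed, never raw

    @property
    def sealed(self):
        return self._data_key is None

    def unseal(self, master_key):
        # Fails (and stays sealed) if the wrong master key is presented.
        self._data_key = decrypt(master_key, self.encrypted_data_key)

    def seal(self):
        self._data_key = None

    def _check(self, token):
        if self.sealed:
            raise SealedError("Vault is sealed")
        if hashlib.sha256(token.encode()).hexdigest() not in self._token_hashes:
            raise AuthError("permission denied")

    def create_token(self):
        if self.sealed:
            raise SealedError("Vault is sealed")
        token = secrets.token_urlsafe(24)  # the value a client sends per request
        self._token_hashes.add(hashlib.sha256(token.encode()).hexdigest())
        return token

    def write(self, token, path, value):
        self._check(token)
        self._blobs[path] = encrypt(self._data_key, value)

    def read(self, token, path):
        self._check(token)
        return decrypt(self._data_key, self._blobs[path])


if __name__ == "__main__":
    master = secrets.token_bytes(32)        # constructed master key
    store = SealedStore(master)
    print("sealed after startup:", store.sealed)
    store.unseal(master)
    tok = store.create_token()
    store.write(tok, "secret/db", b"constructed-password")
    print("read while unsealed:", store.read(tok, "secret/db"))
    store.seal()
    print("sealed again:", store.sealed)
```

The point to take from the model is the ordering of checks: a sealed store rejects every request before any token is examined, and the master key only ever exists in the caller's hand during `unseal`, never in the store's persisted state.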
Dynamic secrets are generated by Vault on demand, when an application requests them. Vault supports several types of dynamic secret, including database credentials, SSH key pairs, AWS credentials, Active Directory accounts, and Google Cloud service accounts.
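Dynamic secrets, leasing and renewal, and revocation (three of the key features listed earlier) fit together in one lifecycle, which the following added Python model walks through. It is not Vault's code: a dictionary of live users stands in for a database's user table, the engine creates a credential on demand with a lease, lets the client renew it up to a maximum TTL, and deletes the backend user on revocation or expiry. The role name, TTL values and the `now` timestamps are constructed.

```python
"""Toy model of a dynamic database-credential engine with leases.

Added example, not HashiCorp's code. `backend_users` plays the role of the
database's own user table so that revocation visibly removes the credential
at the source, not just Vault's record of it. Time is passed in explicitly
(`now`, in seconds) so the lifecycle can be stepped through deterministically.
"""
import secrets


class LeaseError(Exception):
    """Raised for renew/revoke on an unknown or expired lease."""


class Lease:
    def __init__(self, lease_id, username, issued_at, ttl, max_ttl):
        self.lease_id = lease_id
        self.username = username
        self.issued_at = issued_at
        self.expires_at = issued_at + ttl
        self.max_expires_at = issued_at + max_ttl  # hard cap for renewals


class DynamicDatabaseEngine:
    def __init__(self, default_ttl=3600, max_ttl=86400):
        self.default_ttl = default_ttl
        self.max_ttl = max_ttl
        self.backend_users = {}   # username -> password, "the database"
        self.leases = {}          # lease_id -> Lease

    def issue(self, role, now):
        """Create a fresh credential at the backend and a lease covering it."""
        username = "v-%s-%s" % (role, secrets.token_hex(4))   # constructed naming
        password = secrets.token_urlsafe(16)
        self.backend_users[username] = password
        lease = Lease(secrets.token_hex(8), username, now, self.default_ttl, self.max_ttl)
        self.leases[lease.lease_id] = lease
        return lease.lease_id, {"username": username, "password": password}

    def renew(self, lease_id, increment, now):
        """Extend the lease by `increment` seconds, never past max_ttl from
        issue time. Returns the seconds remaining after renewal."""
        lease = self._live(lease_id, now)
        lease.expires_at = min(now + increment, lease.max_expires_at)
        return lease.expires_at - now

    def revoke(self, lease_id):
        """Drop the lease and delete the credential at the backend."""
        lease = self.leases.pop(lease_id, None)
        if lease is None:
            raise LeaseError("unknown lease")
        self.backend_users.pop(lease.username, None)

    def tidy(self, now):
        """Revoke every lease whose TTL has elapsed; returns how many."""
        expired = [lid for lid, lease in self.leases.items() if lease.expires_at <= now]
        for lid in expired:
            self.revoke(lid)
        return len(expired)

    def backend_login(self, username, password):
        """What the database would answer to a login with these credentials."""
        stored = self.backend_users.get(username)
        return stored is not None and secrets.compare_digest(stored, password)

    def _live(self, lease_id, now):
        lease = self.leases.get(lease_id)
        if lease is None or lease.expires_at <= now:
            raise LeaseError("lease expired or unknown")
        return lease


if __name__ == "__main__":
    engine = DynamicDatabaseEngine(default_ttl=60, max_ttl=300)
    lease_id, creds = engine.issue("readonly", now=0)
    print("issued:", creds["username"], "login ok:", engine.backend_login(**creds))
    print("remaining after renew:", engine.renew(lease_id, 100, now=30))
    print("expired and cleaned up:", engine.tidy(now=300))
    print("login after expiry:", engine.backend_login(**creds))
```

Two behaviours are worth noticing: renewal is measured from the renewal time but can never push expiry beyond `max_ttl` from the original issue, and expiry is handled by the same `revoke` path an operator would use, so an expired credential stops working at the database rather than merely disappearing from the lease table.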
Cybrary's course highlights the importance of Vault and is split into nine modules. The first module introduces the course and leads into the second, which gives an overview of Vault as well as the technologies that complement it and those that serve as alternatives to it. The third module covers secret storage within Vault and demonstrates the environment setup. This leads into the fourth module, an overview of the Vault concepts that are important to know when implementing it. The fifth module examines access control lists, entities, aliases, and groups, with lab demonstrations to follow along with. Module six continues with secret storage, module seven provides further lab demonstrations, specifically inspecting AWS secrets and database secrets, and module eight touches on encryption as a service. The course wraps up with a summary of everything taught previously.
Ultimately, this Cybrary course provides a deeper understanding of Vault's features and how it can improve a business's security posture.