4 hours 53 minutes
In this module, we're going to talk about technologies that complement your use of Vault. HashiCorp Consul is a product used to manage service discovery,
as well as monitoring and configuration. So think about having all these different microservices running. How are you going to keep a registry to track which machines, which IP addresses, the different services are running on, and of course get guided and pointed to healthy instances of those different services,
so you're forwarded to the right location, and then manage some configuration information about
the different services? That's the concept. Thus it can be used to store secrets, but that's really not its main intent. In fact, the secrets themselves don't get encrypted before they're persisted to disk, and they're not
encrypted when put in transit.
Not to mention there's no auditing capability on the secrets that you may choose to store in Consul. But the two actually work well in tandem, particularly when you want to set up and build out a high availability Vault environment where you have multiple Vault servers, and then Consul is monitoring the health of those servers,
helping with data replication and persistence and storage
of the Vault data.
And so it helps Vault be highly scalable and highly fault tolerant, and the two are complementing each other. In this series, we're not going to be going so far as to build out
a robust, high availability instance of Vault.
But if you want to do that, when you want to do that, and you're really looking to deploy this for prime time, Consul is going to be a very nice complementary application to help you do that.
What about configuration management tools? Ansible, Chef, Puppet: these are the tools that are used to help configure your servers, your machines, run scripts, make sure everything is installed on a cluster of machines and that they're all near identical in the way that they're built. This is
one of the key founding fathers when it comes to the concept of infrastructure as code, right?
It orchestrates a lot of the automation. One of the downsides of using these, with regards to the bad practices that people may have, is oftentimes the scripts themselves, when they're setting up a server, will have the keys embedded in them, or they will have secrets embedded in the actual scripts,
and you want to avoid doing that.
And, yes, these technologies have encryption capabilities.
Chef has data bags, Puppet has Hiera, and so forth. But even those encryptions are just a single-secret encryption, so it's a really light level of encryption, not near the level of diligence that you're going to get with Vault. But these are very complementary. Vault has no business
installing packages on a machine and setting up and making sure
the server's configured in the way that you want it to be. But it does very well at secrets, so you can have your Chef scripts, your Ansible scripts, actually retrieving the secrets from Vault using consul-template. We're not going to get into the use case of setting that up,
but there's a great entry on the HashiCorp
blog that talks about configuring Chef and using consul-template to pull secrets out of Vault at runtime, so you can retrieve those secrets, they're encrypted in transit, they come down to the machine that the Chef recipes are running on, and then you can apply the secrets on those servers.
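The consul-template pattern just described, as an added example that is not part of this course or of the HashiCorp blog entry: a consul-template configuration that reads a database username and password out of Vault's KV v2 engine and renders them into an environment file that a Chef recipe or Ansible play can consume, instead of embedding the secret in the script. The Vault address, the KV path `secret/data/myapp/db`, the destination file and the restart command are assumptions chosen for the example.

```hcl
# consul-template configuration (example, not from the course).
# The Vault token is taken from the VAULT_TOKEN environment variable
# (or supplied by Vault Agent); it must hold a policy allowing
# "read" on secret/data/myapp/db. Nothing secret lives in this file.
vault {
  address     = "https://vault.example.com:8200"   # assumed address
  renew_token = true                               # keep the token alive while running
}

template {
  # Inline template: KV v2 returns the payload under .Data.data.
  contents = <<EOT
{{ with secret "secret/data/myapp/db" -}}
DB_USER={{ .Data.data.username }}
DB_PASSWORD={{ .Data.data.password }}
{{- end }}
EOT

  # Rendered file is readable only by the owner; the secret never
  # appears in a cookbook, playbook or version control.
  destination = "/etc/myapp/db.env"   # assumed path
  perms       = 0600

  # Re-run when Vault rotates the secret so the app picks it up.
  command = "systemctl restart myapp"  # assumed service name
}
```

Run it as `consul-template -config db.hcl` on the node being configured, then have the Chef recipe or Ansible task source `/etc/myapp/db.env`. The secret travels TLS-encrypted from Vault to the node, and the Vault audit log records every read of that path, which is the auditing Consul itself does not give you.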
Hardware security modules, or HSMs, are a combined software-and-hardware type of solution that really specializes in storing the encryption keys themselves and performing encryption operations, with a tandem of specialized hardware and very
optimized and tuned software.
If somebody wants to physically get access to the device, they prevent them from breaking in, and prevent all sorts of side-channel attacks through listening and trying to decode. A real high level of security is brought to the table, with many of these devices meeting FIPS 140-2.
They can be cost prohibitive. So, depending on the size of your organization, budget and just how tightly you want to keep track of your secrets, these may not be the option. You can, of course, buy them, install them in your own data center and manage the physical access controls. But you can also lease
HSMs from Amazon, from Azure.
Just as a bit of a point of reference, I was looking at how much the Amazon CloudHSM costs, and you're looking at an upfront cost of about $5000. So maybe that's nothing, maybe it's worth the money for you, maybe you don't want to go the HSM route,
but they're very complementary
when it comes to HSMs and Vault. In fact, Vault Enterprise provides a lot of extensive HSM support. So one of the things about Vault itself is all the data, the configurations and parts
and pieces, and the secrets themselves,
of course get encrypted not only in transit but also when the data is at rest, and all that encryption requires some master key to decrypt, and we'll get into that whole process in later modules. But that master key itself
can be stored in these HSMs. So you're really locking down and securing
the key to the kingdom, so to speak. And that process of applying the master key to decrypt all of this encrypted information that Vault's storing is referred to as unsealing. So you can realize automated unsealing by pulling these master keys, which are securely stored in an HSM.
Also, in the Enterprise version, you get FIPS key storage to provide functionality for critical security parameters through seal wrapping, and entropy augmentation. So a lot of encryption algorithms require randomizing
of numbers to keep things secure.
And for that concept of entropy, you can use the HSMs themselves and their cryptographic implementations, and how they realize that entropy, which is just another level of advancement. Again, you may not need to go this far. It just depends on how strong
the security needs are for what you're building.
If you're creating medical devices, defense things that can actually cause physical harm to people, and you want to lock that down, this is definitely worth exploring.
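What the HSM integration looks like in practice, as an added example that is not part of this course: a Vault Enterprise server configuration that uses the PKCS#11 seal for auto-unseal and turns on entropy augmentation from the same HSM. The library path, slot, key labels and listener address are assumptions for the example; the PIN shown is a placeholder, and in a real deployment it is better supplied through the VAULT_HSM_PIN environment variable than written into the file.

```hcl
# vault.hcl for Vault Enterprise with an HSM (example, not from the course).

storage "consul" {
  address = "127.0.0.1:8500"   # Consul cluster used for HA storage (assumed)
  path    = "vault/"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # assumed paths
  tls_key_file  = "/etc/vault/tls/vault.key"
}

# Auto-unseal: the master key is protected by a key that never leaves the HSM,
# so no operator has to enter unseal key shares after a restart.
seal "pkcs11" {
  lib            = "/usr/vault/lib/libCryptoki2_64.so"   # vendor PKCS#11 library (assumed)
  slot           = "0"
  pin            = "AAAA-BBBB-CCCC-DDDD"                  # placeholder; prefer VAULT_HSM_PIN
  key_label      = "vault-hsm-key"                        # assumed labels
  hmac_key_label = "vault-hsm-hmac-key"
}

# Entropy augmentation: mix randomness from the HSM's RNG into the
# random bytes Vault uses for critical security parameters.
entropy "seal" {
  mode = "augmentation"
}
```

Seal wrapping is then enabled per mount, for example with the `-seal-wrap` flag when running `vault secrets enable`, so that the critical security parameters of that engine are wrapped by the HSM key on top of Vault's own storage encryption. Losing access to the HSM means Vault cannot unseal, so back up the HSM key material per the vendor's procedure before relying on this.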
To recap what we learned in this module,
we looked at Vault and how it's complemented by HashiCorp Consul for high availability, hardware security modules for secure storage down to the hardware level, and configuration management products like Ansible and Chef.
Let's see how much you've absorbed from the first few modules of this training course.
Which of the following capabilities is Vault well suited for?
Hit the pause button if you want; I'm going to jump straight to the answers here. Let's walk through the different options.
Large binary objects? No. Azure Storage, AWS S3 buckets, even blob storage types on certain relational databases, file systems, of course: these are things that you can use to store large binary objects. Vault is not for that.
Managing sensitive medical records? Yes, Vault stores sensitive information, but it is not intended to host medical records and large quantities of private information. You can encrypt that, put that in a database or some other store, and Vault can definitely help you with the encryption.
It can definitely manage the keys that you use to perform that encryption.
What about securely storing key pairs for asymmetric encryption? Yes, definitely in the wheelhouse of Vault, something that it does quite well. Orchestrating and scaling container-based workloads, particularly in the cloud? No, this is not what Vault does. Kubernetes,
or HashiCorp's product called Nomad,
are designed to provide those capabilities.
Persisting customer-specific encryption keys? Yes, Vault, right in its wheelhouse. Authorizing access to secrets and keeping an access log? Another core capability that Vault provides. So hopefully you got these right, and you said C, E and F. That wraps it up for this lesson. Look forward to seeing you back for the next lesson.