4 hours 53 minutes

Video Transcription

in this video, we're going to go over the data key capabilities of encryption as a service and touch on the different use cases. Why this could be helpful to you
in your overall secrets management in different scenarios. And then we're going to get hands on with generating a data key, looking at the plain text version of it, the encrypted version. And then we're gonna decrypt that data key and compare it to it's plain text version of the data key just for some checks and balances
to come back to the Web. You I drilling into the encryption as a service in the M. I six. Let's look at some of the key actions that we can perform and touch on data key.
So why would you want to use a data key in the first place? Let's say you have a situation where you want to distribute keys out, and those keys themselves will be used to perform encryption of certain information. So we have recovered the core situation where
you send data to vault
and you say, Hey, vault, encrypt this data and then vault sends it back in a cipher format, right? It's all encrypted.
But there may be situations where you want to encrypt some extremely large data files, images, video, audio, other other things that are just really big, right large amounts of a binary, maybe an entire database. And so sending it across the wire to vault,
you're gonna have some problems. Not that vault can't handle the CPU,
but just some bandwidth. The Networx laid see problems. It's just not a good idea. So in this situation, what fault will do is it will generate a key for you and that external process that's running and performing the encryption, which you have to really trust. It's going to get that key from vault.
It's going to encrypt what it needs to with that key,
and it's not going to store that key. But what it will store is the encrypted version of the Key, which vault is also handing over when the initial key is being requested. Right, so it's got a lot of random ization that's coming from vaults to make sure this key is unique
and all sorts of things in that regard, and then you're also getting an encrypted version of the key.
So when it comes time to decrypt.
You can then take that encrypted version of the key
handed back to vault.
It will give you the the decrypted version of the key. And then the application uses the decrypted key to decrypt the large file that was encrypted. And at no point do you want to persist the unencrypted version of the key.
I hope that makes sense. Let's go with plain text here, and we're gonna generate a data key. And so what? This is like saying Teoh to your application. Here's the plain text version of the key. This is the key. And then this here is a cipher text. We're gonna copy that off. And that is the key itself encrypted
in such a way that it needs to come back to vault and use the V two
version of the key that vault itself is managing. And so we're putting some good faith that this plain text version off the key is not gonna be. Protest persisted anywhere because if that happened and then the key got out, all this encryption we performed on this very large file is really for not.
But when it does come time to do the decryption here in the plain text we see l Y four equals. So we were then have another process Come. It persists that key the encrypted version of this key. And it says I need to now decrypt this big file. I have the encrypted version of the key. Hey, Vault,
Can you decrypt this key to me
for me? Rather, it's going to return this and again, l why four equals. Of course, this is in base 64. Encoding. The key itself that Bolt's generating. It's kind of this binary mess, right? It doesn't really look too good on the Web interface,
and it would look a little funny in your terminal, cause these aren't asking based keys.
But the point in the the use case that I wanted to touch on here is for those odd edge cases where you want a handout, AKI, just for some temporary activities to take place outside of the vault server, the encryption itself will not happen on the vault server, and you also wanna have some degree of faith that that key
in its plain text form isn't going to be persistent and potentially leaked.
So what you do is you say? Well, let's store an encrypted version of that key. And when it's time to decrypt first you come back to vault, then you will decrypt the key. Then you will decrypt whatever content was encrypted using that particular key.

Up Next

Vault Fundamentals

Learn how HashiCorp Vault can improve your security posture when it comes to storing sensitive passwords, maintaining confidential keys, implementing encryption, and establishing robust access management.

Instructed By

Instructor Profile Image
James Leone
Cloud, IoT & DevSecOps at Abbott