4 hours 53 minutes
Let's begin our journey into Vault by understanding the domain in which it operates and the problems that the product is trying to solve.
Vault is a secrets manager, but when we talk about secrets, we're not talking about the kind of secrets that you whisper in somebody's ear. We're talking about credentials, things that give you access, authorization, to different computer systems, such as usernames and passwords, API tokens, database credentials, even private keys and certain other certificates.
There are real challenges in this environment when we talk about secrets management, such as controlling who we give these secrets to. Do we give these to other human beings, to people? But we also need to consider controlling giving these to service accounts, principals and other applications that need these secrets to do what they're supposed to do.
We have additional challenges of updating secrets and keeping track of changes that occur. Of course, there may be problems: compromise. We suspect there's compromise and we want to revoke a secret. We want to invalidate it. We need to track who is using these different secrets, having some audit logging around it. As a benefit of tracking who was using the secret, we know when something's changed. We can broadcast events, so the people who rely on the secrets become aware of the change that's taken place.

I mentioned a type of secret called keys, and in the world of encryption, keys are a real cornerstone of the way modern cryptography works. It relies heavily on keys. We're gonna talk a lot about keys when we talk about Vault storing keys, as well as how Vault itself relies on and uses keys. So I want to spend a little bit of time reviewing keys and how they pertain to encryption.
Specifically, there are two general categories of encryption algorithms that rely on keys. First, we have symmetric encryption. It's a real well-known technique where you have plain text on the left. You want to encrypt it, so you use your secret key. It is then transferred; the cipher text is delivered to your recipient, and then they can decrypt that cipher text using their secret key. And now they see your message in plain text. This is a good approach when, say, you want to encrypt information going to disk before it actually gets stored to disk, and you know you're gonna be able to hold on to that secret key and use it both ways, for the encryption operation and the decryption operation. Blowfish, AES, RC4, DES: these are encryption algorithms that follow the symmetric encryption mindset, where the same secret key is used by both parties involved in the communication.
But there's a big disadvantage to this, in that distributing that secret key in a secure manner to both parties, and all parties involved, can be very difficult. So enter the concept of asymmetric encryption, also referred to as public key cryptography. Asymmetric encryption uses a key pair, so all parties involved have a public key and a private key. And there's a special relationship between that public key and the private key such that if I encrypt a message using a public key, it can only be decrypted using the associated private key. Conversely, if a message is encrypted using a private key, it can only be decrypted using the corresponding public key.
So let's take a simple example where Bob and Alice want to send a message to each other, and it's a secure message and they want it encrypted in transit, and they didn't have the opportunity to use a shared key. So symmetric encryption is out; it's not an option for them. They're gonna take the asymmetric encryption approach. Now, Bob and Alice each have their own public/private pair of keys. Neither of them is going to give anybody else access to the private key, but they're each going to exchange their own public key. So if you imagine Alice is on the left, she gets Bob's public key, and she has a message she wants to send to Bob, who's on the right. She will encrypt that message using Bob's public key. As a result, that encrypted message can only be decrypted by Bob using Bob's private key. If he wants to send a message back to Alice, he will do the converse. He will take the message he wants to send, he will encrypt it using Alice's public key, he will send that to Alice, and it'll be in cipher text when he's sending it to her. And then she will decrypt it using her private key.

So that's the essence of asymmetric encryption. Very common algorithms that leverage this method are RSA, DSA, elliptic curve techniques, PKCS. It is very prevalent on the Internet, as you can imagine, because the concept of having a shared key and trying to go symmetric encryption is difficult, right? You want to be able to give these public keys and you're doing it over the Internet. You can't trust who's listening and eavesdropping. So public keys get exchanged in a handshaking process using TLS. And that's where Bob and Alice are going to exchange their public keys. And then they'll follow the process that I was just describing, often exchanging a symmetric encryption key that then they can use for further communication. And they've done the handoff between each other in a very secure manner.
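The Alice-and-Bob exchange and the TLS-style session-key handoff described above, as an added example in Go using only the standard library (this is not code from the course or from Vault). The `Party` helper, the choice of RSA-OAEP with SHA-256, and the 32-byte session key are assumptions made for illustration:

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Party is one participant (Alice or Bob). The private key never leaves this struct.
type Party struct{ priv *rsa.PrivateKey }

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // assumed key size for the demo
	return &Party{priv: k}, err
}

// Public is the only key a party ever hands to anyone else.
func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// Seal encrypts to the recipient's public key; only the matching private key opens it.
func Seal(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

// Open decrypts with the party's own private key.
func (p *Party) Open(ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, ct, nil)
}

// KeyHandoff is the TLS-style step from the lecture: the sender makes a fresh 32-byte
// symmetric session key, seals it under the recipient's public key, and the recipient
// unseals it. Both copies are returned so a caller can confirm they match.
func KeyHandoff(recipient *Party) (sent, received []byte, err error) {
	sent = make([]byte, 32)
	if _, err = rand.Read(sent); err != nil {
		return
	}
	sealed, err := Seal(recipient.Public(), sent)
	if err != nil {
		return
	}
	received, err = recipient.Open(sealed)
	return
}

func main() {
	bob, _ := NewParty() // constructed demo party; error handling elided for brevity
	sent, got, err := KeyHandoff(bob)
	fmt.Printf("sender: %x\nrecipient: %x\nerr: %v\n", sent, got, err)
}
```

Only the sealed session key crosses the wire; after the handoff both sides hold the same symmetric key and can switch to the cheaper symmetric algorithms the lecture listed.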
So we've defined the secrets. We've talked about the nuances of keys and their role in cryptography as a secret. What is HashiCorp Vault, then? First and foremost, it is centralized secrets storage. So its job is to keep the secrets themselves: secure distribution, persistence, all of the above.
Another major pillar of HashiCorp Vault is generating secrets. This is referred to as dynamic secrets, and we'll get deeper into this. But if you could imagine, it's being able to create unique credentials for different clients, right, so that you have a customer A, they get a certain token, and customer B gets a different token, so that if there's ever a problem with customer B, you can invalidate that individual's token, or that entity's token, and customer A doesn't need any updates because there was no compromise of their token, right. And being able to dynamically distribute these and set lease periods for shorter lifespans is a very powerful thing. And it's all about minimizing the blast radius when some secrets are leaked and there's compromise, so you can renew, refresh and change the secret without affecting everything else in the entire system. Right?
Finally, we have encryption as a service. So encryption itself is very difficult. I gave an overview of symmetric encryption and asymmetric encryption, and it got a little dicey talking about public keys and private keys, and we didn't even get into the nuances of the math, the exponential math and the modulus and all these things that go on behind the scenes to really get that cryptography, and so it's very difficult for a lot of developers to get it right. So what Vault can do for you is perform encryption for you. So you call the Vault server as a service, and it will actually do the encryption for you and provide it. And that way you're reducing the margin of error that can be introduced by programmers either incorrectly implementing an encryption algorithm or just incorrectly using an encryption library. And it reduces the transferring of keys. So if you have programs, for example, that need to do symmetric encryption or even asymmetric, those programs themselves, if they themselves are going to be doing the encryption, they need to have the keys in their hand. But if you delegate the encryption and the decryption processes off to Vault, the keys actually don't need to leave Vault.
So we'll be talking about all three of these in much greater detail in the coming modules. But just to summarize what we learned here, we talked about what a secret is. We even talked about the difficulties associated with managing secrets. We did a review of symmetric encryption versus asymmetric encryption and how encryption keys themselves play such an important role in that paradigm. And then we touched on the three main pillars of Vault.