What is HashiCorp Vault and How it works? An Overview and Its Use Cases

History & Origin of HashiCorp Vault

Mitchell Hashimoto and Armon Dadgar founded HashiCorp in 2012 with the goal of solving some of the hardest, most important problems in infrastructure management, with the goal of helping organizations create and deliver powerful applications faster and more efficiently.

Mitchell Hashimoto and Armon Dadgar, HashiCorp’s co-founders, met at the University of Washington in 2008, where they worked on a research project together — an effort to make the groundbreaking public cloud technologies then being developed by Amazon and Microsoft available to scientists.

After graduating, they both moved to San Francisco. There — recognizing early on the impact this technology was poised to have on the world — Mitchell founded HashiCorp, with Armon joining him as a co-founder the next year.

As cloud adoption expanded, they recognized that organizations would eventually need to adopt multiple clouds, and would consequently require a consistent and reliable set of automation tools to seamlessly deploy and connect their applications to any combination of multiple cloud and on-premises environments.

What is HashiCorp Vault?

HashiCorp Vault is a secrets management tool specifically designed to control access to sensitive credentials in a low-trust environment. It can be used to store sensitive values and at the same time dynamically generate access for specific services/applications on lease.

HashiCorp Vault is designed to help organizations manage access to secrets and transmit them safely within an organization. Secrets are defined as any form of sensitive credentials that need to be tightly controlled and monitored and can be used to unlock sensitive information. Secrets could be in the form of passwords, API keys, SSH keys, RSA tokens, or OTP.

HashiCorp Vault makes it very easy to control and manage access by providing you with a unilateral interface to manage every secret in your infrastructure. Not only that, you can also create detailed audit logs and keep track of who accessed what.

How HashiCorp Vault works (HashiCorp Vault architecture)

When Vault is initialized it generates an encryption key that is used to protect all of its data. That encryption key is in turn protected by a master key. By default, Vault uses Shamir’s secret sharing algorithm to split the master key into 5 shares, any 3 of which are required to reconstruct the master key.

Architecture

Vault is a complex system that has many different pieces. To help both users and developers of Vault build a mental model of how it works, this page documents the system architecture.

Advanced Topic! This page covers technical details of Vault. You don’t need to understand these details to effectively use Vault. The details are documented here for those who wish to learn about them without having to go spelunking through the source code. However, if you’re an operator of Vault, we recommend learning about the architecture because of the importance of Vault in an environment.

High-Level Overview

A very high-level overview of Vault looks like this:

[Figure: Architecture Overview]

Use Cases of HashiCorp Vault

Before understanding use cases, it’s useful to know what Vault is. This page lists some concrete use cases for Vault, but the possible use cases are much broader than what we cover.

General Secret Storage

At a bare minimum, Vault can be used for the storage of any secrets. For example, Vault would be a fantastic way to store sensitive environment variables, database credentials, API keys, etc.

Compare this with the usual ways these are stored today: plaintext in files, configuration management, a database, and so on. It is much safer to query them using vault read or the API. This protects the plaintext version of the secrets and records every access in the Vault audit log.

Employee Credential Storage

While this overlaps with “General Secret Storage”, Vault is a good mechanism for storing credentials that employees share to access web services. The audit log lets you know which secrets an employee accessed, and when an employee leaves it is easier to roll keys and to understand which keys have and haven’t been rolled.

API Key Generation for Scripts

The “dynamic secrets” feature of Vault is ideal for scripts: an AWS access key can be generated for the duration of a script, then revoked. The keypair will not exist before or after the script runs, and the creation of the keys is completely logged.

This is an improvement over using something like Amazon IAM alone while still effectively hardcoding limited-access tokens in various places.
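The lease lifecycle described above, as an added example (not HashiCorp’s or Vault’s own code): credentials are requested from the documented AWS secrets engine endpoint, used only inside a context manager, and the lease is revoked on exit, even when the script fails. The Vault address, token, role name “deploy” and the in-memory FakeVault are assumptions so the flow runs offline.

```python
import json
import urllib.request
from contextlib import contextmanager


def http_send(method, url, headers, body=None):
    """Minimal JSON transport over urllib, used when no fake `send` is supplied."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


@contextmanager
def aws_creds(vault_addr, token, role, send=http_send):
    """Yield (access_key, secret_key, ttl) from aws/creds/<role>; revoke on exit."""
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    resp = send("GET", f"{vault_addr}/v1/aws/creds/{role}", headers)
    lease_id = resp["lease_id"]
    try:
        yield resp["data"]["access_key"], resp["data"]["secret_key"], resp["lease_duration"]
    finally:
        # Revoking the lease makes Vault delete the IAM credentials it created,
        # so the keypair does not outlive the script even if the script crashed.
        send("PUT", f"{vault_addr}/v1/sys/leases/revoke", headers, {"lease_id": lease_id})


class FakeVault:
    """Constructed in-memory stand-in that records calls, for running offline."""

    def __init__(self):
        self.calls, self.revoked = [], []

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url, headers.get("X-Vault-Token")))
        if method == "GET" and "/v1/aws/creds/" in url:
            return {"lease_id": "aws/creds/deploy/CONSTRUCTED-LEASE",
                    "lease_duration": 3600, "renewable": True,
                    "data": {"access_key": "AKIACONSTRUCTED", "secret_key": "constructed"}}
        if method == "PUT" and url.endswith("/v1/sys/leases/revoke"):
            self.revoked.append(body["lease_id"])
            return {}
        raise AssertionError(f"unexpected call: {method} {url}")


def run_script(send=http_send, fail=False):
    """A 'script' that uses the keys and returns what it saw; keys are revoked afterwards."""
    with aws_creds("http://127.0.0.1:8200", "hvs.CONSTRUCTED", "deploy", send) as (ak, _sk, ttl):
        if fail:
            raise RuntimeError("script crashed mid-run")
        return ak, ttl
```

Against a real server, `run_script()` with the default transport talks to a Vault at 127.0.0.1:8200; the audit log will then show both the credential issuance and the revoke call.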

Data Encryption

In addition to being able to store secrets, Vault can be used to encrypt/decrypt data that is stored elsewhere. The primary use of this is to allow applications to encrypt their data while still storing it in the primary data store.

The benefit of this is that developers do not need to worry about how to properly encrypt data. The responsibility of encryption is on Vault and the security team managing it, and developers just encrypt/decrypt data as needed.

Features and Advantages of using HashiCorp Vault

Pros of HashiCorp Vault
  • It provides an easy way to manage secret sprawl. …
  • It allows dynamic secrets. …
  • It’s open source. …
  • It is self-hosted. …
  • It can be used to encrypt data of your applications. …
  • It can generate your PKI certificates. …
  • Vault’s functionality can be extended with Secret Engines and Auth Engines.

Best Alternatives to HashiCorp Vault

Competitors and Alternatives to HashiCorp Vault
  • Secret Server.
  • CyberArk Privileged Access Management solutions.
  • ARCON | Privileged Access Management.
  • ManageEngine Password Manager Pro.
  • BeyondTrust Privileged Remote Access.
  • WALLIX Bastion.
  • Symantec Privileged Access Management.
  • One Identity Safeguard.

Interview Questions and Answers for HashiCorp Vault

What is Vault Associate?

The Vault Associate certification is for Cloud Engineers specializing in security, development, or operations who know the basic concepts, skills, and use cases associated with open source HashiCorp Vault.

Can we store files in HashiCorp Vault?

If you want to store large files inside of Vault:

It’s a simpler setup and you can do point-in-time live snapshots. Plus if you find you need the space in the future, you can just migrate your storage backend.

What can be stored in HashiCorp Vault?

Vault encrypts data using 256-bit AES with GCM. It can store data in various backends (files, Amazon DynamoDB, Consul, and many more). The other key aspect is that Vault never stores a key in a persistent location.

Is HashiCorp Vault on-premises?

Vault allows you to centrally manage and securely store secrets across on-premises infrastructure and the cloud using a single system. The Vault API exposes cryptographic operations for developers to secure sensitive data without exposing encryption keys.

What are secrets engines in HashiCorp Vault?

Secrets engines are Vault components which store, generate or encrypt secrets. In Your First Secrets tutorial, you used the key/value v2 secrets engine to store data. Some secret engines like the key/value secrets engines simply store and read data. … Other secret engines provide encryption as a service.

How does HashiCorp Vault store keys?

SSH keys to connect to remote machines are shared and stored as plaintext. API keys to invoke external system APIs are stored as plaintext. An app integrates with LDAP, and its configuration information is in plaintext.

What is the HashiCorp key vault?

HashiCorp Vault enables organizations to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys for protecting secrets and other sensitive data using a UI, CLI, or HTTP API.

What is the storage backend in Vault?

The storage stanza configures the storage backend, which represents the location for the durable storage of Vault’s information. Each backend has pros, cons, advantages, and trade-offs. For example, some backends support high availability while others provide a more robust backup and restoration process.

What is Vault cloud?

Vault Cloud provides premium, full-service cloud computing solutions with Australia’s highest security standards. Built on advanced OpenStack architecture with powerful Intel processors, lightning-fast solid-state storage, and AI and machine learning accelerators, it also delivers unparalleled performance.

Rajesh Kumar