Hashicorp Vault for file storage?
Asked Answered
P

2

7

I'm expecting to save a lot of documents of considerable size, from 1M to potentially multiple orders of magnitude larger. I know Hashicorp's Vault is great for secret keys and smaller values. I would love to get the "glass break" functionality and the key rolling functionality from it.

Has anyone done any benchmarking of Vault with large secrets? I'm presuming I'm not going to have trouble with the number of secrets in the vault?

Polecat answered 16/1, 2016 at 19:14 Comment(1)
If you want to avoid the heavy IO to vault and store the data externally, you could also consider keeping some encryption key in Hashicorp Vault, but use Ansible Vault to encrypt the data on disk (with the key stored in Hashicorp Vault).Ringside
C
5

The performance would depend entirely on the storage backend you use. If your doing something like a repo for secrets with fine grain access control, then you probably wouldn't need HA so filestore backend would be fine, and you could use SSDs to have fine performance.

I would advise against using the Transit backend to encrypt and store files for several reasons:

1.) Migration from 1 storage backend to another (like file storage to an HA backend) is relatively easy/straight forward if you're only using KV, when you use the advanced features of vault, it's not always easy/possible. (BTW migration between backends is a relatively new feature I noticed it in Vault 1.0++)
2.) You can list all secrets stored in KV store and you have versioning. You'd have to code this yourself if you went with Transit.
3.) Transit wasn't designed for that, wrong tool for the job, KV is what you're looking for.


If you want to store large files inside of Vault:
Don't use Consul by itself (or you'll be limited to 0.5mb max size)
It should be possible to start with:

storage "file" { path = "C:/Vault" }

and then transition to S3/Azure Blob + Consul, when you need HA

ha_backend "consul" {...}
storage "s3" {...} 

(I'd recommend you do a PoC to confirm you can transition.)

Note: In practice I've found I'm never storing a secret larger than 0.375mb, so Consul by itself is fine. It's a simpler setup and you can do point in time live snapshots. Plus if you find you need the space in the future, you can just migrate your storage backend.


Also you should still avoid large file sizes for the following reason of inconvenience/overhead:
Vault is a Key Value store that uses the following syntax:

vault kv put secret/KEY key=value
vault kv put secret/dev config.json=base64'dstring

If you want to store a binary file or multiline string you need to base64 it to convert it to a 1 line string, and store that as the value. Well if you end up with a 300mb file, you'd have to make a 400mb base64 encoded string. (Since base64 encoding adds a consistent 33% overhead)

If you really wanted to do this in a scalable way:
I think the ideal way to do this would be to store symmetric encryption/decryption keys + Encrypted File Location in Vault. Use Consul as your Vault Backend. Use S3 as your File Storage.

If I was going to do it I'd host Consul + Minio/Rook/Ceph(Self Hosted S3) on Kubernetes + 2-3 vault servers either on Kubernetes as well, or for top security on Intel SGX enabled boxes with Vault SCONE Secure Enclaves (encrypted ram) to protect against Spectre/Meltdown/0 day root access memory dump exploits. And store the files symmetrically encrypted on your DIY S3, and the decryption keys + file location references in Vault, and then some middle ware to abstract that out. (I only suggest self hosted S3 so you can be multi cloud + 100% Infrastructure as Code, but yeah mix and match parts of the design to your requirements.)

Colmar answered 21/1, 2019 at 6:8 Comment(4)
Also you can just copy and paste multiline strings as values in the Web UI now I noticed.Colmar
More Details, like code on how to store and retrieve a binary file from vault: #53710632Colmar
github.com/adobe/cryptr Here's a really nice GUI for uploading files. It's a little odd though, because in the Hashi Web GUI you'd say KVv2/path In the adobe cryptr, you'd say KVv2/data/path. Note you also write policies based on KVv2/data/pathColmar
Vault HTTP API imposes a maximum request size of 32MB to prevent a denial of service attack. This can be tuned per listener block in the Vault server configuration.Colmar
C
2

Instead of using Vault to actually store the files, you could use the Transit backend to encrypt your files and store them externally.

This would allow you to store your files wherever you normally store them, while gaining access to Vault's secret management features.

Chios answered 26/9, 2016 at 12:4 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.