Vault Associate Certification Internals
1 like442 views
Vault Associate Certification Part 1 Internals Notes. This will be series of documents which will go through all components to achieve the certification.
More Related Content
Similar to Vault Associate Certification Internals (20)
Recently uploaded (20)
![[QUICK TALK] "Coaching 101: How to Identify and Develop Your Leadership Quali...](https://cdn.slidesharecdn.com/ss_thumbnails/softskillsfwdays25ilonalesko-250317075721-cb56ed6c-thumbnail.jpg?width=560&fit=bounds)
Vault Associate Certification Internals
- 4. OVERVIEW THESE NOTES FOLLOW HASHICORP SPECIFIC STRUCTURE FOUND HERE s HTTP www.VAVLTPROJECT.IO Docs INTERNALS SECURITY OVERVIEW ARCHITECTURE PROPERTIES FUNCTIONS WHAT IS VAULT eggs EffFE sAEEffffs TIGHTSECURITY CONTROLS AUDIT LOGS L v s API keys PASSWORDS CERTS
- 5. FEATURES SECURE 1 SECRET SECRET ENCRYPTION STORAGE STORAGE PROVIDETEMPACCESS to APP 2 DYNAMIC 4 SECRETS r 3 I I NEED v ACCESS GENERATE ENCRYPT ENCRYPT AND DATA ENCRYPTION i DATA DECRYPT WITHOUT DECRYPT STORINGINVAULT LEASING AND a REVOCATION SECRETRENEWAL ALLSECRETSHAVE Ability toRevokeLEASEASSOCIATED entiretree of secrets
- 6. ARCHITECTURE HTTPS IAPI TOKENSTORE POLICYSTORE AUDIT CORE ROLLBACKMGR EXPIRATIONMGR BROKER d AUDITw PATH ROUTING DEVICE A SYSTEM SECRET AUTH AUDIT BACKEND ENGINE METHOD DEVICE STORAGEBACKEND 0 HTTPS API EXTERNALFACING t BARRIER Vault Startsin Sealed state 1 MustUnseal Mustbe How Unsealed V Unsealkeys Alldata to Howsthrough SHAMIR'SSECRETSHARING Algorithm cryptographic barrier seal
- 7. SHAMIRS SECRET SHARING ALGORITHM ENCRYPTION MASTER KEY KEY SHARES s I 2 ABLETO DECRYPT DATA L ENTERUIVSEALED STORAGE STATE BACKEND UNSEALED Loads all audit devices Auth methods VAULT Secrets Engines ONCEUNSEALED REQUESTSCANBE Managethe flow of requestsPROCESSEDBYTHE CORE CORE Enforce ACLs Audit logging
- 8. I 1 Authentication O CORE MA f D 2 RETURN LIST OF POLICIES Named ACLS VAULT OPERATES EXCLUSIVELY IN WHITELIST MODE Access must be explicitly granted 2 O o or my TOKEN STORE HERE AREMY 1 CLIENTTOKENGENERATED f POLICIES j ATTACH LEASE 0 I f REQUEST SECRET CORE 2 SECRET ENGINE IIFiiiIIII N r CLIENT TOKEN I'MTelling 4 i.e Returning Secret EXPIRATION MANAGER 3 Attaching lease ID
- 9. HIGH AVAILABILITY DESIGN MINIMISE DOWNTIME GOAL NOT TO BE140120NTALLY SCALABLE BOUND13410 NOT CPU HA MODE STATE EITHER L J IF aSEALED STANDBY 7 ACTIVE FAILS NETWORKCONNECTIVITY SEND THEN X PROCESSREQUESTS HERE v SEND TO STANDBY MUST BEUNSEALED PERFORMANCE is SIMILAR TO STANDBY BUT STANDBY CAN SERVICEREADONLY REQUESTS NODES SCALE NODES I 2 3 4 5 V SCALE IOPS HORIZONTALLY
- 10. INTEGRATED STORAGE VAULT INTEGRATED STORAGE t l t l t l v s 17A REPLICATION BACKUPAND RESTORE WORKFLOWS RAFT CONSENSUS PROTOCOL BASED ONPAXOS BUTSIMPLER CANSOMEONE EeiiEIIIIII VOTEFORME tfIfD Ok PEERNODE NODE START CANDIDATE STATE I WILLPROMOTE MYSELF te Np LEADERGREAT I CANACCEPT FOLLOWER IDEA STATE LOG ENTRIES STATE FROM A LEADER ICANACCEPTNEW GENTRIES AND I CAN VOTE REPLICATE TO ALLTHEOTHER FOLLOWERS NO ENTRIES FOR AWHILE
- 11. RAFT CONSENSUS PROTOCOL CONTINUED LEADER CLIENT REQUEST 1 APPEND A NEW LOG ENTRY 2 REPLICATE TO STORAGE FOLLOWERS 3QUORUM COMMITTED GO KEY VALUE Collection offinite STORE Stateswithtrasitions FINITE betweenthemAsnew STATE logsare appliedFSMis MACHINE allowedtotransitionbetween BOLTDB StatesApplicationoflogs Mustresultinthesamestate Deterministic This is the FSM AllowsVault whichmaintains snapshots to be cluster state very lightweight RECOMMENDED I 2 3 4 5 3 or 5 NODES DUE TOQUORUM
- 12. CONFIDENTIALITY SECURITY MODEL INTEGRITY AVAILABILITY ACCOUNTABILITY AUTHENTICATION EAVESDROPPING CONFIDENTIALITY OF STORED SECRETS 9 TAMPERING WITHDATA HREAT MODEL ACCESSTO DATA CONTROLS WITHOUT ACCOUNTABILITY ACCESSTODATA v WITHOUT AUTH AVAILABILITY OFDATA IN THE FACE OF FAILURE VAULTVALIDATES CLIENTTOKENAND a 2MAN RULEFOR NOTEXPIREDREVOKED UNSEALUSING INTERNAL SHAMIRSECRETSHARING DEFAULT a THREAT MUST BE ROOT FOR DENY SPECIFICTASKS EXTERNAL 256 BIT AES IN TL5t Gcm WITH 96 BIT TOKEN THREAT noncesFORALLDATA LEAVINGVAULT J CLIENT UNTRUSTED BY STORAGE DESIGN BACKEND ENCRYPTED
- 13. TELEMETRY TELEMETRY VAULT SERVERCOLLECTS VARIOUS RUNTIMEMETRICS I VIEW RAW DATA PERFORMANCE OF DIFFERENT 7 WIN BREAK LIBRARIESANDSUBSYSTEMS SENDSIGNALTO VAULT PROCESS LINUX 05121 v AGGREGATED AT RETAINED FOR 10SECONDINTERVALS 1 MINUTE AUTH METHODS r MERKLETREE AND REPLICATION WRITEAHEAD LOG POLICY AND TOKEN METRICS AUDIT INTEGRATED SECRET ENGINE RAFT in STORAGE CORE LEADERSHIPCHANGES RUNTIME I INTEGRATED STORAGE RAFT BACKEND STORAGE
- 14. TOKEN AUTHENTICATION TOKEN CORECLIENTAUTH AUTH 7 BUILT IN TOKEN ID Primary ID Randomly Generated Display Name Properties Meta data for auditlogging Immutable Number of Uses Optional Once Created ParentID Optional Parent created token Policies associated list of ACL policies SourcePath Path generated TOKENCREATED auth token create I Parent Toker TOKEN TREES Child tokens from subset of parent policies Tokenrevoked entire subtree revoked
- 15. KEY ROTATION START VAULT SEALED STATE UNSEAL 5 KEYS SHAMIR'SSECRET KEY ROTATION CHANGE UNSEAL KEYS MASTERKEY BACKENDENCRYPTION KEY OPERATION ROTATE CHANGE ENCRYPTION KEY 7 v u CANBEDONE NEW KEYGENERATEDAND REILEY c ONLINE ADDED TO KEYRING MEETTHRESHOLD GENERATE s OFCURRENTUNSEAL MASTERKEY KEYS
- 16. REPLICATION VAULT ENTERPRISE FOCUS ON HAFOR a REPLICATION PRIMARY SECONDARYG N GLOBALDEPLOYMENTS ASYNCHRONOUS REPLICATION SCALETHROUGHPUT USE CASES MULTI DCDEPLOYMENTS SINGLEVAULTCLUSTER IMPOSESHIGHLATENCY ENCRYPTIONASSERVICE v USERSMAYGENERATE Backup sites HIGHVOLUMEOFTRAFFIC BCPFORLOSSOFDC SIMPLE To DESIGN GOALS AVAILABILITY OPERATE TOLERATEREDUCED CONSISTENCY NEARREALTIME CONFLICT TRANSPARENTTO FREE CLIENTS 1 WRITECONFLICTS DO NOTTAKEPLACE
- 17. REPLICATION ARCHITECTURE BASED ONDESIGN GOALS TEBACKEND CONSUL y STORAC THATSUPPORTSTRANSACTIONAL UPDATES MULTIPLE KEYHALVEUPDATES ATOMICALLY WRITESAREVISIBLE REPLICATION I 4 CLUSTER MAINTAIN A LOGSHIPPING WRITE AHEAD LOG WAL L S OFALLUPDATES REPLICATE PRIMARY SECONDARY CHANGES f t AUTHORITATIVE READSECRETS PERFORM 1 SENDDATATHROUGH TRANSIT LOG WRITETOSTORAGE FORWARDWRITES TO PRIMARY SHIPPING 1 I 1 IF SECONDARY15 MODIFYPOLICY MODIFYSECRETS NEWORTOOFAR BEHINDprimary 1NOTENOUGHWALS BROKENCONNECTION SOURCE 1 PRIMARY X SECONDARY op VAULTMAINTAINS TRUTH MERKLEINDEX OFENCRYPTED WRITESCONTINUE FEETYED KEYS r STAYLOCAL NOREPLICATION TOKENSORLEASES PRIMARY COMPARETO SECONDARY VENTMUST WHICHKEYS UT AUTHIFSWITCH OFSYNC OSTERS PERFORMANCE I INDEXUPDATED IN COULD BEPOWER MEMORY Loss ? CONSISTENCY OF INDEX6000TOF INDEX UNDER T SYNC FAIL CONDITION ARIES ALGORITHM
- 18. PLUGIN SYSTEM COMMUNICATES OVER RPC COMPLETELY SEPERATE STANDALONE APPLICATIONS ALL AUTH AND SECRET PLUGINSBACKENDS DOES NOT SHARE SAME MEMORY SPACE TREATBUILTIN ANDEXTERNAL PLUGINLIKE PLUGIN CAN NOT CRASH VAULT ENTIRELYLEGO