Hashicorp Vault on Kubernetes with Auto-Unseal

Eric Liu, published in ITNEXT, 10 min read, Feb 26, 2019


Is it really self-recovery and automation-friendly? What is the catch?

Secrets management and data protection are critical. However, most solutions on the market are not designed for DevSecOps: they do not treat security as code. Instead, they are driven by manual configuration and snowflake changes, and in some organizations dedicated vendor-specific consultants have to be hired just to maintain the resulting snowflake server.

DevSecOps Manifesto

Leaning in over Always Saying “No”
Data & Security Science over Fear, Uncertainty and Doubt
Open Contribution & Collaboration over Security-Only Requirements
Consumable Security Services with APIs over Mandated Security Controls & Paperwork
Business Driven Security Scores over Rubber Stamp Security
Red & Blue Team Exploit Testing over Relying on Scans & Theoretical Vulnerabilities
24x7 Proactive Security Monitoring over Reacting after being Informed of an Incident
Shared Threat Intelligence over Keeping Info to Ourselves
Compliance Operations over Clipboards & Checklists

Hashicorp Vault OSS provides a full-featured, code-friendly solution for secrets management, encryption as a service, privileged access management, dynamic secrets, leasing and renewal, and more.

I have tried several impressive functionalities including the AWS Auth backend, Kubernetes Auth backend, dynamic MySQL secrets, dynamic AWS access credentials, etc. They are super easy to set up and automation-friendly.

Before Hashicorp Open Sourcing Auto-unseal

As you may know, auto-unseal was previously available only to Vault Enterprise customers. In December 2018, Hashicorp announced Vault 1.0 and the availability of auto-unseal in Vault OSS.

Auto unseal was developed to aid in reducing the operational complexity of unsealing Vault while keeping the master key secure. This feature delegates the responsibility of securing the master key from operators to a trusted device or service.
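As an added illustration (not from the original post), here is what that delegation looks like in a Vault server configuration file. With no seal stanza Vault uses the default Shamir seal and operators must submit key shares by hand; adding a seal stanza hands master-key protection to a trusted service, assumed here to be AWS KMS (the key id and region are placeholders).

```hcl
# Added example: Vault server config (vault.hcl) with auto-unseal.
# Assumes AWS KMS as the "trusted service"; key id and region are placeholders.

storage "file" {
  path = "/vault/data"
}

listener "tcp" {
  address     = "0.0.0.0:8200"
  # Placeholder paths; in a cluster these are mounted from a Secret.
  tls_cert_file = "/vault/tls/tls.crt"
  tls_key_file  = "/vault/tls/tls.key"
}

# Without this stanza Vault falls back to the Shamir seal: after every
# restart an operator has to run `vault operator unseal` with enough
# key shares to meet the threshold chosen at `vault operator init`.
#
# With it, Vault wraps the master key with the KMS key on init and
# asks KMS to unwrap it on startup, so no human touches unseal keys.
# The IAM identity Vault runs under only needs kms:Encrypt, kms:Decrypt
# and kms:DescribeKey on this one key; keep the key policy that narrow,
# because whoever can call Decrypt on it can unseal Vault.
seal "awskms" {
  region     = "us-east-1"                 # placeholder
  kms_key_id = "REPLACE-WITH-KMS-KEY-ID"   # placeholder
}
```

Note that auto-unseal does not replace the recovery keys that `vault operator init` prints; those are still needed for privileged operations and should be stored as carefully as Shamir unseal keys were.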

Before we dive into how awesome auto-unseal is, let’s take a look at what we had to do manually with older versions of Vault.
