What is Vault?

Vault serves as an identity-based system for managing secrets and encryption. A secret encompasses any sensitive information, like API keys, passwords, and certificates, that requires strict access control. Vault ensures secure storage, management, restricted access, and auditability of such sensitive data through its UI, CLI, or HTTP API.

In modern systems, a diverse range of secrets, including database credentials, API keys, and communication credentials, are essential. Tracking who accesses which secrets, especially across different platforms, can be challenging. Vault addresses this by facilitating key rotation, secure storage, and comprehensive audit logs.

Vault authenticates and authorizes clients (users, apps) before granting them access to stored sensitive data or secrets.

How Vault Operates

Vault's primary operation revolves around tokens, each linked to a client's policy. Policies are path-based and govern which actions each client may perform and which paths it can access. Tokens can be manually created and assigned to clients, or clients can log in to obtain one. The following outlines Vault's core workflow:

  1. Authenticate: Clients provide information for Vault to verify their identity. Once authenticated, Vault generates a token associated with a policy.

  2. Validation: Vault validates the client against trusted third-party sources like GitHub, LDAP, AppRole, and others.

  3. Authorize: Clients are matched against the Vault security policy, which defines their access to API endpoints with their Vault token.

  4. Access: Vault grants access to secrets, keys, and encryption capabilities by issuing a token based on policies associated with the client’s identity.
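
The policy check behind steps 3 and 4, as an added example that is not Vault's own code: a simplified Python model of how the path-based policies linked to a token decide access. It assumes exact paths and trailing-`*` globs only; the policy names, paths and token values are constructed sample data.

```python
# Simplified model of Vault's token -> policy -> path check (added example,
# not Vault source). Policy names, paths and tokens are constructed samples.
POLICIES = {
    "app1-read": {
        "secret/data/app1/*": {"read", "list"},
        "secret/data/app1/admin": {"deny"},
    },
    "app1-write": {"secret/data/app1/*": {"create", "update"}},
}
# Tokens as issued after a successful login, each linked to policies.
TOKENS = {"token-reader": ["app1-read"],
          "token-writer": ["app1-read", "app1-write"]}


def merged_rules(policy_names):
    """Union capabilities of identical path patterns across policies."""
    rules = {}
    for name in policy_names:
        for pattern, caps in POLICIES.get(name, {}).items():
            rules.setdefault(pattern, set()).update(caps)
    return rules


def capabilities(token, path):
    """Return the capabilities the token holds on path (empty = denied)."""
    rules = merged_rules(TOKENS.get(token, []))
    if path in rules:  # exact match is the most specific rule
        caps = rules[path]
    else:  # otherwise the longest matching "prefix*" glob wins
        globs = [p for p in rules if p.endswith("*") and path.startswith(p[:-1])]
        caps = rules[max(globs, key=len)] if globs else set()
    return set() if "deny" in caps else set(caps)  # deny overrides the rest


def is_allowed(token, path, capability):
    """Default deny: unknown token, unmatched path or missing capability."""
    return capability in capabilities(token, path)


if __name__ == "__main__":
    for tok, path, cap in [
        ("token-reader", "secret/data/app1/db", "read"),
        ("token-reader", "secret/data/app1/db", "update"),
        ("token-writer", "secret/data/app1/admin", "read"),
        ("token-reader", "secret/data/app2/db", "read"),
    ]:
        print(tok, cap, path, "->", is_allowed(tok, path, cap))
```

The exact-path deny on `secret/data/app1/admin` still blocks the writer token even though its glob rule would otherwise grant access, and any path no rule matches is denied.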

Why Vault?

Many enterprises grapple with scattered credentials stored in various places, including plain text, source code, and config files. This widespread distribution makes it challenging to track and control access. It also increases the risk of malicious attacks. Vault centralizes credentials, reducing exposure. It also ensures proper authentication, explicit authorization, and maintains an audit trail.

Key Features of Vault

  1. Secure Secret Storage: Vault encrypts arbitrary key/value secrets before storing them in locations like disk, Consul, and more.

  2. Dynamic Secrets: Vault generates on-demand secrets for systems like AWS or SQL databases, automatically revoking them after a set time.

  3. Data Encryption: Vault can encrypt and decrypt data without storing it, streamlining encryption processes.

  4. Leasing and Renewal: Every secret has an associated lease, and Vault automatically revokes the secret at the end of the lease term.

  5. Revocation: Vault supports secret revocation, aiding in key rolling and security in case of intrusion.

By using an attestation/provisioning plugin, Enclaive avoids duplicating Vault functionality within its attestation software. This approach simplifies the adoption of enclaved applications, supports a mixed-use environment, and enhances security by relying on well-established open-source code.
