Use cases of HashiCorp Vault

Mateusz Wilczyński, CTO

Hashicorp Vault is a popular tool for securely storing and accessing sensitive information, such as passwords, API keys, and certificates. It does this through “secrets engines”: plugins that extend Vault’s functionality and enable it to store and manage various types of secrets.

Secrets engines offer different functionality, from simply storing and reading data, through generating dynamic credentials on demand, to providing services like encryption, TOTP generation, certificate issuance, and much more.

In this article, we’ll take a look at some of the most valuable use cases of Hashicorp Vault and the secrets engines that are used to deliver that functionality.

If you’re new to Hashicorp Vault, check out our previous article via https://exlabs.com/insights/hashicorp-vault_is-it-worth-it 

Storing Static Secrets

This functionality is delivered by the KV secrets engine, which is Vault’s most essential and widely used secrets engine. It allows you to store and manage simple key-value pairs of secrets, such as passwords and API keys. The KV secrets engine comes in two versions: KV v1 and KV v2.

KV v1 is the original version of the secrets engine and has a simple key-value storage model. It uses less storage per key and performs slightly better than v2 because it does not store additional metadata.

KV v2, on the other hand, offers more advanced features, such as data versioning. Versioning lets you soft-delete, undelete, or permanently destroy data, and each of these operations can be granted through a different permission set. Additionally, you can use Check-and-Set (CAS) operations to avoid overwriting data unintentionally.
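To make the KV v2 rules concrete, here is an added example (not Vault’s own code, and not from this article) that models one secret path in memory: versioned writes with Check-and-Set, `max_versions` pruning, soft delete, undelete, and destroy. The class and function names are our own; the behaviour mirrors what the paragraph above describes.

```python
# Added illustration (not Vault's code): in-memory model of KV v2 versioning, CAS and delete/undelete/destroy.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Version:
    data: Optional[dict]    # None once destroyed: the data is gone for good
    deleted: bool = False   # soft-deleted: data is kept, but reads return nothing

class KVv2Secret:  # one secret path in a KV v2 mount, with max_versions pruning
    def __init__(self, max_versions: int = 10):
        self.max_versions = max_versions
        self.versions: dict = {}
        self.current = 0  # latest version number; 0 means the path was never written

    def write(self, data: dict, cas: Optional[int] = None) -> int:
        # cas=0 allows only creating a path that has no versions yet;
        # cas=N allows a write only while N is still the current version.
        if cas is not None and cas != self.current:
            raise PermissionError(
                f"check-and-set parameter did not match the current version ({self.current})")
        self.current += 1
        self.versions[self.current] = Version(dict(data))
        while len(self.versions) > self.max_versions:  # prune the oldest versions
            del self.versions[min(self.versions)]
        return self.current

    def read(self, version: Optional[int] = None) -> Optional[dict]:
        v = self.versions.get(version or self.current)
        if v is None or v.deleted or v.data is None:
            return None  # missing, soft-deleted and destroyed versions return no data
        return dict(v.data)

    def delete(self, version: int) -> None:     # soft delete: reversible
        self.versions[version].deleted = True

    def undelete(self, version: int) -> None:   # restores a soft-deleted version
        self.versions[version].deleted = False

    def destroy(self, version: int) -> None:    # permanent: undelete cannot bring it back
        self.versions[version].data = None

# Helper for the checks: True if a write with this CAS value is refused.
def cas_rejected(secret: KVv2Secret, data: dict, cas: int) -> bool:
    try:
        secret.write(data, cas=cas)
        return False
    except PermissionError:
        return True
```

Note that a policy granting only `read` on the data path gives none of the delete, undelete or destroy operations; those are separate paths in a real KV v2 mount, which is what allows the per-operation permissions mentioned above.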

Short-lived Cloud Identity-Based Access

Let’s take a look at this challenge from the perspective of AWS and the corresponding AWS secrets engine. This engine allows you to securely store and manage AWS access credentials. It also dynamically generates AWS credentials based on IAM policies. Such credentials are time-limited, and Vault automatically revokes them on the AWS side when the Vault lease expires.

The engine supports generation of the following credential types: IAM User, STS AssumeRole, and STS Federation Tokens.

Similar secrets engines exist for Azure, Google Cloud, and even AliCloud. They are particularly useful in multi-cloud and hybrid-cloud setups: users authenticate to Vault, and Vault generates the appropriate cloud credentials with the proper access, without creating and managing a separate account for each user in each cloud.

Generating dynamic secrets for databases

Hashicorp Vault offers a dedicated secrets engine for each major database: PostgreSQL, MySQL, MSSQL, Elasticsearch, MongoDB, and Snowflake.

The database secrets engine generates dynamic credentials for your applications. For example, it can help grant application access to specific databases or tables and revoke access when it is no longer needed. The database secrets engine also supports rotating credentials on a scheduled basis for improved security.

The database engine generates a unique username on the database side for each service that accesses it, which gives you much better auditing possibilities.

Enhanced SSH access control

This functionality is delivered by the SSH secrets engine, which offers secure authentication and authorisation to access hosts via the SSH protocol.  

The engine supports the following modes:

  • Signed SSH Certificates – the most straightforward, powerful, and platform-agnostic solution. It is built on Vault’s CA (Certificate Authority) capabilities.
  • One-time SSH Passwords – Vault generates a One-Time Password each time a client wants to SSH into a remote host.
  • Dynamic SSH Keys (deprecated) – Vault generates a new SSH key pair for each client and saves the newly generated public key on the host. This method is deprecated and not recommended because of its security drawbacks.

Owning Public Key Infrastructure

The PKI secrets engine enables you to manage your own public key infrastructure (PKI) within Vault. The engine generates dynamic X.509 certificates.

It can be useful for generating SSL/TLS certificates for your applications and servers. Additional features like auditing, telemetry, and fine-grained role-based access are also available. 

Conclusion

Hashicorp Vault supports a wide range of use cases across many types of organisations and circumstances, each delivered by a dedicated secrets engine. The KV, cloud, database, SSH, and PKI secrets engines are Vault’s most valuable and widely used ones. Using them, you can securely store and manage sensitive information and grant your applications the access to resources they need.