open-vault/website/source/docs/concepts/response-wrapping.html.md
2016-05-19 13:33:51 -04:00

2.7 KiB

layout page_title sidebar_current description
docs Response Wrapping docs-concepts-response-wrapping Wrapping responses in cubbyholes for secure distribution.

Response Wrapping

In many Vault deployments, clients can access Vault directly and consume returned secrets. In other situations, it may make sense to or be desired to separate privileges such that one trusted entity is responsible for interacting with most of the Vault API and passing secrets to the end consumer.

However, the more relays a secret travels through, the more possibilities for accidental disclosure, especially if the secret is being transmitted in plaintext.

In Vault 0.3 the cubbyhole backend was introduced, providing storage scoped to a single token. The Cubbyhole Principles blog post described how this, along with the limited-use and time-to-live features of Vault tokens, could be used to securely authenticate a Vault client in such a way that the final Vault token was only readable by the end consumer, and malfeasance could be detected. The major downside to this operation was the need to write programs to perform this wrapping (and by extension, those programs need to be trusted).

Starting in 0.6, this concept is taken to its logical conclusion: almost every response that Vault generates can be automatically wrapped inside a single-use, limited-time-to-live token's cubbyhole. Details can be found in the cubbyhole backend documentation.

This capability should be carefully considered when planning your security architecture. For instance, many Vault deployments use the pki backend to generate TLS certificates and private keys for services. If you do not wish these services to have access to the generation API, a trusted third party could generate the certificates and private keys and pass the resulting wrapping tokens directly to the services in need. A simple API call will return the original PKI information; if the call fails, a security alert can be raised.

To look at the above example another way, response wrapping also frees end services from needing to generate a CSR and pass it to Vault through the trusted third party simply to ensure that the private key corresponding to the eventual certificate remains private. The end service can be assured that only it will see the generated private key and that any malfeasance is detected. This can significantly reduce the complexity of any relaying third party.