Where should I store the Unseal Key and Root Token for HashiCorp Vault?
The Vault will be used by various members on the team.
Unsealing is the process by which your Vault root key (previously known as master key) is used to decrypt the data encryption key that Vault uses to encrypt all data.
By default the Vault CLI provides a built-in tool for authenticating with any of the enabled authentication backends. Once authenticated, the CLI will store the generated token on disk in the ~/.vault-token file.
In best-practice usage, you wouldn't be storing a root token - once done with it, it should be revoked.
Root tokens are useful in development but should be extremely carefully guarded in production. In fact, the Vault team recommends that root tokens are only used for just enough initial setup (usually, setting up auth methods and policies necessary to allow administrators to acquire more limited tokens) or in emergencies, and are revoked immediately after they are no longer needed.
If a new root token is needed, the operator generate-root command and associated API endpoint can be used to generate one on-the-fly.
Unseal keys should be distributed amongst trusted people, with nobody having access to more than one of them.
This then requires more than one person to restart Vault or to gain root access to it.
The documentation doesn't suggest any good hiding places for the individual unseal keys that I could find - I'd suggest wherever you normally store passwords, i.e. a password manager.
For day-to-day usage, users can log in using the user/pass or ldap auth backends.
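The bootstrap sequence the answers above describe, as an added example that is not part of the original question or answers: initialise Vault with several key shares and a threshold, use the initial root token only long enough to enable userpass and create an admin user, revoke the root token, and hand out the unseal shares one per person. The `vault` CLI on PATH, `VAULT_ADDR` pointing at a freshly started and uninitialised Vault, the 5-of-3 share split, the user name `alice`, and the wide-open `admin` policy are all assumptions for illustration; the sample init output in the block is constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not the original answers' code). Bootstraps a new Vault so the
# root token never needs storing: init with 5 shares / threshold 3, set up a
# userpass admin with the root token, revoke it, then hand out the shares.
# Assumptions: `vault` CLI on PATH, VAULT_ADDR set to an uninitialised Vault,
# placeholder admin user "alice" and a placeholder catch-all admin policy.
set -eu

KEY_SHARES=5
KEY_THRESHOLD=3
ADMIN_USER="${ADMIN_USER:-alice}"

# Constructed sample of the text `vault operator init` prints (keys/token are
# fake). Used only for the offline demo and for testing the parse helpers.
SAMPLE_INIT_OUTPUT='Unseal Key 1: share-one
Unseal Key 2: share-two
Unseal Key 3: share-three
Unseal Key 4: share-four
Unseal Key 5: share-five
Initial Root Token: hvs.example-root-token

Vault initialized with 5 key shares and a key threshold of 3.'

# Parse helpers: pull the shares and the root token out of init output on stdin.
unseal_keys() { sed -n 's/^Unseal Key [0-9][0-9]*: *//p'; }
root_token()  { sed -n 's/^Initial Root Token: *//p'; }

bootstrap() {
  # Keep the init output in a variable, never in a file or the shell history.
  INIT_OUT=$(vault operator init -key-shares="$KEY_SHARES" -key-threshold="$KEY_THRESHOLD")
  ROOT=$(printf '%s\n' "$INIT_OUT" | root_token)

  # Unseal with a threshold of shares. In a real ceremony each holder runs
  # `vault operator unseal` themselves and types only their own share, so no
  # share ever appears on another person's command line.
  printf '%s\n' "$INIT_OUT" | unseal_keys | head -n "$KEY_THRESHOLD" | while read -r k; do
    vault operator unseal "$k" >/dev/null
  done

  # Pass the root token through the environment instead of `vault login`, so it
  # is never written to ~/.vault-token. The policy below is a placeholder:
  # narrow it to what your admins actually need.
  export VAULT_TOKEN="$ROOT"
  vault auth enable userpass
  vault policy write admin - <<'EOF'
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF
  printf 'Password for %s: ' "$ADMIN_USER"
  stty -echo; read -r ADMIN_PW; stty echo; echo
  vault write "auth/userpass/users/$ADMIN_USER" password="$ADMIN_PW" token_policies=admin

  # The root token's job is done: revoke it. If one is ever needed again,
  # `vault operator generate-root` mints a fresh one from a threshold of shares.
  vault token revoke -self
  unset VAULT_TOKEN

  # One share per holder, into each holder's own password manager; the person
  # who ran init must not keep a copy of the others.
  echo "Distribute these shares, one per person, and keep no copy:"
  printf '%s\n' "$INIT_OUT" | unseal_keys | awk '{ printf "  holder %d: %s\n", NR, $1 }'
  unset INIT_OUT ROOT ADMIN_PW
}

if [ "${1:-}" = "--run" ]; then
  bootstrap
else
  # Offline demo against the constructed sample: show what would be handed out.
  echo "Dry run (pass --run against a real Vault). Parsed from sample output:"
  printf '%s\n' "$SAMPLE_INIT_OUTPUT" | unseal_keys | awk '{ printf "  holder %d: %s\n", NR, $1 }'
  printf '  root token (to be revoked after setup): %s\n' \
    "$(printf '%s\n' "$SAMPLE_INIT_OUTPUT" | root_token)"
fi
```

Run it without arguments to see the parse on the constructed sample, and with `--run` against a real server. Passing shares as arguments to `vault operator unseal` is convenient for a lab; for production, let each holder run the command interactively so their share never appears in a process list or history, and store each holder's share in their own password manager as the answer above suggests.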