Introduction

Overview of Hashicorp Vault

Hashicorp Vault is a popular tool for secrets management, encryption as a service and privileged access management.

Organizations use Vault to ensure that secrets are not disseminated in multiple places (configuration files, source control management systems, scripts) and are only accessed by authorized parties [1].

To secure the secrets, Vault encrypts the data using a master key, which is not stored on disk but can be recreated in memory through a process called Unsealing. Instead of storing the master key, or distributing it to administrators, Vault splits the master key into multiple key-shares that can be used to recreate the master key. This process, documented in the Vault Seal/Unseal documentation, ensures that the master key is not stored in a single place (filesystem, database, etc.), and makes it more difficult to compromise the master key.

However, since the master key is not readily available upon Vault startup (or upon host reboot), automating the deployment of Vault securely becomes difficult since coordinated manual operations are required on every node of a Vault cluster.

To enable such automation, Vault has added features to enable integration with various HSM (Hardware Security Modules), or Cloud KMS (Key Management Systems), which can be used to store the Vault master key. Unfortunately, there are many deployment scenarios where HSM or KMS solutions are not available, not allowed (due to reluctance to store the master key with the cloud provider), or too costly.

Moreover, such solutions often end up insecure, to the extent that the external storage of the master key adds little value. The problem is that, to fetch the master key from the HSM (or Cloud KMS), Vault needs to authenticate itself to the HSM, and it uses credentials that are completely exposed to anyone with access to the host running Vault. This is often referred to as the Secret-zero problem.

One example is using a PIN code to authenticate to an HSM: the PIN code is stored in the clear in a configuration file (vault.hcl), and anyone with access to this configuration file would be able to fetch the master key from the HSM pretending to be the Vault server.

The Anjuna Unseal tool provides a convenient and secure solution for “unsealing” Vault by leveraging a novel Secure Enclave technology within commodity Intel processors.

Secure Enclaves

A best practice for securing sensitive applications and data is encryption. While encrypting data at-rest and in-transit are well-recognized practices with existing solutions, runtime application security has been an unsolved problem. Plaintext code and data are exposed in memory at runtime, and that information can include sensitive data and keys for data encryption at-rest and in-transit. Data that is encrypted at-rest or in-transit needs to be decrypted in order to operate on it, and at that point becomes vulnerable in the absence of runtime protection.

Anjuna provides runtime protection for sensitive applications and their data regardless of the state of the infrastructure security, and without modifying the source code or recompiling the application, thus seamlessly integrating into existing DevOps processes.

It uses the following constructs provided by secure enclaves in modern processors:

  • Memory Isolation: Completely isolates the memory of an application from anything else on that machine including the operating system. Data never leaves the secure enclave unencrypted. No one can access the memory, not even with root or physical access to the system.
  • Remote Attestation: Ensures a secure, trusted channel to the back-end server application and provides integrity by validating that the expected code is running in the expected environment.

Conventional approaches to securing applications have relied primarily on software to provide protection. However good the software implementation may be, an attacker who is able to gain privileged access would be able to circumvent software defenses. A recent and disruptive technology introduced in many new processor models provides a better security and privacy model. It essentially enables an application to run in an environment that is isolated from the host, while running on the same machine. In the case of Intel®, the key enabler is the hardware-level memory isolation introduced by Intel® Software Guard Extensions (SGX), which creates an encrypted partition of the memory.

Intel® Software Guard Extensions (Intel® SGX) brings a hardware root-of-trust and program isolation to commodity processors, enabling handling of sensitive data in a trusted execution environment called secure enclave.

Security Model

Secure enclaves enable running an application so that its contents and the data it handles are completely inaccessible to any other entities. Such “blocked” entities include privileged users on the guest OS, the hypervisor or the host OS itself.

Anjuna Vault Unseal

Running the Vault Unsealing process in an Intel® SGX enclave provides the following guarantees:

  • The Unseal Tokens needed to unseal Vault are securely stored in an encrypted configuration file by leveraging the Intel® SGX Data Sealing capabilities.
  • Unseal tokens are decrypted inside an SGX Enclave, which guarantees protection against any memory scraping attempts.
  • The Anjuna Unseal tool uses TLS to communicate with Vault, ensuring authenticity, confidentiality and integrity of all messages exchanged with Vault. TLS termination inside the secure enclave ensures end-to-end security for the unseal tokens.

After an initial setup to create and encrypt the Vault Unseal configuration file, automating the unsealing process securely is easy:

  • The unseal tokens can be stored encrypted on the file system to perform the Vault unseal operation.
  • Only the Anjuna Unseal tool running in an enclave can decrypt the unseal tokens.
  • The unsealing operation itself is completely secure, since it is running in a secure enclave.
  • Unsealing is performed only when the Vault server is successfully authenticated. The Vault server certificate is pinned and cannot be tampered with, thanks to the integrity protection provided by the secure enclave.
  • The encrypted Vault Unseal configuration file can be left on the host without fear that it could be compromised.
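
The "authenticate the server first, then unseal" ordering from the list above, as an added example that is not Anjuna's code and runs without an enclave. It assumes the pin is the SHA-256 fingerprint of the server certificate (the page does not say what form the pin takes); the function names are illustrative, and `/v1/sys/unseal` is Vault's HTTP unseal endpoint.

```python
import hashlib, hmac, http.client, json, ssl

def pin_matches(cert_der: bytes, pinned_sha256_hex: str) -> bool:
    """Constant-time comparison of the certificate's SHA-256 with the pin."""
    actual = hashlib.sha256(cert_der).hexdigest()
    expected = pinned_sha256_hex.replace(":", "").lower()
    return hmac.compare_digest(actual, expected)

def unseal(host: str, port: int, pinned_sha256_hex: str,
           key_shares: list[str]) -> bool:
    """Send key shares only after the server presented the pinned certificate.
    Returns True once Vault reports that it is unsealed."""
    # Assumption: the pin, not a CA chain, is the trust anchor, so chain and
    # hostname checks are off and the exact certificate is compared instead.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    try:
        conn.connect()                      # TLS handshake; no secret sent yet
        cert_der = conn.sock.getpeercert(binary_form=True)
        if not cert_der or not pin_matches(cert_der, pinned_sha256_hex):
            raise ssl.SSLError("server certificate does not match the pin")
        for share in key_shares:
            conn.request("POST", "/v1/sys/unseal",
                         body=json.dumps({"key": share}),
                         headers={"Content-Type": "application/json"})
            resp = conn.getresponse()
            body = resp.read()              # drain before reusing the connection
            if resp.status != 200:
                raise RuntimeError(f"unseal rejected: HTTP {resp.status}")
            if not json.loads(body)["sealed"]:
                return True
        return False
    finally:
        conn.close()
```

Outside an enclave the pin and the key shares passed to `unseal` sit in ordinary process memory and files, which is the gap the enclave-based tool closes.
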
[1] See Hashicorp Vault Documentation for more information on Vault.