vault-operator icon indicating copy to clipboard operation
vault-operator copied to clipboard

Published 20 hours ago verified publisher icon coreos

Auto unseal vault

Open raoofm opened this issue 7 years ago • 5 comments
trafficstars

Vault can be auto unsealed by using the keys from aws kms. See #307. Credentials can be passed via kube2iam or via accessKey/SecretKey pair.

raoofm avatar Apr 20 '18 19:04 raoofm

I would like to have someone build a design doc on how we can do this based on kubelet identity and Kubernetes secrets instead of using kube2iam. This will ensure good security and generic application across cloud providers.

philips avatar Apr 23 '18 06:04 philips

I'll make myself familiar with kubelet identity and will start on the doc. Is there a sample?

raoofm avatar Apr 23 '18 18:04 raoofm

A number of projects already seek to do this, it looks like the 2nd and 3rd on this list are the most promising: https://github.com/tallpauley/vault-unsealer/blob/master/docs/comparison.md

jacohend avatar Apr 23 '18 22:04 jacohend

This functionality is provided in Vault Enterprise, supporting a number of external cryptography sources for automatic unsealing.

ncorrare avatar Apr 27 '18 05:04 ncorrare

Hashicorp released auto-unseal to the OSS version: https://www.vaultproject.io/docs/configuration/seal/index.html

nicgrayson avatar Dec 18 '18 20:12 nicgrayson