Create a working Vault server configuration Flashcards

1
Q

How do you enable command line auto-completion?

A

vault -autocomplete-install

https://www.vaultproject.io/docs/commands#autocompletion

2
Q

Where should the Vault process be allowed to write?

A

The unprivileged Vault service account should not have access to overwrite its executable binary or any Vault configuration files.

Only directories and files for local Vault storage (eg, for the integrated storage backend) or audit logs should be writable by the Vault user.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

3
Q

Connections to Vault must be encrypted

Where should there be TLS in a Vault infrastructure?

A

Vault should always be used with TLS in production.

If intermediate load balancers or reverse proxies are used to front Vault, TLS should be used for all network connections between every component of the system (including Storage Backends) to ensure all traffic is encrypted in transit to and from Vault.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

4
Q

How can you force Vault to use HTTP Strict Transport Security (HSTS)?

A

HTTP Strict Transport Security (HSTS) header should be set using Vault’s custom response headers feature in the tcp listener.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

5
Q

How can you prevent Vault from swapping sensitive memory to disk?

A

Risk of exposure should be minimized by disabling swap to prevent the operating system from paging sensitive data to disk.

This is especially important when using the integrated storage backend.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

6
Q

How do you prevent a user or administrator who can force a core dump, and who has access to the resulting file, from potentially accessing Vault encryption keys?

A

Preventing core dumps is a platform-specific process; on Linux setting the resource limit RLIMIT_CORE to 0 disables core dumps. In the systemd service unit file, setting LimitCORE=0 will enforce this setting for the Vault service.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

7
Q

Name the various ways to run the Vault process, from most to least secure.

A

Running on bare metal should be preferred to a VM, and running in a VM should be preferred to running in a container.

In any case, single tenancy is preferred.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

8
Q

How should incoming and outgoing TCP/UDP traffic to/from Vault be handled?

A

Use a local firewall or network security features of your cloud provider to restrict incoming and outgoing traffic to Vault and essential system services like NTP. This includes restricting incoming traffic to permitted subnets and outgoing traffic to services Vault needs to connect to, such as databases.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

9
Q

What should you do with the initial root token?

A

The initial root token should be used to set up the system initially, particularly to configure auth methods so that users may authenticate.

Once setup is complete, the root token should be revoked to eliminate the risk of exposure. Root tokens can be generated when needed, and should be revoked as soon as possible.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

10
Q

What can you find in Vault’s audit log?

A

Enabling audit logging provides a history of all operations performed by Vault and a forensics trail in the case of misuse or compromise.

Audit logs securely hash sensitive data, but access should still be restricted to prevent any unintended disclosures.

11
Q

How do you prevent the parameters of past vault commands from being discovered (especially when using a shared account)?

A

You may want the vault command itself to not appear in the shell history at all, with:
export HISTIGNORE="&:vault*"

https://learn.hashicorp.com/tutorials/vault/static-secrets#option-3-disable-all-vault-command-history

12
Q

How does Vault use the current time?

A

Vault uses the clock for things like enforcing TTLs and setting dates in PKI certificates, and if the nodes have significant clock skew, a failover may wreak havoc.

Use NTP or whatever mechanism is appropriate for your environment to ensure that all the Vault nodes agree about what time it is.

13
Q

Vault storage is always encrypted, yet it requires special consideration. Which ones and why?

A

An attacker with arbitrary control can cause data corruption or loss by modifying or deleting keys. Access to the storage backend should be restricted to only Vault to avoid unauthorized access or operations.

14
Q

What credentials can you find in Vault’s configuration?

A

The seal stanza of the Vault configuration file configures the seal type to use for additional data protection such as using HSM or Cloud KMS solutions to encrypt and decrypt the master key.

Many cloud-based storage engines also require authentication.

15
Q

Where should you put Vault’s own credentials, in order from the most secure to the least?

A

Depending on the seal type and storage strategy, you should use the platform’s built-in authentication, environment variables or store them in the configuration file.

16
Q

Which protocol should Vault’s listener use, in production?

A

Vault’s TLS listener supports a variety of legacy algorithms for backwards compatibility.

The use of TLS 1.3 ensures that modern encryption algorithms are used to protect data in transit, and provides forward secrecy.

https://learn.hashicorp.com/tutorials/vault/production-hardening#baseline-recommendations

17
Q

Vault binary packages are signed. How can an attacker introduce malicious code in a Vault ecosystem?

A

You should be mindful of misconfigured or external malicious Vault plugins.

These may harm the security posture of your Vault deployment.

18
Q

What happens if you specify the -config option multiple times on the command line, and how could it introduce a security issue?

A

Configuration files are merged if -config is specified multiple times.

Vault’s configuration file merging is non-deterministic, and inconsistencies in settings between files could lead to inconsistencies in Vault settings.

19
Q

What is the most secure way to control access to Vault, even if you use the root token?

A

Users should never access the machine directly. Instead, they should access Vault through its API over the network.

Use a centralized logging and telemetry solution for debugging. Be sure to restrict access to logs on a need-to-know basis.

20
Q

What is generally the preferred way to upgrade Vault?

A

When upgrading to new versions, new servers with the upgraded version of Vault are brought online. They are attached to the same shared storage backend and unsealed. Then the old servers are destroyed. This reduces the need for remote access and upgrade orchestration which may introduce security gaps.

21
Q

Name three (3) Linux security features that can be used to secure Vault

A

systemd security features
ulimits tweaks
SELinux/AppArmor

22
Q

What is required to leverage the memory lock feature inside a Vault container?

A

To leverage the “memory lock” feature inside the Vault container you will likely need to use the overlayfs2 or another supporting driver.

23
Q

What is the command line to start a rekey operation, so that 5 keys out of 7 are needed to reach quorum?

A

vault operator rekey -init -key-shares=7 -key-threshold=5

24
Q

How do you provide a Shamir shard/key to progress towards quorum?

A

You type vault operator rekey and wait for the prompt to provide your key/shard.

25
Q

How do you decrypt the new keys/shard after a rekey operation?

A

If you specified public keys, each private key holder will be able to decrypt their key on their own. If public keys were not provided, the new keys/shards are displayed in plain text when the last shard is entered.