Skip to content

HashiCorp Vault Unseal Key

Service Name: HashiCorp Vault

Service Description: HashiCorp Vault is a secrets management tool that provides secure storage for sensitive data, encryption as a service, and privileged access management. It allows organizations to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.

Service Address: https://www.vaultproject.io/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured through Vault's access control policies and network segmentation.

Secret Access Scope: Vault unseal keys are used to decrypt the master key that encrypts Vault's data. When Vault is initialized, it generates a master key and splits it into key shares (unseal keys). A certain threshold of these keys must be provided to unseal the Vault and make it operational after startup.

Secret Revokement URL: https://developer.hashicorp.com/vault/docs/concepts/seal#seal-migration

Secret Example: 0b7e1fb79b9cb3c47a8660f8f84a0407f6863c54e27149a90474f7c1b09c48a901

Suspicious Activity Investigation Instructions:

  • Review Vault audit logs for unauthorized unseal attempts
  • Check Vault server logs for unusual seal/unseal operations
  • Monitor for unexpected Vault downtime or restarts
  • Verify the identity of anyone who has recently used an unseal key
  • Review access logs to the physical or virtual environment where unseal keys are stored

  • Check for any policy changes that might have occurred during suspicious

timeframes

Mitigation Instructions:

  • Rotate the unseal keys by re-initializing Vault with the vault operator rekey command
  • Increase the number of key shares and threshold required to unseal
  • Implement Vault auto-unseal using a trusted external service (AWS KMS, GCP KMS, etc.)
  • Review and restrict access to individuals who possess unseal key shares
  • Store unseal keys in separate, secure locations with proper access controls
  • Consider implementing Shamir's Secret Sharing with a higher threshold
  • Update Vault to the latest version if vulnerabilities are discovered
  • Review and tighten Vault's access control policies