HashiCorp Vault Unseal Key
Service Name: HashiCorp Vault
Service Description: HashiCorp Vault is a secrets management tool that provides secure storage for sensitive data, encryption as a service, and privileged access management. It allows organizations to securely store and tightly control access to tokens, passwords, certificates, API keys, and other secrets.
Service Address: https://www.vaultproject.io/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured through Vault's access control policies and network segmentation.
Secret Access Scope: Vault unseal keys are used to decrypt the master key that encrypts Vault's data. When Vault is initialized, it generates a master key and splits it into key shares (unseal keys). A certain threshold of these keys must be provided to unseal the Vault and make it operational after startup.
Secret Revokement URL: https://developer.hashicorp.com/vault/docs/concepts/seal#seal-migration
Secret Example: 0b7e1fb79b9cb3c47a8660f8f84a0407f6863c54e27149a90474f7c1b09c48a901
Suspicious Activity Investigation Instructions:
- Review Vault audit logs for unauthorized unseal attempts
- Check Vault server logs for unusual seal/unseal operations
- Monitor for unexpected Vault downtime or restarts
- Verify the identity of anyone who has recently used an unseal key
-
Review access logs to the physical or virtual environment where unseal keys are stored
-
Check for any policy changes that might have occurred during suspicious
timeframes
Mitigation Instructions:
- Rotate the unseal keys by re-initializing Vault with the vault operator rekey command
- Increase the number of key shares and threshold required to unseal
- Implement Vault auto-unseal using a trusted external service (AWS KMS, GCP KMS, etc.)
- Review and restrict access to individuals who possess unseal key shares
- Store unseal keys in separate, secure locations with proper access controls
- Consider implementing Shamir's Secret Sharing with a higher threshold
- Update Vault to the latest version if vulnerabilities are discovered
- Review and tighten Vault's access control policies