Restrict API and storage access during incident response
Emergency situations or unexpected behavior can arise when operating any software, with Vault being no exception.
Learn how to use critical Vault features with your processes and procedures for swiftly responding to incidents.
Challenge
Operators and responders require features and functionality which effectively support break-glass procedures used in incident response.
When incidents such as credential leakage, intrusion, or denial of service (DOS) attacks occur, timely mitigation is of the essence when supporting business operational goals.
Solution
Learn about and use these two important Vault features which are designed to aid operators in effectively responding to incidents.
Seal: In a typical operation, Vault runs in an unsealed state. However, an operator with sufficient privileges can seal the running Vault at any time. When sealed, the Vault server discards its in-memory key for unlocking data, and is therefore physically blocked from responding to all requests with the exception of status checks and unsealing.
API Lock: (new in v1.9.0) A namespace API lock feature was added to provide more granular access lockout. If an operator does not require that Vault be entirely sealed, they can choose instead to lock only the API on a per-namespace level, and prevent Vault from responding to all but status and unlocking requests.
Prerequisites
To perform all the steps in the hands on scenario, you need:
Vault Enterprise v1.9 or later binary installed in your system path.
- The Install Vault tutorial can guide you through installation.
jq is used to pretty print JSON output examples.
Policy requirements
Note
For the purpose of this tutorial, you can use the root
token to work with Vault. However, it is recommended that root tokens are used for just enough initial setup or in emergencies. As a best practice, use tokens with an appropriate set of policies based on your role in the organization. Unless you are running Vault locally in development mode (-dev
), it is recommended that you authenticate with Vault and acquire a token with an appropriate set of policies based on your role in the organization.
To perform all tasks demonstrated in this tutorial, your policy must include the following permissions:
If you are connecting to a non-development mode Vault server, your token must have a policy with the following permissions:
If you are not familiar with policies, complete the policies tutorial.
Personas
The end-to-end scenario described in this tutorial involves two personas:
operator
with privileged capabilities for sealing and unsealing Vault, along with locking and unlocking API endpoints.driver
uses the username and password auth method enabled within the drivers namespace to authenticate with Vault.
Scenario introduction
As shown at left, when Vault is sealed, all users are affected and unable to use it.
Contrast this with locking the API at the namespace level as shown on the right. Although the drivers namespace within the teams namespace is locked, users in the teams and root namespaces are unaffected by the lock.
You will use terminal sessions to operate a single Vault server with Integrated Storage (Raft), and follow a series of hands-on scenarios to learn how to seal and unseal Vault from the Vault CLI, HTTP API, or web UI.
You will then learn how to lock the Vault API on a per-namespace basis from the Vault CLI or HTTP API with a username and password auth method example.
You can also clean up the scenario environment by using the provided example commands when you are finished learning.
Establish a scenario environment
Make a temporary directory to hold the files created for this scenario, and assign its path to the environment variable LEARN_VAULT.
Create Vault server configuration
Create a minimal configuration for a single Vault server that uses Raft storage.
Start a single Vault server
Open a terminal session and start a Vault server using the configuration that you just created.
The server starts uninitialized and sealed.
Initialize, unseal & authenticate
In another terminal session, export the VAULT_ADDR environment variable to address the Vault server and export the LEARN_VAULT environment variable to define the scenario directory.
For the purpose of simplicity in this tutorial, initialize Vault with 1 key share and a key threshold of 1 and write the output to the file .vault-init
in the project directory.
Successful execution of this command should produce no output.
Export the unseal key value as the environment variable UNSEAL_KEY.
Unseal Vault with the Unseal Key 1 value from the .vault-init
file.
Successful output from unsealing Vault should resemble this example:
Export the initial root token value to the environment variable ROOT_TOKEN.
login with vault login
by passing the Initial Root Token value from the .vault-init
file.
This command should produce no output when successful. If you want to confirm that the login was successful, try a token lookup and confirm that your token policies contain root.
Note
You will use a root token in this scenario for simplicity. However, in actual production environments, root tokens should be closely guarded and used only for tightly controlled purposes. Review the documentation on root tokens for more details.
Successful output should contain the following.
You are ready for the first scenario.
Seal Vault
Vault running in an unsealed state uses the master encryption key to decrypt the encryption key kept in Vault storage that is itself used for encrypting and decrypting secrets in storage. Vault is sealed with the CLI from a terminal session in this example; the master encryption key is discarded from memory, and no further encryption or decryption from storage is possible until Vault is unsealed again.
If an incident such as intrusion or credential leakage occurs, sealing Vault in response is the heaviest tool you can use. The key used to decrypt data will be immediately discarded from memory, and Vault can no longer decrypt anything in its storage until unsealed again.
Note
A sealed Vault is effectively no longer available for normal use. You should keep this in mind particularly when using enterprise replication, as a sealed cluster will no longer be participating in replication. A sealed primary will prevent all secondaries from replicating with it, and a sealed secondary cluster will become out of sync with its primary.
An operator using a token with sufficient capabilities as described in the Policy requirements section can seal Vault with the vault
CLI, the /sys/seal HTTP API or by using, or the Web UI.
(Persona: operator)
Seal your Vault server.
You can check Vault status to confirm.
The output should show that the Sealed value is true.
You can also change to the terminal where you started the Vault server to observe the operational logging. The end of the log should resemble this example.
Note the last line which specifically states core: vault is sealed
; this is the best signal from the logs to you as an operator that Vault is now sealed.
If you attempt to login to Vault now, you'll discover an error like the one shown in this example:
With Vault sealed, an operator must unseal it to restore normal operations.
Note
The examples in this tutorial use the Shamir's Secret Sharing based seal with an unseal key, but in typical production installations, a cloud based automatic seal is used. Keep in mind that when a Vault server using auto unseal is sealed, it will automatically unseal itself if restarted. Use caution when restarting such servers.
Use the unseal key value recorded earlier to unseal Vault in preparation for the next scenario.
(Persona: operator)
Unseal Vault.
Change to the terminal where you started the Vault server to observe the operational logging. The end of the log should resemble this example.
Note the line core: vault is unsealed
.
Vault is now unsealed and ready for normal operations.
Lock API
Vault Enterprise edition 1.9.0 introduced a per-namespace level API lock feature that an operator can use to lock the API for any enterprise namespace.
When the API is locked for a particular namespace, it is also locked for that namespace's descendants.
In this example, the namespace teams was locked by an operator. The drivers namespace is a descendant of teams, and as a result it was also locked. This means that the userpass auth method enabled in the drivers namespace cannot be used.
When the driver user attempts authentication with the userpass method in the drivers namespace, an error about the locked status of the namespace is returned.
Vault blocks all API endpoints from responding to clients operating in a locked namespace or a descendant of a locked namespace with the exception of endpoints for status and unlocking the API lock.
Per namespace API locking provides a more granular tool for incident response that helps the operator to focus on locking one or more namespaces instead of the sealing the entire Vault. The feature is particularly helpful in multi-tenant environments where sealing Vault is too heavy a response that affects all tenants.
If you are unfamiliar with enterprise namespaces, review the Multi-tenancy with Namespaces tutorial.
Create namespaces and enable auth method
(Persona: operator)
Before you try the API lock feature in your Vault server, create two namespaces, a teams namespace and a drivers namespace that is a descendant of teams
.
Create the teams namespace.
Create the drivers namespace as a descendant of the teams namespace.
Enable a username and password auth method in the drivers namespace.
Create a driver user within the drivers namespace.
Test auth method
(Persona: driver)
Test authentication of the driver user with the userpass auth method in the teams namespace.
Successful output resembles this example.
Lock API in drivers namespace
(Persona: operator)
After successfully testing the authentication, login with the root token again.
Lock the API in the drivers namespace.
The unlock key is returned; this key must be used to later unlock the API.
Test auth method again
(Persona: driver)
With the API locked for the drivers namespace, attempt to authenticate as the user driver with the userpass auth method.
A helpful error is returned indicating that the namespace is locked.
Unlock API in drivers namespace
(Persona: operator)
Use the unlock key previously returned to unlock the API in the drivers namespace.
Successful execution results in no output.
Test auth method for the last time
(Persona: driver)
Test the authentication once more to show that the unlock was successful.
With the API locked for the drivers namespace unlocked, attempt to authenticate with the userpass auth method as the user driver.
The result should be a successful login.
Cleanup
If you wish to clean up your environment after completing the tutorial, follow the steps in this section.
Unset the environment variables.
You can stop the Vault server by pressing Ctrl+C where the server is running. Or, execute the following command.
Remove the scenario environment directory.
Summary
You learned about two important features for incident response available in Vault. You learned about sealing an unsealing Vault, a feature available in all Vault editions.
You also learned about per namespace API locking and unlocking, a feature available only in Vault Enterprise editions.