Data is encrypted at three levels:
- Inside Vault all data is stored encrypted at field level, preventing even the database's administrator from decrypting the data.
- Data in transit between an application and Vault is protected using TLS.
- The Vault database is encrypted at rest (aka disk-level encryption). This is enforced as part of the deployment.
From the application's perspective, accessing and querying encrypted properties and handling encryption is fully transparent.
Vault manages key provisioning and rotation for the encryption keys.
Key management service
Vault uses a key management service (KMS) to sign and verify the encryption keys used for property encryption and decryption. You must define an Amazon Web Service (AWS) or Google Cloud Platform (GCP) KMS when implementing Vault in the cloud for property encryption to be secure. You can configure AWS KMS and GCP Cloud Key Management to use a Hardware Security Module (HSM) in order to increase the security of your key security and to comply with PCI HSM.
All instances of a Vault system should be configured with the same KMS key, as they all work on the same database and rely on the keys being identical. When using multiple Vaults, it is advisable to use a separate KMS and avoid sharing the same KMS key between different systems.
To configure a KMS, set the
PVAULT_KMS_URI environment variable to the KMS key URI using these patterns:
|KMS||KMS identifier prefix||Key URI format|
Vault must have these permissions to be able to use the KMS:
- Sign keys with the KMS
- Verify keys with the KMS
- Get the KMS public key
These high-level permissions have equivalent policies in AWS and GCP that need to be granted to the AWS or GCP authenticated identity where Vault is running.
For Vault to use AWS KMS, the following IAM policy is required (change the
Resource field to the ARN of your CMK or alias):
It is recommended that you follow the principle of least privilege and limit access to
kms:Decrypt actions on the CMK to only the Vault instances to keep the encrypted data secure. This policy should not be granted to any other principals.
For Vault to use GCP KMS, grant the
roles/cloudkms.cryptoKeyEncrypterDecrypter role to the service account running Vault.
It is recommended that you follow the principle of least privilege and limit access to this role only to the Vault instances to keep the encrypted data secure. This role should not be granted to any other principals.
When Vault is started without an external KMS it uses a built-in hard-coded master encryption key. This is convenient for development and testing purposes but is insecure and must not be used in a production environment that requires property encryption.
The Vault roadmap includes support for controlling rotation parameters, complex queries over encrypted data, bring your own key (BYOK) for multi-tenant applications, and more.