HashiCorp Vault can be used both for storing encryption keys and database credentials. Using Vault helps ensure that secrets are maintained in a secure and robust way. For both keys and credentials, the JumpWire engine will treat Vault as the source of truth once configured. Restarting or even fully deleting and recreating the cluster will cause credentials to be loaded from Vault without data loss.
Backing up Vault is critical, particularly when storing encryption keys. See the Vault tutorial
for details on how to setup data backups.
Vault is enabled by setting either a token or AppRole ID and secret in the engine at runtime. See the Configuration page for all configuration options.
JumpWire can be configured to use HashiCorp Vault for managing encryption keys. Keys are initially generated in the JumpWire engine and then stored in a Vault KV backend. The next time that the engine starts up, it will retrieve the stored keys from Vault instead of generating new ones.
Authentication with either the AppRole or Token methods are supported. JumpWire needs to have write access to a KV path in Vault. The base path can be configured by setting JUMPWIRE_KV_PATH. Using v2 of the KV secrets engine is recommended.
Since the stored keys allow decryption of any encrypted data without going through JumpWire policies or authorization, the KV paths in Vault should be restricted to a minimal set of allowed administrators.
JumpWire will store encryption keys under the provided path.
The master key is stored at /master_key . A new key will automatically be generated if one is not found. Subkeys are stored under the path /aes_keys.
JumpWire can use dynamically generated credentials from Vault to authenticate to a database being proxied. Databases and roles under the provided mount point are listed and shown in the UI when configuring a new proxy.
The database mount point can be configured by setting VAULT_DB_PATH. Dynamic credentials are generated when a client connects to the JumpWire engine, and automatically renewed at half of the configured TTL - eg setting a 1-hour TTL will cause the credentials to try to renew after 30 minutes.
The role used must have broad permissions on the proxied database to enable in-database encryption. An example role for proxying the user_info database in a PostgreSQL server is shown below:
As an alternative to using generated credentials from Vault, JumpWire can also store static credentials using the Vault KV store. This works almost identically to the encryption key storage described above.
When a Databases is created or updated and the JumpWire engine is set to use static credentials from Vault, the credentials entered in the UI are stored in the Vault KV mount. The mount path can be configured by setting VAULT_KV_PATH.