Vault is a popular and nicely designed secret management system. We maintain a hardened version of Vault that runs with Scone. It addresses the following issues:
Vault keeps secrets in the clear in the main memory. Even if a secret is encrypted when stored externally, they are stored in the clear in main memory, e.g., just before they are sent to a client. An attacker with root access could hence dump the memory of Vault to retrieve the secrets.
Vault's encryption key to read from and to write to the external storage is stored in the main memory. Again, an attacker could dump the memory to gain access to Vault's encryption key.
We maintain a container image registry.scontain.com/sconecuratedimages/apps:scone-vault-latest which
- contains the latest version of Vault (1.5.3),
- runs inside of an SGX enclaves (default is a pre-release enclave),
- on top of Alpine Linux
This protects against dumping of the main memory (- when run in release mode).
This image also contains a demo that you can try out. This demo shows how to set up the configuration of an nginx instance.
To run this demo, you first need to checkout the demo repostiory:
git clone https://github.com/scontain/scone-vault cd scone-vault
cat > docker-compose.yml <<EOF version: '3.2' services: vault: image: sconecuratedimages/apps:vault-1.5.3-alpine-scone5 command: sh -c "cd build_dir && ./start_vault.sh" environment: - VAULT_DEV_ROOT_TOKEN_ID=RootToken volumes: - ./:/build_dir cap_add: - IPC_LOCK scone-vault-nginx: image: sconecuratedimages/apps:nginx-1.14.2-alpine-scone5 environment: - URL="http://vault:8200" - INDEX=nginx - VAULT_ADDR="http://vault:8200" - TOKEN=RootToken command: sh -c "cd build_dir && ./install-deps.sh && ./bench.sh" volumes: - ./:/build_dir depends_on: - vault EOF
Next, try it out by executing:
Please ensure to execute
before starting it with up again.
Note that the script
start_vault.sh is used to start Vault server and inject some secrets used for Nginx.
You can perform the individual steps manually as described below.
Run the demo container using docker-compose:
docker-compose run scone-vault-nginx sh
Go to the deployment directory:
Now, run the benchmark to test if SCONE Vault is setting up the configuration for Nginx.
Integration with SCONE CAS
For added security, we recommend the following to run Vault in a release enclave to prevent attackers from dumping the content of the Vault enclave and to integrate the execution of Vault with SCONE CAS such that
the command line arguments and environment variables are passed to Vault in an encrypted fashion
stdin/stdout/stderr of Vault are encrypted
CAS can pass a TLS private / public key to Vault
the Vault encryption key can be stored by SCONE CAS
Vault's HSM PIN pin can be specified by the VAULT_HSM_PIN environment variable. We can securely set the environment variable with the help of SCONE CAS since SCONE can pass encrypted environment variables to applications.
Please contact us, if you are interested in a setup together with SCONE CAS.