Scone Vault

Vault is a popular and nicely designed secret management system. We maintain a hardened version of Vault that runs with Scone. It addresses the following issues:

  • Vault keeps secrets in the clear in main memory. Even if a secret is encrypted when stored externally, it is held in the clear in main memory, e.g., just before it is sent to a client. An attacker with root access could therefore dump Vault's memory to retrieve the secrets.

  • Vault's encryption key for reading from and writing to the external storage is also kept in main memory. Again, an attacker could dump the memory to obtain Vault's encryption key.

Vault Image

We maintain a container image registry.scontain.com/sconecuratedimages/apps:scone-vault-latest which

  • contains the latest version of Vault (1.5.3),
  • runs inside an SGX enclave (the default is a pre-release enclave),
  • on top of Alpine Linux.

This protects against dumping of the main memory when run in release mode.

Demo

This image also contains a demo that you can try out. This demo shows how to set up the configuration of an nginx instance.

To run this demo, you first need to check out the demo repository:

git clone https://github.com/scontain/scone-vault
cd scone-vault

Next, make sure you have a docker-compose file with the following content:

cat > docker-compose.yml <<EOF
version: '3.2'
services:
    vault:
        image: sconecuratedimages/apps:vault-1.5.3-alpine-scone5
        command: sh -c "cd build_dir && ./start_vault.sh"
        environment:
         - VAULT_DEV_ROOT_TOKEN_ID=RootToken
        volumes:
         - ./:/build_dir
        cap_add:
         - IPC_LOCK
    scone-vault-nginx:
        image: sconecuratedimages/apps:nginx-1.14.2-alpine-scone5
        environment:
         - URL="http://vault:8200"
         - INDEX=nginx
         - VAULT_ADDR="http://vault:8200"
         - TOKEN=RootToken
        command: sh -c "cd build_dir && ./install-deps.sh && ./bench.sh"
        volumes:
         - ./:/build_dir
        depends_on:
         - vault
EOF

Next, try it out by executing:

docker-compose up

Please make sure to execute

docker-compose down

before starting it again with up.

Note that the script start_vault.sh starts the Vault server and injects the secrets used by Nginx.

Details

You can perform the individual steps manually as described below.

Run the demo container using docker-compose:

docker-compose run scone-vault-nginx sh

Go to the deployment directory:

cd /build_dir/

Install dependencies:

./install-deps.sh

Now run the benchmark to check that SCONE Vault has set up the configuration for Nginx:

./bench.sh
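As an added example (not part of the scone-vault repository), the following script runs the manual steps above non-interactively but waits for Vault's health endpoint before starting the benchmark, since depends_on in the compose file only orders container start-up, not service readiness. It assumes curl is available in the container and that VAULT_ADDR is set as in the compose file above.

```shell
#!/bin/sh
# Added helper (not part of the scone-vault repository): runs the demo's
# manual steps but waits for Vault to answer before running ./bench.sh.
set -eu

# Remove one pair of surrounding double quotes. The compose file sets
# VAULT_ADDR="http://vault:8200"; with list-form environment entries the
# quotes can reach the process as part of the value.
strip_quotes() {
    v=$1
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# Build the health endpoint URL from VAULT_ADDR.
health_url() {
    printf '%s/v1/sys/health' "$(strip_quotes "$1")"
}

# Poll the health endpoint up to $2 times (1 s apart). Vault in dev mode
# answers 200 once it is initialized, unsealed and active.
wait_for_vault() {
    url=$(health_url "$1")
    tries=${2:-30}
    i=0
    while [ "$i" -lt "$tries" ]; do
        if curl -fsS -o /dev/null "$url"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    echo "Vault at $url did not become ready after $tries attempts" >&2
    return 1
}

# Run the demo steps only when invoked with "run", so the functions can be
# sourced without side effects (assumed entry point, not the demo's own).
if [ "${1:-}" = "run" ]; then
    cd /build_dir
    ./install-deps.sh
    wait_for_vault "${VAULT_ADDR:-http://vault:8200}"
    ./bench.sh
fi
```

Invoke it inside the scone-vault-nginx container as `sh demo-run.sh run`.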

Integration with SCONE CAS

For added security, we recommend running Vault in a release enclave, which prevents attackers from dumping the contents of the Vault enclave, and integrating the execution of Vault with SCONE CAS so that

  • the command line arguments and environment variables are passed to Vault in an encrypted fashion

  • stdin/stdout/stderr of Vault are encrypted

  • CAS can pass a TLS private / public key to Vault

  • the Vault encryption key can be stored by SCONE CAS

  • Vault's HSM PIN can be specified via the VAULT_HSM_PIN environment variable. SCONE CAS can set this variable securely, since SCONE passes encrypted environment variables to applications.

Please contact us if you are interested in a setup together with SCONE CAS.