What Is a Kubernetes Secrets Vault and Why Do You Need One?
Secrets management is an important topic for organizations of any size. Especially with cloud computing and microservices, we have to take care of more and more secrets. Defining processes around creating and distributing secrets is a challenge. But where do you store all these secrets securely? That’s where secrets vaults come into play. In this post, you’ll learn what secrets vaults actually are and why you should use them.
Where Should You Keep Your Secrets?
The three most popular places where you can keep your secrets these days are your Git repository, your Continuous Integration/Continuous Delivery (CI/CD) system, or a secrets vault.
Git Repository
Storing your secrets in a Git repository is easy but also very insecure. You may be thinking, “But my Git repository is private.” Sure, storing secrets in public repositories would essentially make them very non-secret. But making your repository private doesn’t make your secrets safe. There are a few issues with Git-stored secrets.
First of all, in most cases, many people have access to the company repository. Secondly, by definition, Git is designed to allow collaboration between developers and teams. Therefore, granting access to and forking repositories is quite common.
You may, at some point, simply forget that you have secrets in some repository that you just decided to share with other teams. You may also make the easy mistake of committing to the wrong repository, and your secrets will end up in public instead of a private repository. That’s how many data leaks happen. But also, unless you take extra steps, the secrets in your repository will be stored there in plain text.
CI/CD
The second option is using your CI/CD pipelines to store secrets. This is already a way better solution than using a Git repository. Most modern CI/CD systems have some sort of secrets management systems built in. It could be either just simple “secret” type of variables that you can set, or some more complicated systems that help you to secure your secret along the whole CI/CD process. No matter what your CI/CD system is capable of, the general idea of storing your secrets in a CI/CD system isn’t bad. It’s easy to implement, and it’s relatively secure.
The problem is that it has limited use. You’ll only be able to use it for your deployment purposes. Also, an issue may arise when you decide to change your CI/CD tool. Some companies also allow different teams to use different CI/CD systems, so your security management won’t be consistent.
Secrets Vault
And that brings us to the third option: secrets vaults. As the name suggests, we are talking about a tool that’s specifically designed to take care of your secrets. It’s like a password manager for your infrastructure and application needs. Secrets vaults often come as part of your cloud provider offerings, but you can also install third-party secrets vault on your own. The benefit of using a secrets vault from your cloud provider is that it’s there by default. Therefore, it’s easy to implement, and it usually integrates nicely with other cloud services. On the other hand, third-party vaults may offer more functionality and be a little more flexible, especially if you use multiple cloud providers.
As mentioned before, a secrets vault is a dedicated tool to keep secrets safe. Therefore, by definition, it will be the safest place to keep your secrets. Unlike CI/CD, which usually just hides the secret value, secrets vaults will actually encrypt it using modern and secure encryption algorithms. Good secrets vaults also implement extensive access policies and role-based access control. This ensures that your secrets are secure at rest and access to them is also secured.
Last but not least, a secrets vault can be used with pretty much any type of secret for any use case. You can use a secrets vault not only for your infrastructure and application secrets but any other secrets that need to be safely secured. Also, modern secrets vaults integrate nicely with many libraries and other tools to improve your secrets management processes.
How to Use Secrets Vault
Now that you know what a vault is, let’s discuss how to use it. A secrets vault is a standalone tool, which means you need to install and configure it first. How to do it exactly will depend on which vault you want to use. Cloud provider offerings will usually be easier to start with, sometimes, it will be even just a matter of a few clicks. Third-party vaults will, of course, require a bit more to set them up. But at the end of the day, you do it only once, so it’s not really a big disadvantage.
Once your vault is up and running, you can use it similarly to a personal password manager. This means that you save the secret to a vault, it’s stored there securely, and you can request a value for that secret from the vault whenever necessary. That’s a general process. In practice, you get the most benefits of vault if you use it with integrations and libraries that support it.
Advanced Vault Usage
It’s even possible to use vaults in a way that you won’t even know the password at all. And that’s a good thing. For example, you can auto-generate the password for the database during deployment, save that password to the vault automatically using a library, and then import that password to your application on startup.
You can even take one more step and regenerate the password every time your application restarts. By bypassing the need for a human to manually generate and save a password somewhere, you decrease the risk of secrets exposure.
Summary
A secrets vault is a must for anyone taking security seriously. Not only is using a vault the best way to keep your secrets safe, but it also opens many possibilities when using with libraries and vault integrations.