Hacker News

My issue with Vault is it has no history. If someone goes in and changes a password from 'foo' to 'bar', I have no way to know it used to be 'foo'. In a production environment where the password might be stored in an internal user database of an application (mysql, rabbitmq, etc.), not having history is a no go.


From https://www.vaultproject.io/docs/audit/

  Because every operation with Vault is an API request/response,
  the audit log contains every interaction with Vault,
  including errors.

  The data...will be hashed with a salt using HMAC-SHA256.

  The purpose of the hash is so that secrets aren't in
  plaintext within your audit logs. However, you're still
  able to check the value of secrets ...by using the
  /sys/audit-hash API endpoint

Does this not cover your use-case?


Is the audit log insufficient? https://www.vaultproject.io/docs/audit/index.html

For security reasons it doesn't include raw secrets, but the hash is enough to tell you if it matches some known value.
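As an added example (not code from the thread or from Vault itself), here is how the audit-log hashing described in the two replies above answers the "was it 'foo' before?" question: a candidate value is HMAC-SHA256'd the way the audit device does and compared against the hashed fields of each log entry. The salt, the log entries and their field layout are constructed for this example; in a real deployment the salt stays inside Vault and you would obtain the candidate's hash from /sys/audit-hash instead of computing it locally.

```python
import hashlib
import hmac
import json

# Constructed salt standing in for the audit device's salt. Vault keeps the
# real salt internally; offline we key the HMAC with it directly (assumption),
# whereas against a live server you would call /sys/audit-hash for the tag.
SALT = "example-audit-device-salt"


def hmac_tag(salt: str, value: str) -> str:
    """Format a value as the audit log does: keyed HMAC-SHA256, hex, prefixed."""
    digest = hmac.new(salt.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"hmac-sha256:{digest}"


def _hashed_values(obj):
    """Yield every string that looks like an audit-log HMAC, at any depth."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from _hashed_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from _hashed_values(v)
    elif isinstance(obj, str) and obj.startswith("hmac-sha256:"):
        yield obj


def find_matches(log_lines, salt: str, candidate: str):
    """Return (time, operation, path) for each entry whose hashed fields
    include the HMAC of `candidate`, i.e. where that value was read or written."""
    wanted = hmac_tag(salt, candidate)
    hits = []
    for line in log_lines:
        entry = json.loads(line)
        if wanted in _hashed_values(entry):
            req = entry["request"]
            hits.append((entry["time"], req["operation"], req["path"]))
    return hits


# Constructed sample audit entries (abridged JSON-lines shape): a read that
# returned the old password, then an update that stored the new one.
SAMPLE_LOG = [
    json.dumps({"time": "2019-01-01T10:00:00Z", "type": "response",
                "request": {"operation": "read", "path": "secret/db/app"},
                "response": {"data": {"password": hmac_tag(SALT, "foo")}}}),
    json.dumps({"time": "2019-01-01T10:05:00Z", "type": "request",
                "request": {"operation": "update", "path": "secret/db/app",
                            "data": {"password": hmac_tag(SALT, "bar")}}}),
]
```

Running `find_matches(SAMPLE_LOG, SALT, "foo")` points at the read of `secret/db/app` that returned the old value, while a guess that never appeared in the log returns an empty list.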


"pass" [1] is a git-based command-line secrets manager and has many third-party GUI, web and mobile app interfaces around.

[1] https://www.passwordstore.org/


Have you integrated it with Vault? Are there any details on doing so?


I've not used it with Vault (I don't know much about Vault) nor in a group, but it basically is a tool for managing a bunch of gpg-encrypted files in a given directory tree, and it uses git for version control and database distribution / synchronisation, and allows for encrypting for multiple GPG recipients. See man page [1], the FILES section especially.

[1] https://git.zx2c4.com/password-store/about/


Haven't done it myself, but I would probably have a git post-receive hook trigger a service (jenkins?) to pull down and decrypt the secret repo and update vault.



