1. 17

  2. 2

    Will this tool be able to replace tools like KeePassX and LastPass? Or is it for something completely different?

    1. 4

      This is something different. KeePassX and LastPass are password managers. Vault is designed to solve the problem of managing secret data in a production infrastructure.

      1. 3

        This is something I see people are starting to understand (from the keywhiz post):

        A microservice architecture rapidly increases the number of secrets. Without a centralized system, secret files can be misplaced, copied, and/or forgotten over time

      2. 1

        Within Vault, data is split into multiple backends. For example, when you write data to secret/foo, it is communicating with a different secret backend than when you read a PostgreSQL credential from postgresql/creds. Each backend is given a restricted view to the backend data. The backend at secret/foo can never access the data at postgresql/creds, for example. This isn’t just an ACL; the backends themselves simply do not have a way to address data from other backends. This ensures that even within Vault there is protection against malicious activity.

        Anyone know how it actually does this? Does it run each backend in a container or VM or process? What is to stop, for example, a backend from walking the memory of the vault process?

        1. 2

          Backends can’t be plugins, meaning they’d have to be accepted via PR into the codebase. The only way to walk the memory space of Go is to use unsafe pointers, and that would be really obvious in a code review. So unless you’re running a fork with custom backends that you wrote that happen to walk memory space with unsafe pointers, your data is going to be safe (from backends within Vault).

          1. 1

            Thanks. IMO the wording is a bit misleading. Backends do have a way to address data from other backends; you just rely on humans not to let that code in. I would have expected a qmail-style architecture where each backend runs in a different process under a different user and communication is only through some sort of I/O channel.

            But Vault looks quite nice. Clean.
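The mount-and-view design quoted above, and the reply's point that the only remaining escape hatch inside one Go process is `unsafe`, can both be made concrete in a small model. The following is an added example written for this thread, not Vault's own code: a router owns the physical store and hands each mounted backend a `StorageView` scoped to its mount prefix, so the backend interface has no parameter through which another mount's keys are reachable. The names (`Router`, `StorageView`, `KVBackend`, `SneakyBackend`) and the sample credential are constructed for illustration; the `..`/leading-slash check is an assumption added so that a normalising physical store could not be tricked either.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Storage is the shared physical store keyed by full path. Only the Router and
// the views it hands out touch it; no backend ever receives a *Storage.
type Storage struct{ data map[string]string }

// StorageView is the whole world as one backend sees it: every key it reads or
// writes is forced under the mount prefix, so "postgresql/creds" requested by
// the backend mounted at "secret/" becomes "secret/postgresql/creds".
type StorageView struct {
	store  *Storage
	prefix string // e.g. "secret/"
}

// ErrBadPath rejects paths that could escape the prefix if the store normalised them.
var ErrBadPath = errors.New("path must be relative with no empty, '.' or '..' segments")

func (v *StorageView) key(rel string) (string, error) {
	if rel == "" || strings.HasPrefix(rel, "/") {
		return "", ErrBadPath
	}
	for _, seg := range strings.Split(rel, "/") {
		if seg == "" || seg == "." || seg == ".." {
			return "", ErrBadPath
		}
	}
	return v.prefix + rel, nil
}

func (v *StorageView) Get(rel string) (string, error) {
	k, err := v.key(rel)
	if err != nil {
		return "", err
	}
	if val, ok := v.store.data[k]; ok {
		return val, nil
	}
	return "", fmt.Errorf("no entry at %q", k)
}

func (v *StorageView) Put(rel, val string) error {
	k, err := v.key(rel)
	if err != nil {
		return err
	}
	v.store.data[k] = val
	return nil
}

// Backend is the entire surface a mounted backend gets: a relative path and a
// scoped view. Reaching other data would require unsafe pointer tricks, i.e.
// code that a reviewer would see, as the reply above says.
type Backend interface {
	Read(view *StorageView, rel string) (string, error)
	Write(view *StorageView, rel, val string) error
}

// KVBackend is a plain key/value backend (stands in for the secret/ mount).
type KVBackend struct{}

func (KVBackend) Read(v *StorageView, rel string) (string, error) { return v.Get(rel) }
func (KVBackend) Write(v *StorageView, rel, val string) error    { return v.Put(rel, val) }

// SneakyBackend models the concern raised above: a backend that tries to reach
// another mount's data through the view. Both attempts fail at the view, not at an ACL.
type SneakyBackend struct{}

func (SneakyBackend) Read(v *StorageView, _ string) (string, error) {
	if s, err := v.Get("../postgresql/creds"); err == nil { // rejected: ".." segment
		return s, nil
	}
	return v.Get("postgresql/creds") // lands at "<prefix>postgresql/creds", a different key
}
func (SneakyBackend) Write(v *StorageView, rel, val string) error { return v.Put(rel, val) }

// Router owns the mount table and is the only component holding the Storage.
type Router struct {
	store  *Storage
	mounts map[string]Backend // prefix -> backend
}

func NewRouter() *Router {
	return &Router{store: &Storage{data: map[string]string{}}, mounts: map[string]Backend{}}
}

func (r *Router) Mount(prefix string, b Backend) { r.mounts[prefix] = b }

// route picks the longest matching mount and builds a view scoped to that prefix.
func (r *Router) route(full string) (Backend, *StorageView, string, error) {
	prefixes := make([]string, 0, len(r.mounts))
	for p := range r.mounts {
		prefixes = append(prefixes, p)
	}
	sort.Slice(prefixes, func(i, j int) bool { return len(prefixes[i]) > len(prefixes[j]) })
	for _, p := range prefixes {
		if strings.HasPrefix(full, p) {
			return r.mounts[p], &StorageView{store: r.store, prefix: p}, strings.TrimPrefix(full, p), nil
		}
	}
	return nil, nil, "", fmt.Errorf("no mount for %q", full)
}

func (r *Router) Write(full, val string) error {
	b, v, rel, err := r.route(full)
	if err != nil {
		return err
	}
	return b.Write(v, rel, val)
}

func (r *Router) Read(full string) (string, error) {
	b, v, rel, err := r.route(full)
	if err != nil {
		return "", err
	}
	return b.Read(v, rel)
}

func main() {
	r := NewRouter()
	r.Mount("secret/", SneakyBackend{})
	r.Mount("postgresql/", KVBackend{})
	_ = r.Write("postgresql/creds", "pg-user:pg-pass") // constructed sample credential
	_, err := r.Read("secret/foo")
	fmt.Println("sneaky backend reading another mount:", err)
}
```

Note what this does and does not show: the isolation is a property of the interface and the prefix-scoped view, so an honest backend cannot even express a cross-mount read, but nothing here stops a backend from importing `unsafe` and reading the process heap; within a single process that line is held by code review, which is exactly the trade-off the last two replies are debating.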