I’m trying to wrap my head around the options that are available to us in a VMware environment. We are currently testing Vault in a 3-node HA environment deployed to a vSphere cluster (with a Consul backend) and would prefer the utility of the auto-unseal feature since we often do routine maintenance on the vSphere hosts.
The problem is I don’t quite understand how any of the existing auto-unseal options fit into the VMware environment. The cloud provider options seem to all rely on instance metadata in order to securely decrypt the master key, which leaves the HSM option (we don’t have one) or using another Vault instance (which just passes the baton down the line).
I tried adapting one of the cloud solutions, AWS KMS specifically, but the only options for providing the necessary IAM credentials are through the filesystem (insecure) or via environment variables. What I don’t really understand is how, theoretically speaking, the IAM credentials don’t then essentially become equivalent to the unseal key(s)? Anyone with the credentials can start Vault and unseal it since the credentials must have decrypt permissions against the KMS key. So, functionally speaking, wouldn’t passing the IAM credentials to Vault via the filesystem or environment variable be equivalent to passing the unseal key(s) in a normal deployment and using something like Bash to automate the unsealing process?
I guess what I’m getting at is it seems the cloud solutions don’t really work for on-premise deployments, which only leaves the option for an HSM. Is that correct?
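For reference, the setup the question describes looks like the following Vault server configuration. This is an added example written for this thread, not configuration from the original post or from HashiCorp; the Consul address, TLS paths, region and KMS key ID are placeholders, and it assumes (per the documented behaviour of the `awskms` seal) that Vault falls back to the standard AWS credential chain when `access_key` and `secret_key` are omitted from the stanza.

```hcl
# Added example config for a Vault node using Consul storage and the awskms seal.
# All addresses, paths and identifiers below are placeholders, not values from the post.

storage "consul" {
  address = "127.0.0.1:8500"   # placeholder: local Consul agent
  path    = "vault/"
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"  # placeholder path
  tls_key_file  = "/etc/vault/tls/vault.key"  # placeholder path
}

seal "awskms" {
  region     = "us-east-1"                             # placeholder region
  kms_key_id = "00000000-0000-0000-0000-000000000000"  # placeholder key id

  # access_key / secret_key are deliberately not set in this file.
  # Assumption: Vault then reads credentials from its AWS credential chain,
  # e.g. AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY in the service's environment.
  # On vSphere there is no instance profile to fall back on, so that credential
  # is exactly the secret the question is asking about.
}
```

Whichever way the credential is supplied, the IAM identity behind it only needs `kms:Encrypt`, `kms:Decrypt` and `kms:DescribeKey` on that single key, so scoping the policy to the one key ARN, restricting it further with a KMS key policy, and monitoring CloudTrail for `Decrypt` calls against that key from unexpected source IPs is where the remaining risk is managed; it does not make the credential any less equivalent to an unseal capability.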