Auto-unseal with transit: manage the token


I use auto-unseal with the transit engine:

  • 1 ‘master’ Vault for the transit engine
  • 3 ‘prod’ HA Vaults for all data

Our recovery keys and unseal keys are in the hands of different ‘important’ people, but we don’t need them often.
We have an operations team to update the ‘prod’ Vaults. But how do you manage the token used by the ‘prod’ Vaults for the transit engine? Is it possible to hide this token from the operations team?
I want it to be easy for them to update the ‘prod’ Vaults, but if they get this token, they can get all the data. It’s stupid.

Thank you

Calling it stupid suggests you’re not interested in meaningful technical discussion, so I will be brief so as to not waste my own time.

Of course it’s impossible to hide secrets from someone with unrestricted admin privileges.

So the answer is that, if your secrets are critical enough that you can’t fully trust any one individual, you don’t give any one individual unrestricted admin privileges, and instead require that multiple people acting together and reviewing each other’s actions must perform all operations that can’t be done via more limited automation.

What is stupid? I’m stupid because I forgot to ‘manage’ this element and it expired during my tests.
You’re not wasting your time when you reply on this Discuss. So thank you.
And, since you replied to my topic about immutable VMs, I don’t think I’m against technical discussions.

This token is critical yes. If I understood correctly, it allows access to the transit engine which allows to decrypt the key which allows to decrypt all the data on the Vault.
So I think answering this question, about best practices to manage this token, is not a waste of time.

So, if someone would like to answer: is there a better approach than to monitor the use of this token?

Thank you
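One concrete way to do the monitoring asked about above, as an added example that is not part of this thread: the script reads Vault file-audit-device JSON entries and flags any request made with the seal token's policy that touches a path other than encrypt/decrypt on the unseal key, or that comes from an address that is not one of the ‘prod’ Vaults. The policy name `autounseal`, the key name, the addresses and the log lines are all constructed for the example; the field layout follows Vault's JSON audit format.

```python
import json

# Constructed sample of Vault audit-device entries (request/response pairs,
# plaintext path and remote_address, policies on the auth block). Values,
# IPs, policy and key names are made up for this example.
SAMPLE_AUDIT_LOG = """\
{"type":"request","auth":{"display_name":"token","policies":["autounseal"],"token_type":"service"},"request":{"operation":"update","path":"transit/encrypt/autounseal","remote_address":"10.0.1.11"}}
{"type":"response","auth":{"display_name":"token","policies":["autounseal"],"token_type":"service"},"request":{"operation":"update","path":"transit/encrypt/autounseal","remote_address":"10.0.1.11"}}
{"type":"request","auth":{"display_name":"token","policies":["autounseal"],"token_type":"service"},"request":{"operation":"update","path":"transit/decrypt/autounseal","remote_address":"10.0.1.12"}}
{"type":"request","auth":{"display_name":"token","policies":["autounseal"],"token_type":"service"},"request":{"operation":"update","path":"transit/decrypt/autounseal","remote_address":"192.168.50.7"}}
{"type":"request","auth":{"display_name":"token","policies":["autounseal"],"token_type":"service"},"request":{"operation":"read","path":"transit/keys/autounseal","remote_address":"10.0.1.11"}}
{"type":"request","auth":{"display_name":"ops-alice","policies":["ops"],"token_type":"service"},"request":{"operation":"update","path":"sys/mounts/kv","remote_address":"192.168.50.7"}}
not json at all
"""

SEAL_POLICY = "autounseal"                      # policy attached to the seal token (assumed name)
ALLOWED_PATHS = {"transit/encrypt/autounseal",  # the only two paths auto-unseal needs
                 "transit/decrypt/autounseal"}
PROD_VAULT_ADDRS = {"10.0.1.11", "10.0.1.12", "10.0.1.13"}  # the three 'prod' nodes


def audit_seal_token(log_text, seal_policy=SEAL_POLICY,
                     allowed_paths=ALLOWED_PATHS, allowed_sources=PROD_VAULT_ADDRS):
    """Return (line, kind, detail) findings for each use of the seal token
    outside its expected path or source, plus unparseable audit lines."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            findings.append((lineno, "unparseable", "audit line is not JSON"))
            continue
        if entry.get("type") != "request":
            continue  # each call is logged twice; inspect the request only
        if seal_policy not in entry.get("auth", {}).get("policies", []):
            continue  # some other token; the seal token is identified by its policy
        req = entry.get("request", {})
        path, src = req.get("path", ""), req.get("remote_address", "")
        if path not in allowed_paths:
            findings.append((lineno, "unexpected-path", f"{req.get('operation')} {path} from {src}"))
        if src not in allowed_sources:
            findings.append((lineno, "unexpected-source", f"{path} from {src}"))
    return findings


if __name__ == "__main__":
    for lineno, kind, detail in audit_seal_token(SAMPLE_AUDIT_LOG):
        print(f"line {lineno}: {kind}: {detail}")
```

In a real deployment the same check would read the audit device's file or syslog stream instead of the embedded sample, and any finding is a prompt to revoke the seal token's accessor and issue a new one.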