Very very new to Vault and the concepts behind it - but trying to figure out how best to protect Vault from being hacked by someone gaining physical access to a client utilising Vault.
- Client app sitting on a host on the client’s network, contacting a public-facing Vault
- The client’s public IP could change
- The IP could be spoofed by a bad actor
If the client app uses either token or even TLS certs to authorise against Vault, someone with physical access can get hold of the token or cert files and then use them from somewhere else (CIDR restrictions not really useful due to spoofing and/or client public IP changing outside of our control).
Is there a solution to this? I.e. some way that you can protect against physical access to the client?