Can't figure out how to protect Vault from a hack

Background

Very very new to Vault and the concepts behind it - but trying to figure out how best to protect Vault from being hacked by someone gaining physical access to a client utilising Vault.

Scenario

Client app sitting on host on client’s network contacting public facing Vault
IP of client’s public IP could change
IP could be spoofed by bad actor

Confusion!

If the client app uses either token or even TLS certs to authorise against Vault, someone with physical access can get hold of the token or cert files and then use them from somewhere else (CIDR restrictions not really useful due to spoofing and/or client public IP changing outside of our control).

Solution?

Is there a solution to this? I.E. someway that you can protect against physical access to the client?

Hi @dcgsteve, welcome to the community. I’d recommend checking out the security model in our docs for some detailed discussion on this topic.

I think what you’re getting at is closely related to “secure introduction”, and the level of protection you require will depend on your threat model. Vault has a fairly wide selection of auth methods, and some of them allow single-use secrets such as AppRole, and Vault Enterprise has support for MFA, but in general I think physical access to the client is quite a difficult scenario to defend against because auth methods rely on possessing some initial secret material that they can exchange with Vault to prove their identity. If an attacker has that same secret material, then they can spoof the real client.

Finally, it’s worth mentioning an incomplete set of defence in depth layers you may also want to consider:

  • Restrictive ACL policies to limit blast radius of breaches
  • Dynamic secrets where possible to limit duration of breaches
  • Audit logging to enable alerting and retrospective action
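As an added example (not code from this thread, from HashiCorp's docs or from the original poster), here is a Terraform configuration for the Vault provider that puts the layers named above together: an AppRole whose SecretID is single-use and short-lived, short-lived tokens, a least-privilege policy, and a file audit device. The role name `client-app`, the KV path `secret/data/app/config`, the CIDR `203.0.113.0/24` and the audit log path are assumptions chosen for illustration.

```hcl
# Added example, not from the thread. Assumes the Vault provider is
# configured, AppRole will be mounted at auth/approle, and a KV v2 mount
# exists at "secret". All names and paths below are illustrative.

resource "vault_auth_backend" "approle" {
  type = "approle"
}

# Least privilege: the client can read exactly one path and nothing else,
# so a stolen token or SecretID only exposes that one secret.
resource "vault_policy" "client_app" {
  name   = "client-app"
  policy = <<EOT
path "secret/data/app/config" {
  capabilities = ["read"]
}
EOT
}

resource "vault_approle_auth_backend_role" "client_app" {
  backend        = vault_auth_backend.approle.path
  role_name      = "client-app"
  token_policies = [vault_policy.client_app.name]

  # Single-use SecretID: the first login consumes it, so a copy lifted from
  # the client's disk after that login is worthless. It has to be delivered
  # fresh for each deployment (secure introduction) rather than kept on the
  # host long-term. TTL values are in seconds.
  secret_id_num_uses = 1
  secret_id_ttl      = 600

  # Short-lived tokens bound the window in which a stolen token is usable.
  # The client renews its token (rather than logging in on every request),
  # so a 5-minute TTL does not cost a login every few seconds.
  token_ttl     = 300
  token_max_ttl = 1800

  # Extra layer only: as the thread notes, CIDR binding is weak when the
  # client's public IP changes or cannot be trusted, so do not rely on it.
  token_bound_cidrs = ["203.0.113.0/24"]
}

# Audit every request so a stolen credential being used from an unexpected
# source address, or at an unexpected rate, can be alerted on and revoked.
resource "vault_audit" "file" {
  type = "file"
  options = {
    file_path = "/var/log/vault/audit.log"
  }
}
```

The caveat from the reply above still applies: none of this stops an attacker who holds the unused SecretID or a live token at the moment they take the machine. What it does is make the stolen material expire quickly, limit what it can reach, and leave a trail in the audit log.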

Thanks for the info @tomhjp - am working slowly through the docs :)

The slight difficulty is that the app is in theory processing requests every few seconds, possibly more often - so I need to weigh security against performance (as the Vault is remote). Fun fun!

Ok - managed to confirm that if someone manages to get on to the physical machine with privileged access then we are no longer responsible for the outcome … although obviously we will try and obscure information as much as possible :)