Concerns over using Vault through Cloudflare - is it a lost cause?


I’ve been wrestling with the idea of whether it is wise to allow our Vault HTTP endpoint to be accessed in-line with our Cloudflare configuration.

The cons as I see them:
i) Mandatory TLS inspection, including the payload body.
ii) No way to stop that unless you disable SSL for the entire domain.

I’m learning and reading most of the Vault documentation - but I wonder if anyone could set me on a good path with this issue - and how it could be mitigated. Basically it’s a case of expecting that the TLS connection is not publicly accessible, but it is accessible to Cloudflare - and assuming they can see every request and decrypt it - what can be done?

(Not implying Cloudflare are doing anything malicious, but more just good standards on our part.)

How we ended up doing it for future readers:

The client generates an AES key and uses the public key to wrap it. The server then connects to Vault over a dedicated connection and wraps the private key with the AES secret. The client unwraps the private key.
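An added example of the envelope flow in the last paragraph, written for this page rather than taken from the post or from Vault, using only Go's standard library. Assumptions: the public key used to wrap the AES key is the server's RSA key, which the client has pinned out of band; the "private key" is the secret the server fetched from Vault on its dedicated connection; RSA-OAEP with SHA-256 is used for the key wrap and AES-256-GCM for the secret so that the client also detects modification by anything on the proxied hop. All function names, the OAEP label and the sample secret are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// oaepLabel binds the wrapped key to this purpose (constructed value).
var oaepLabel = []byte("vault-secret-envelope-v1")

// SampleSecret stands in for the private key the server reads from Vault over
// its dedicated connection. Constructed placeholder, not real key material.
const SampleSecret = "-----BEGIN PLACEHOLDER PRIVATE KEY-----\nnot-a-real-key\n-----END PLACEHOLDER PRIVATE KEY-----\n"

// Envelope is the only thing that travels over the Cloudflare-proxied hop.
type Envelope struct {
	WrappedKey []byte // AES-256 key, RSA-OAEP encrypted to the server's public key
	Nonce      []byte // 96-bit AES-GCM nonce
	Ciphertext []byte // secret under AES-256-GCM, 16-byte tag appended
}

// GenerateServerKey is the server's long-lived RSA key; its public half is what
// the client pins out of band (assumption: 2048-bit RSA).
func GenerateServerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ClientWrapKey is step 1: the client makes a fresh AES-256 key and wraps it
// with the server's public key, so only the server can unwrap it.
func ClientWrapKey(serverPub *rsa.PublicKey) (aesKey, wrapped []byte, err error) {
	aesKey = make([]byte, 32)
	if _, err = rand.Read(aesKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, aesKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return aesKey, wrapped, nil
}

// ServerUnwrapKey recovers the client's AES key with the server's private key.
func ServerUnwrapKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, serverPriv, wrapped, oaepLabel)
}

// ServerWrapSecret is step 2: after fetching the secret from Vault, the server
// encrypts it under the client's AES key with AES-GCM. The proxy only ever sees
// ciphertext, and the GCM tag makes any alteration detectable.
func ServerWrapSecret(aesKey, secret []byte) (nonce, ciphertext []byte, err error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, secret, nil), nil
}

// ClientUnwrapSecret is step 3: gcm.Open fails on a single tampered byte.
func ClientUnwrapSecret(aesKey, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// RoundTrip runs the whole exchange and returns the envelope the proxy would
// see plus the secret the client recovered.
func RoundTrip(secret []byte) (Envelope, []byte, error) {
	serverKey, err := GenerateServerKey()
	if err != nil {
		return Envelope{}, nil, err
	}
	clientAES, wrapped, err := ClientWrapKey(&serverKey.PublicKey)
	if err != nil {
		return Envelope{}, nil, err
	}
	serverAES, err := ServerUnwrapKey(serverKey, wrapped)
	if err != nil {
		return Envelope{}, nil, err
	}
	nonce, ct, err := ServerWrapSecret(serverAES, secret)
	if err != nil {
		return Envelope{}, nil, err
	}
	env := Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}
	got, err := ClientUnwrapSecret(clientAES, env.Nonce, env.Ciphertext)
	return env, got, err
}

func main() {
	env, got, err := RoundTrip([]byte(SampleSecret))
	if err != nil {
		panic(err)
	}
	fmt.Printf("proxy sees %d ciphertext bytes; client recovered %d-byte secret\n",
		len(env.Ciphertext), len(got))
}
```

Two caveats the code makes visible: the whole scheme rests on the client holding the genuine server public key (pinned, not fetched through the same proxied hop), and the server's own Vault token and dedicated Vault connection must never cross the proxy either, since that is the layer the thread is trying to keep away from TLS inspection.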