I’m learning Vault to see if I’d like to use it in my service. My main question about Vault is: how does it advance the security of credentials?
I understand that managing credentials in one place is good and I see it has fancy functions.
But in my case, I’m considering using it to replace the .env file on my web server.
The .env file is vulnerable when access to my server is somehow snatched by an attacker. The attacker can access the filesystem and then get all the credentials.
Let’s say I’m going to introduce Vault into my system.
- Then all the credentials in the .env file will be moved to Vault.
- My server will only hold, in its filesystem, the credential it uses to access Vault. Let’s call this credential Foo.
- There should be a process that initializes all credentials before starting the service, retrieving them from Vault using Foo.
So if an attacker can get Foo from the filesystem, then all credentials are at risk anyway. I don’t see the benefit of using Vault from a security standpoint.
Please correct me if I got something wrong.
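The bootstrap step the question describes (log in to Vault with the on-disk credential, pull the secrets, hand them to the service without ever writing them to disk), as an added example that is not part of the original post and not HashiCorp's own client code. It talks to Vault's HTTP API with only the Python standard library, using the AppRole login endpoint and the KV v2 read endpoint. Everything else is an assumption made for illustration: the role_id/secret_id pair plays the part of "Foo", the secrets live at `secret/data/myapp`, the Vault address is `http://127.0.0.1:8200`, and the `FakeVault` class is a constructed stand-in (with an AppRole role assumed to be configured with `secret_id_num_uses=1`) so the code runs offline. The transport is injected so the same logic runs against either the fake or a real server.

```python
"""Vault-backed bootstrap, added example (not from the original post).

Assumptions (all for illustration): AppRole auth with role_id on disk and a
single-use secret_id delivered at deploy time; app secrets in KV v2 under
secret/data/myapp; FakeVault is a constructed stand-in for a Vault server.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Transport signature: (method, url, json_body, vault_token) -> decoded JSON body.
Transport = Callable[[str, str, Optional[dict], Optional[str]], dict]


def urllib_transport(method: str, url: str, body: Optional[dict], token: Optional[str]) -> dict:
    """Real transport: one JSON request to Vault's HTTP API, no third-party client."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def approle_login(t: Transport, addr: str, role_id: str, secret_id: str) -> Tuple[str, int]:
    """POST /v1/auth/approle/login -> (client_token, lease_duration in seconds)."""
    resp = t("POST", f"{addr}/v1/auth/approle/login",
             {"role_id": role_id, "secret_id": secret_id}, None)
    return resp["auth"]["client_token"], int(resp["auth"]["lease_duration"])


def read_kv2(t: Transport, addr: str, token: str, mount: str, path: str) -> Dict[str, str]:
    """GET /v1/<mount>/data/<path> (KV v2) -> the stored key/value pairs."""
    resp = t("GET", f"{addr}/v1/{mount}/data/{path}", None, token)
    return dict(resp["data"]["data"])


def build_env(t: Transport, addr: str, role_id: str, secret_id: str,
              mount: str = "secret", path: str = "myapp") -> Tuple[Dict[str, str], int]:
    """The init step from the post: log in, fetch secrets, return them as env vars.
    Nothing touches the disk; the caller hands the dict to the service process."""
    token, ttl = approle_login(t, addr, role_id, secret_id)
    secrets = read_kv2(t, addr, token, mount, path)
    env = {k.upper(): str(v) for k, v in secrets.items()}
    env["VAULT_TOKEN"] = token  # short-lived; the service can renew or re-read before ttl
    return env, ttl


def exec_service(argv, extra_env: Dict[str, str]) -> None:
    """Replace this process with the service, passing secrets only via its environment."""
    os.execvpe(argv[0], argv, {**os.environ, **extra_env})


class FakeVault:
    """Constructed stand-in for a Vault server so the example runs offline.
    Assumes the AppRole role was created with secret_id_num_uses=1, so a
    secret_id copied out of the deploy pipeline authenticates at most once."""

    def __init__(self) -> None:
        self.role_id = "role-1234"
        self.unused_secret_ids = {"sid-abcd"}
        self.tokens = set()
        self.kv = {"secret/myapp": {"db_password": "hunter2", "api_key": "k-9"}}
        self.audit = []  # every request recorded, as a Vault audit device would

    def __call__(self, method, url, body, token):
        self.audit.append((method, url, token is not None))
        if url.endswith("/v1/auth/approle/login"):
            if body["role_id"] != self.role_id or body["secret_id"] not in self.unused_secret_ids:
                raise PermissionError("403 permission denied")
            self.unused_secret_ids.discard(body["secret_id"])  # consumed on first use
            tok = f"hvs.tok{len(self.tokens) + 1}"
            self.tokens.add(tok)
            return {"auth": {"client_token": tok, "lease_duration": 3600}}
        if token not in self.tokens:
            raise PermissionError("403 permission denied")
        mount_path = url.split("/v1/", 1)[1].replace("/data/", "/", 1)
        return {"data": {"data": self.kv[mount_path]}}


def demo():
    """Run the bootstrap against the fake server; returns (server, env, ttl)."""
    vault = FakeVault()
    env, ttl = build_env(vault, "http://127.0.0.1:8200", "role-1234", "sid-abcd")
    return vault, env, ttl


if __name__ == "__main__":
    server, env, ttl = demo()
    print(sorted(env), ttl)
    # Against a real server: build_env(urllib_transport, addr, role_id, secret_id)
    # followed by exec_service(["/usr/bin/myservice"], env).
```

Against a real Vault you would swap `FakeVault` for `urllib_transport` and pass a role_id read from disk plus a secret_id injected at deploy time; the two halves of "Foo" then never sit together on the filesystem, the secret_id stops working after its first use, the resulting token expires after `lease_duration`, and every read shows up in Vault's audit log.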