Vault on offline desktop PC


I need to solve a problem of local password storage on a computer. It is possibly not connected to the internet, but still filled with unique passwords and secrets of all sorts that need to be served to various applications running on that PC.

I was told Vault can be used for that purpose. However, I have only been able to find Vault executables for desktop Windows that only provide a CLI for a Vault server backend. Does that mean that I would need to run a Vault server on the PC in order to get the whole service up and running? And, as an aside, that also means that I would need to unseal the server every time the PC is restarted, which means user interaction every time?

Could anyone please confirm my conjectures or show me a simpler way to achieve it?

Thanks a lot.

Is this a server running always-on services that begin as soon as the machine starts, or a desktop machine where a user just needs secrets for some of the applications they might use during their day-to-day work?

If it is the second, it sounds like Vault might not be the best fit. Instead, a password manager application or service might suit you better. Often they have integration with web browsers to auto-fill passwords, etc., which is pretty handy.

Hi Stuart,

It is something in between. The PC is part of an industrial machine (and has several more LAN connections to further boards within the machine, accessible via SSH keys or username/password), is regularly restarted (too often to consider it a server) and provides a UI for the industrial machine's functionality. However, the UI app needs to access some of the extra boards to get them working as per the user requirements set via the UI app, and it needs to know how.

Ideally, the user should be abstracted from the whole secret management, as they only need to know how to work with the UI app, nothing else.

Does that still fit Vault use cases?

Thank you.

The two main issues you will face are:

  1. Authenticating every time the machine restarts. You need to have some way of entering the decrypt key (which is true for any secret system, not just Vault).

  2. Getting the secrets into the application. Presumably you aren’t able to modify the applications, so how would you enter the details (would a user have to just copy and paste?)

What is it you are trying to protect against? If the machine is sitting in a less secure area, then it sounds like you need to look at physical security and access control (people have to log in in some way before they can do things, instead of just moving the mouse or starting to type).

If you are worried about the machine being stolen, maybe a full-disk encryption tool might be useful?

Could you describe what you see as currently being “broken” and what you are trying to prevent/protect against?
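As an added illustration of the first issue above (not code from this thread or from HashiCorp), this is roughly what "entering the decrypt key after every restart" looks like for a Vault server using its default Shamir seal. It assumes the `vault` binary is on `PATH`, that the server process has already been started (for example as a Windows service) and is listening on `127.0.0.1:8200`, and it uses a made-up secret path (`secret/boards/board1`) purely as an example. The point it demonstrates is the caveat in the post: the key shares have to be typed in by a person, because reading them from a file on the same disk puts the decrypt key next to the data it protects.

```powershell
# Added example: unseal a locally running Vault server after a reboot.
# Assumptions: vault.exe on PATH, server already running, default Shamir seal.
$env:VAULT_ADDR = "http://127.0.0.1:8200"

# 'vault status' exits non-zero while the server is sealed; don't let that abort the script.
$status = vault status -format=json 2>$null | ConvertFrom-Json

if (-not $status.sealed) {
    Write-Host "Vault is already unsealed."
    return
}

# 't' is the Shamir threshold: that many distinct key shares are needed after every restart.
Write-Host "Vault is sealed; $($status.t) of $($status.n) key shares are required."

for ($i = 1; $i -le $status.t; $i++) {
    # The share has to come from a human at this point. Reading it from a file on the
    # same machine would recreate the "hardcoded secret" problem the thread is trying to avoid.
    $secure = Read-Host -Prompt "Enter unseal key share $i of $($status.t)" -AsSecureString
    $bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try {
        $share = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Each call submits one share; the JSON reply reports progress and whether the seal is open.
    $status = vault operator unseal -format=json $share | ConvertFrom-Json
    $share  = $null
    if (-not $status.sealed) { break }
}

if ($status.sealed) {
    Write-Error "Vault is still sealed after $($status.t) shares; check the key shares."
} else {
    # Only now can an application read a secret; the path below is a hypothetical example.
    Write-Host "Vault unsealed. An application could now run, for example:"
    Write-Host "  vault kv get -field=password secret/boards/board1"
}
```

Running this at boot means someone must be at the console for every restart, which is the user interaction the original question was asking about; auto-unseal alternatives move that trust to a KMS or HSM rather than removing it.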

Yes, that is, in my opinion, the main problem with running Vault locally on an offline PC. But I’m trying to see whether it is the only problem.

Actually, we own the applications and can easily modify them, so that is not a problem. The problem is to set up some sort of local service that keeps the secrets reasonably secure and provides them to the applications when they need them, preferably via some API.

The whole problem has arisen due to SB-327. Hitherto, passwords had been hardcoded or lying around in config files. Now, all must be unique and strong enough, but the apps still need to know them and currently don’t have a proper way to. We are not trying to fully secure against a rogue user (even though we’d like to keep them away from the secrets); we are rather looking for ways to get the apps working with little to no user interaction, and to build in at least some hurdles to put off a script kiddie, just in case.

But perhaps this is already off-topic :)

Kind regards

Unless you have a good form of authentication on a per-user basis, you will still in effect have “hardcoded or lying-around secrets” regardless of the system you are using to store them.

As soon as you are logged into Vault or a password manager, you have access to every secret your permissions allow. So if you just authenticate when the machine starts and then people can freely use the machine without extra authentication (they can just start typing without logging in, etc.), there would be nothing stopping those secrets from being obtained. That is not really much different from looking in a config file on the machine.

Vault is really designed more for the multi-user, multi-application, multi-system scenario where it is centrally hosted. Normally you’d then have systems connecting to it which are themselves servers with no or minimal usage from direct users.

Perfect, that is the description I have been looking for.

My takeaway is therefore that Vault is not well suited to running a secret retrieval service in an offline PC scenario, running on Windows alongside other applications. (Or rather, it might be tweaked into it, but it’d be a hassle.) Am I right?

Thank you for your insights.