Vault Security Model Integrity

I am reading the Vault Security Model page and am stuck on the following

> The overall goal of Vault’s security model is to provide [confidentiality, integrity, availability, accountability, authentication].

I cannot seem to find any documentation on how Vault ensures integrity.

Example: I store a secret in the KV Secrets Engine. It is encrypted and access to it is guarded by using authentication and every request can be tracked using an audit device. I save a hash of the secret and store it in my application for comparison in the future.

How can I make sure that the secret has not been tampered with from Vault itself or otherwise?

How does Vault ensure the integrity of the stored data?


As far as I know there is nothing for this, or well, “this depends”. The only direct assurance there is belongs (to my knowledge) to data in transit or the enterprise transit engine with FF3-1 encryption.

To explain my “this depends”: the data on your storage is encrypted, which means that before it can be changed it first has to be decrypted.
For this the attacker needs:

  1. Access to the encrypted data
  2. The encryption key (which is made harder to obtain through Shamir’s Secret Sharing technique)
  3. Write access to the backend. The same document also states that with this, the integrity of data may be compromised.

With all of this combined I would say that you can ensure integrity on some level.


You can track the changes to secrets using audit logs. You can’t see the secret, but with a trace of the logs you can see the request for the change.
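Putting the two ideas in this thread together as an added example (not code from Vault or from anyone in the thread): the application keeps its own keyed tag over the secret, using an HMAC instead of a plain hash so the tag can only be recomputed with a key the app holds outside Vault, and verifies it on every KV read; a second helper picks out modifying operations on the secret's path from audit-device lines. The KV v2 response, the audit lines and the key are all constructed samples, and the path `secret/data/app/db` is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed sample key, held by the application (HSM/KMS), never stored in Vault.
INTEGRITY_KEY = b"app-side-integrity-key-example"

# Constructed sample of a KV v2 read response shape (data.data holds the secret).
SAMPLE_READ = {"data": {"data": {"password": "s3cr3t", "user": "svc"},
                        "metadata": {"version": 1}}}

# Constructed sample audit-device lines (one JSON object per line) for the same path.
SAMPLE_AUDIT = [
    json.dumps({"time": "2024-01-01T10:00:00Z", "type": "response",
                "auth": {"display_name": "token-ci"},
                "request": {"operation": "read", "path": "secret/data/app/db"}}),
    json.dumps({"time": "2024-01-01T10:05:00Z", "type": "response",
                "auth": {"display_name": "userpass-alice"},
                "request": {"operation": "update", "path": "secret/data/app/db"}}),
]

def canonical(data: dict) -> bytes:
    """Deterministic serialization so the tag does not depend on key order."""
    return json.dumps(data, sort_keys=True, separators=(",", ":")).encode()

def make_tag(data: dict) -> str:
    """HMAC-SHA256 over the canonical secret; kept by the app, outside Vault."""
    return hmac.new(INTEGRITY_KEY, canonical(data), hashlib.sha256).hexdigest()

def verify_kv_read(kv_response: dict, expected_tag: str) -> bool:
    """Recompute the tag over data.data and compare in constant time."""
    return hmac.compare_digest(make_tag(kv_response["data"]["data"]), expected_tag)

def writes_to_path(audit_lines: list, path: str) -> list:
    """(time, operation, display_name) for audit entries that modify `path`."""
    modifying = {"create", "update", "delete", "patch"}
    hits = []
    for line in audit_lines:
        entry = json.loads(line)
        req = entry.get("request", {})
        if req.get("path") == path and req.get("operation") in modifying:
            hits.append((entry["time"], req["operation"],
                         entry.get("auth", {}).get("display_name")))
    return hits

if __name__ == "__main__":
    tag = make_tag(SAMPLE_READ["data"]["data"])  # computed when the secret was written
    print("intact:", verify_kv_read(SAMPLE_READ, tag))
    print("writes:", writes_to_path(SAMPLE_AUDIT, "secret/data/app/db"))
```

A failed tag check tells you the value changed, not who changed it; the audit trail for the same path is where that answer lives.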