I’m new to Vault, so forgive me if this question has been asked elsewhere. Vault allows me to store many key/values in a secret engine. In order to retrieve a value for a key I need to provide a token. Presumably, the token is stored in clear text on the server that needs a value for a key. This is very much like a Java keystore (except a keystore is generally a local file). If the token is stored in the clear, then if an attacker gains access to the server they then have access to the token and are therefore able to obtain the key values from the vault. What is the Vault value proposition if the attacker can easily obtain values from the Vault, given that the token is not protected?
You should get familiar with the concept of policies:
There is not just one global token. Tokens are issued in accordance with policies that should explicitly allow access to secrets, but prohibit the rest.
Furthermore, the token does not have to be stored in plain text on the server. And if it were, it could be wrapped beforehand with a response token, meaning it could be additionally protected.
And if you land on the server with the user who has the permissions to read the token, you may “deserve” to get it … just kidding. :D
Thank you for your reply. I completed my homework and now I see how policies can be used to limit the damage of a breach of the key being compromised. So, that helps stem the bleeding.
Response Wrapping of a time-limited token in a cubbyhole also helps by targeting the access of a token to just one client for a limited amount of time. So, it certainly reduces the risk even further but does not eliminate it, because a token is required to unwrap the wrapped token.
I discovered that there is actually a name for this problem - the secret zero challenge!
I found the following article to be pretty good at explaining this. The solution, according to this article, is to obtain the token you need to unwrap from a source that is already trusted.
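The two controls discussed in this thread, a least-privilege policy and cubbyhole response wrapping of a short-lived token, put together as an added example script (not from the thread, and not HashiCorp's own code). It assumes a local Vault dev server reachable through VAULT_ADDR/VAULT_TOKEN with the KV v2 engine mounted at `secret`; the policy name `myapp`, the path `secret/data/myapp/*`, and the stored value are constructed for the demo. The policy-file checks run without a server; the live wrap/unwrap walkthrough is skipped when no `vault` CLI or server is present.

```shell
#!/bin/sh
# Added example: least-privilege policy plus response-wrapped short-TTL token.
# Assumes a dev server; names and values below are constructed for the demo.
set -eu

POLICY_FILE="${POLICY_FILE:-$(mktemp)}"

# 1. A least-privilege policy: read-only on one prefix and nothing else.
#    A token is only as powerful as the policies attached to it, so a stolen
#    token scoped this way exposes one path, not the whole engine.
write_policy() {
  cat > "$POLICY_FILE" <<'EOF'
# Constructed demo policy: read-only on the myapp prefix of the KV v2 mount "secret"
path "secret/data/myapp/*" {
  capabilities = ["read"]
}
EOF
  printf '%s\n' "$POLICY_FILE"
}

# 2. A review check for a policy file: succeed only if no path block grants
#    a capability beyond "read". Pure text check, needs no Vault server.
policy_grants_only_read() {
  ! grep -Eq 'capabilities *= *\[[^]]*"(create|update|delete|sudo|list)"' "$1"
}

# 3. Response wrapping: a trusted party (the "already trusted source") creates a
#    short-TTL token bound to the policy and hands the application only a
#    single-use wrapping token, so no long-lived token sits in the clear.
run_demo() {
  command -v vault >/dev/null 2>&1 || { echo "vault CLI not found; skipping live demo"; return 0; }
  vault status >/dev/null 2>&1 || { echo "no reachable Vault at ${VAULT_ADDR:-unset}; skipping live demo"; return 0; }

  vault policy write myapp "$(write_policy)"
  vault kv put secret/myapp/db password=example-only >/dev/null

  # Trusted side: 10 minute token limited to the myapp policy, delivered
  # inside a cubbyhole response wrap that itself expires after 60 seconds.
  WRAP_TOKEN=$(vault token create -policy=myapp -ttl=10m -wrap-ttl=60s -field=wrapping_token)

  # Application side: unwrap exactly once. A failed unwrap means the wrapping
  # token expired or was already consumed, which is the tamper signal to alert on.
  APP_TOKEN=$(vault unwrap -field=token "$WRAP_TOKEN")
  VAULT_TOKEN="$APP_TOKEN" vault kv get -field=password secret/myapp/db

  # Anything outside the policy is denied even though the token is valid.
  if VAULT_TOKEN="$APP_TOKEN" vault kv get secret/other >/dev/null 2>&1; then
    echo "unexpected: policy did not restrict access"; return 1
  fi
  echo "out-of-policy read correctly denied"
}

run_demo
```

The wrapping token is the one secret that still has to reach the application somehow, which is the "secret zero" the follow-up describes; the script narrows it to a single-use, 60 second artifact rather than a durable credential, and a second unwrap attempt failing is worth alerting on.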