====== Using Hashicorp Vault for Encryption Secret Management ======

===== Disclaimer =====

The information in this document is provided on an as-is basis. You use it at your own risk. We accept no responsibility for errors or omissions, nor do we have any obligation to provide support for implementing or maintaining the configuration described here. Furthermore, we do not warrant that the design presented here is appropriate for your requirements.

===== Introduction =====

Access Anywhere can use one of two methods to store the secret used for at-rest encryption of files:

  - Access Anywhere maintained secrets in the metadata database
  - Externally maintained secrets in Hashicorp Vault

This guide steps you through the configuration of Hashicorp Vault and Access Anywhere for the second option. Installation of Vault is out of the scope of this document; see [[https://www.vaultproject.io/docs/install/|Hashicorp Vault - Install]].

===== Hashicorp Vault Configuration =====

Once Vault has been installed, you will need to complete the deployment and create the secrets engine for the NAA storage.

==== Deploying the Vault ====

Follow the instructions here: [[https://learn.hashicorp.com/vault/getting-started/deploy|Hashicorp Vault - Deploy]]

==== Initialize your vault ====

<code>
vault operator init

Unseal Key 1: ....
Unseal Key 2: ....
Unseal Key 3: ....
Unseal Key 4: ....
Unseal Key 5: ....

Initial Root Token: s.....

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.
</code>
==== Unseal Vault ====

Using the unseal keys generated above:

<code>
vault operator unseal
</code>

You will need to run this command once for each key share until the vault is unsealed; depending on your vault configuration this may require 3 or more unseal keys. When unsealed, ''vault status'' will show:

<code>
vault status

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
</code>

==== Create Secrets KeyValue Store ====

<code>
vault secrets enable -path=secret/ kv
</code>

===== Access Anywhere Setup =====

==== Enable Key Management System ====

Logged in as the Org. Admin, go to: //Organization > Policies > Key Management Systems//

Select //"Vault"// under //Encryption Key Management System//. Enter the Vault URL and the Root Token, and click //Test Settings//.

If this comes back with an error, check that the URL and Token are correct and that Access Anywhere can connect to Vault successfully. When the test is successful, click //"Set Key Management System"//.

==== Enable Folder Level Encryption ====

Go to //Organization > Policies > Encryption//.

Define a secure passphrase and enter it in //"Encryption phrase to encrypt Team files:"//. This passphrase will be saved in the external vault that you just set up and configured.

From there you can adjust the settings for which folders are encrypted and click //"Update Policies"//.
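A pre-flight check for the Vault side of the //Test Settings// step above, added here as an example and not part of the original page or of the Access Anywhere product: it queries Vault's HTTP API to confirm the server is initialized, unsealed and has the kv engine mounted at ''secret/'', which are the three things the steps above set up. The listener address, the function names and the ''X-Vault-Token'' header usage are this example's assumptions, and the sample responses are constructed.

```python
"""Pre-flight check of a Vault server before pointing Access Anywhere at it.

Queries sys/health and sys/mounts over the Vault HTTP API and reports anything
that would make the Access Anywhere "Test Settings" step fail: Vault sealed or
uninitialized, or no kv secrets engine mounted at secret/.  The names here
(vault_get, check_vault, VAULT_ADDR) are this example's own.
"""
import json
import urllib.error
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: a local Vault listener
SECRET_PATH = "secret/"  # mount created by: vault secrets enable -path=secret/ kv


def vault_get(path, token, addr=VAULT_ADDR):
    """GET a Vault API path, sending the token in the X-Vault-Token header."""
    req = urllib.request.Request(f"{addr}/v1/{path}", headers={"X-Vault-Token": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        # sys/health answers 501 (uninitialized) / 503 (sealed) with a JSON
        # body describing the state, so return that body instead of raising
        return json.load(err)


def check_vault(health, mounts, secret_path=SECRET_PATH):
    """Return the list of problems found; an empty list means Vault is ready."""
    problems = []
    if not health.get("initialized"):
        problems.append("Vault is not initialized: run 'vault operator init'")
    if health.get("sealed"):
        problems.append("Vault is sealed: run 'vault operator unseal' with enough key shares")
    # the mount table sits under "data"; older responses put it at top level
    table = mounts.get("data", mounts)
    mount = table.get(secret_path)
    if mount is None:
        problems.append(f"no secrets engine mounted at {secret_path}")
    elif mount.get("type") != "kv":
        problems.append(f"{secret_path} is a {mount.get('type')} engine, expected kv")
    return problems


# Constructed sample responses, shaped like an initialized, unsealed Vault
# after 'vault secrets enable -path=secret/ kv'.
SAMPLE_HEALTH = {"initialized": True, "sealed": False, "standby": False}
SAMPLE_MOUNTS = {"data": {"secret/": {"type": "kv", "options": {"version": "1"}},
                          "sys/": {"type": "system"}}}
```

Against a live server, ''check_vault(vault_get("sys/health", token), vault_get("sys/mounts", token))'' returns an empty list when the Vault is ready for the //Set Key Management System// step.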