The information in this document is provided on an as-is basis. You use it at your own risk. We accept no responsibility for errors or omissions, nor do we have any obligation to provide support for implementing or maintaining the configuration described here. Furthermore, we do not warrant that the design presented here is appropriate for your requirements.
Access Anywhere can use one of two methods to store the secret used for at-rest encryption of files.
This guide steps you through the configuration of Hashicorp Vault and Access Anywhere for the second option.
Installation of Vault is out of scope for this document; the installation instructions can be viewed here: Hashicorp Vault - Install
Once Vault has been installed, you will need to complete the deployment and create the secrets engine for the NAA storage.
Follow the instructions here: Hashicorp Vault - Deploy
vault operator init
Unseal Key 1: ....
Unseal Key 2: ....
Unseal Key 3: ....
Unseal Key 4: ....
Unseal Key 5: ....

Initial Root Token: s.....

Vault initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of existing unseal keys shares. See "vault operator rekey" for more information.
Using the unseal keys generated above, run:
vault operator unseal
This command will need to be run multiple times before the vault is unsealed; depending on your vault configuration, this may require 3 or more unseal keys (the key threshold shown by the init command above).
When unsealed, you will see:
vault status
Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
vault secrets enable -path=secret/ kv
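The three checks Access Anywhere depends on at this point (Vault initialized, unsealed, and a kv engine mounted at secret/) can be verified from the Vault HTTP API before you go on to the UI steps. The following preflight script is an added example, not part of the Access Anywhere or Vault documentation; it reads VAULT_ADDR and VAULT_TOKEN from the environment (assumed names) and uses Vault's /v1/sys/seal-status and /v1/sys/mounts endpoints.

```python
"""Preflight check for the Vault prerequisites this guide sets up:
initialized, unsealed (Shamir threshold met) and a kv engine mounted at secret/.
Added example; not part of the Access Anywhere or Vault documentation."""
import json
import os
import urllib.request

# Constructed sample responses shaped like Vault's /v1/sys/seal-status and /v1/sys/mounts
SAMPLE_SEAL_STATUS = {"type": "shamir", "initialized": True, "sealed": False,
                      "t": 3, "n": 5, "progress": 0}
SAMPLE_MOUNTS = {"secret/": {"type": "kv", "options": {"version": "1"}},
                 "sys/": {"type": "system"}}


def assess_seal_status(status):
    """Return a list of problems found in a seal-status document; empty means ready."""
    problems = []
    if not status.get("initialized"):
        problems.append("vault is not initialized: run 'vault operator init'")
    elif status.get("sealed"):
        # t = key threshold, progress = unseal keys supplied so far in this attempt
        remaining = status.get("t", 0) - status.get("progress", 0)
        problems.append(f"vault is sealed: {remaining} more unseal key(s) needed")
    return problems


def kv_mount_type(mounts, path="secret/"):
    """Return the engine type mounted at path, or None if nothing is mounted there."""
    data = mounts.get("data", mounts)  # newer Vault versions wrap the mount map in "data"
    mount = data.get(path)
    return mount.get("type") if mount else None


def preflight(seal_status, mounts, path="secret/"):
    """Combine both checks into one list of actionable problems."""
    problems = assess_seal_status(seal_status)
    if kv_mount_type(mounts, path) != "kv":
        problems.append(f"no kv engine at {path}: run 'vault secrets enable -path={path} kv'")
    return problems


def fetch_json(addr, endpoint, token=None):
    """GET a Vault API endpoint; seal-status needs no token, mounts needs one."""
    req = urllib.request.Request(f"{addr}/v1/{endpoint}")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    issues = preflight(fetch_json(addr, "sys/seal-status"), fetch_json(addr, "sys/mounts", token))
    print("ready" if not issues else "\n".join(issues))
```

Run it from the Access Anywhere host so that the connectivity it exercises is the same path the "Test Settings" button will use.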
Logged in as the Org. Admin, go to: Organization > Policies > Key Management Systems
Select “Vault” from Encryption Key Management System.
Enter the Vault URL and the Root Token, then click Test Settings.
If this comes back with an error, check to ensure the URL and Token are correct, and that Access Anywhere can connect to Vault successfully.
When the test is successful, click “Set Key Management System”.
Organization > Policies > Encryption
Define a secure passphrase and enter that in “Encryption phrase to encrypt Team files:”.
This passphrase will be saved in the external vault that you just setup and configured.
From there you can adjust the settings for which folders are encrypted and click "Update Policies".