Using Hashicorp Vault for Encryption Secret Management
The information in this document is provided on an as-is basis. You use it at your own risk. We accept no responsibility for errors or omissions, nor do we have any obligation to provide support for implementing or maintaining the configuration described here. Furthermore, we do not warrant that the design presented here is appropriate for your requirements.
SME designs, implements and supports File Fabric Vault solutions for customers on a paid professional services basis. For more information please contact email@example.com
The Enterprise File Fabric can use one of two methods to store the secret used for at-rest Encryption of files.
- File Fabric Maintained Secrets in the Metadata Database
- Externally maintained Secrets in Hashicorp Vault
This guide steps you through the configuration of Hashicorp Vault and the Enterprise File Fabric for the second option.
Installation of Vault is out of scope of this document and can be viewed here: Hashicorp Vault - Install
Hashicorp Vault Configuration
Once the vault has been installed, you will need to complete the deployment and create the secrets engine for the SME storage.
Deploying the Vault
Following the instructions here: Hashicorp Vault - Deploy
Initialize your vault
vault operator init
Unseal Key 1: .... Unseal Key 2: .... Unseal Key 3: .... Unseal Key 4: .... Unseal Key 5: .... Initial Root Token: s..... Vault initialized with 5 key shares and a key threshold of 3. Please securely distribute the key shares printed above. When the Vault is re-sealed, restarted, or stopped, you must supply at least 3 of these keys to unseal it before it can start servicing requests. Vault does not store the generated master key. Without at least 3 key to reconstruct the master key, Vault will remain permanently sealed! It is possible to generate new unseal keys, provided you have a quorum of existing unseal keys shares. See "vault operator rekey" for more information.
Using the Unseal keys generated above:
vault operator unseal
This command will need to be run multiple times before the vault is unsealed, depending on your vault configuration this may be 3 or more unseal keys.
When unsealed you will see
Key Value --- ----- Seal Type shamir Initialized true Sealed false
Create Secrets KeyValue Store
vault secrets enable -path=secret/ kv
File Fabric Setup
Enable Key Management System
Logged in as the Org. Admin, go to: Organization > Policies > Key Management Systems
Select “Vault” from Encryption Key Management System.
You will enter the Vault URL and the Root Token, and click Test Settings.
If this comes back with an error, check to ensure the URL and Token are correct, and that the File Fabric can connect to Vault successfully.
When the test is successful, click “Set Key Management System”.
Enable Folder Level Encryption
Organization > Policies > Encryption
Define a secure passphrase and enter that in “Encryption phrase to encrypt Team files:”.
This passphrase will be saved in the external vault that you just setup and configured.
From there you can adjust the settings for which folders are encrypted and click “Update Policies”