Open-source software vendor HashiCorp is getting into the security business with the initial release of the Vault project. HashiCorp is best known for its DevOps tools, particularly its widely used open-source Vagrant application that enables developers to reproduce developer environments easily.
The Vault project is a new open-source tool aimed at safely and securely storing secrets. Those secrets include passwords, security certificates, API keys and tokens. The idea of a security secrets manager is not new, said Kevin Fishner, director of customer success at HashiCorp. In fact, key and secret managers, such as Venafi or Hardware Security Modules (HSMs), are the main competition for Vault, he said.
“The main Vault differentiator is key rolling and key leasing,” Fishner told eWEEK. “Keys have a short period of usability and have strict permissions, so even in the event of a compromise, the attacker’s time and surface area windows are drastically limited.”
In modern IT infrastructure, many organizations will tie their secrets to some form of identity or access control system, such as Microsoft’s Active Directory or a Lightweight Directory Access Protocol (LDAP) system.
“We have no direct integration with LDAP systems; however, Vault could be used to manage the keys for those identity/access systems,” Fishner said. “Unique keys can be generated per user and provide an audit log for all accesses.”
The technology for Vault is not really built “from scratch,” but rather integrates existing technologies in a practical and novel way, he said.
One such example is the use of Shamir’s Secret Sharing. “By default, Vault uses a technique known as Shamir’s Secret Sharing algorithm to split the master key into 5 shares, any 3 of which are required to reconstruct the master key,” the Vault project documentation states.
Although Vault is able to handle multiple types of secrets, in the initial release, the system does not act as a Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate authority (CA). A CA is a core security component to help ensure the integrity and authenticity of SSL/TLS certificates used to secure Web data traffic.
“Vault will be a certificate authority system,” Fishner said. “The feature set isn’t in v0.1, but the plan is to add it in later versions.”
Vault can be deployed as an independent system, which the applications and services in an organization’s architecture use for access control, he said.
“In terms of the DevOps lifecycle, Vault should be a foundational aspect deployed with any architecture you want to keep secure,” Fishner said. “Too often, security is an afterthought in application lifecycle management.”
HashiCorp has been busy in recent months building out a broad vision for DevOps lifecycle technologies. In December, the company announced that it raised $10 million through a Series A round of funding.
HashiCorp’s open-source tools include Vagrant for development, Packer for code packaging and Teraform for code deployment. HashiCorp is also building out its Atlas software-as-a-service commercial tool for running and managing the entire software development process.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
