Securing a secret, whether it’s a password, sensitive information or a cryptographic key, is hard to get right. HashiCorp’s Vault attempts to remove the headaches by providing simple APIs no matter what form the storage back-end takes. I have just finished a report which looks into part of the implementation of Vault to show the mechanisms used to protect users’ secrets.
The report, which can be found below, also attempts to explain the maths behind one of the schemes used to protect encryption keys in an accessible way.
The Report: Unsealing the Vault
tl;dr
Vault 0.6.0 provides a strong implementation of Shamir’s secret sharing scheme to protect the key(s) used to encrypt sensitive data. Appropriate packages are used for the cryptographic operations and precautions are taken to protect against common attacks. These range from the correct use of finite field theory to support for encrypting the shares so that they are ready for secure transit after generation. Key rotation is also supported for both the encryption key and the master key.
While not all properties of Shamir’s secret sharing scheme have been utilised, the necessary functionality has been provided to keep secrets safe.
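As an added illustration (not code from the report or from Vault), the sketch below shows Shamir's scheme over a finite field: each secret byte becomes the constant term of a fresh random polynomial, and any `k` shares recover it by interpolating at zero. The field GF(2^8) with the AES reduction polynomial, the share layout (x-coordinate in the last byte) and all function names are assumptions of this example.

```python
import secrets

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return p

def gf_eval(coef, x):
    """Evaluate coef[0] + coef[1]*x + ... at x by Horner's rule."""
    y = 0
    for c in reversed(coef):
        y = gf_mul(y, x) ^ c
    return y

def split(secret, n, k):
    """Return n shares, any k of which recover secret; a share's last byte is x."""
    if not (2 <= k <= n <= 255 and secret):
        raise ValueError("need 2 <= k <= n <= 255 and a non-empty secret")
    # One fresh random degree k-1 polynomial per byte; constant term = the byte.
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    # x runs from 1: evaluating at x = 0 would hand out the secret itself.
    return [bytes([gf_eval(p, x) for p in polys] + [x]) for x in range(1, n + 1)]

def combine(shares):
    """Recover the secret by Lagrange interpolation at x = 0, byte by byte."""
    xs = [s[-1] for s in shares if len(s) > 1]
    if (len(xs) < 2 or len(xs) != len(shares) or 0 in xs
            or len(set(xs)) != len(xs) or len({len(s) for s in shares}) != 1):
        raise ValueError("need >= 2 equal-length shares with distinct nonzero x")
    out = bytearray(len(shares[0]) - 1)
    for s, xi in zip(shares, xs):
        num = den = 1  # Lagrange basis at 0 is prod(xj) / prod(xj + xi), + = XOR
        for xj in xs:
            if xj != xi:
                num, den = gf_mul(num, xj), gf_mul(den, xj ^ xi)
        for _ in range(254):  # divide: den^254 is den's inverse (den^255 = 1)
            num = gf_mul(num, den)
        for pos in range(len(out)):
            out[pos] ^= gf_mul(s[pos], num)
    return bytes(out)

if __name__ == "__main__":
    parts = split(b"constructed master key", n=5, k=3)  # constructed sample secret
    print(combine(parts[:3]), combine(parts[3:]))  # 3 shares recover it, 2 do not
```

Fewer than `k` shares still interpolate to some byte string, so `combine` cannot tell a short quorum from a correct one; detecting that requires a separate integrity check on the recovered key.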