White paper on the secret sharing implementation in Hashicorp’s Vault

Securing a secret, whether it’s a password, sensitive information or a cryptographic key, is hard to get right. Hashicorp’s Vault attempts to remove the headaches by providing simple APIs no matter what form the storage back-end takes. I have just finished a report which looks into part of the implementation of Vault to show the mechanisms used to protect user’s secrets.

The report, which can be found below, also attempts to explain the maths behind one of the schemes used to protect encryption keys in an accessible way.

The Report: Unsealing the Vault

tl;dr

Vault 0.6.0 provides a strong implementation of Shamir’s secret sharing scheme to protect the key(s) used to encrypt sensitive data. Appropriate packages are used for the cryptographic operations and precautions are taken to protect against common attacks. This ranges from the correct use of finite field theory to providing support for encrypting the shares ready for secure transit after generation. Key rotation is also supported for both the encryption key and the master key.

While not all properties of Shamir’s secret sharing scheme have been utilised, the necessary functionality has been provided to keep secrets safe.

Advertisements

One thought on “White paper on the secret sharing implementation in Hashicorp’s Vault

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s