Before you start managing your secrets with Vault, the first step is to deploy a Vault cluster. The Day 1: Deploying Your First Vault Cluster track is designed to help you navigate Day 1 operations.
»Vault Deployment Reference Architecture
The Vault Reference Architecture helps you make decisions about how to design your Vault cluster(s) using Consul as the storage backend.
NOTE: Consul provides the durable storage that persists Vault's data, so it is equally important to understand the Consul architecture. Refer to the Consul Reference Architecture guide if you are new to Consul.
»Vault with Integrated Storage Reference Architecture
This guide provides best-practice guidance for Vault deployments that use integrated storage (Raft) as the persistent storage.
The fundamental difference between Vault's integrated storage and Consul is that integrated storage keeps everything on disk, while Consul KV holds everything in memory, which directly drives the host's RAM requirements.
Read the Production Hardening guide to learn the best practices for hardening a Vault deployment in production. Use it to inform your deployment decisions and apply its recommendations wherever possible.
»Vault Deployment guide
The Vault Deployment Guide walks you through the steps to install and configure a single Vault cluster based on the recommended reference architecture. The following steps are described:
- Download the Vault binary
- Install Vault
- Configure the Consul agent
- Configure the Vault server
- Start Vault
NOTE: A Vault deployment of this kind also involves deploying Consul. If you are new to Consul, refer to the Consul Deployment Guide for the details not covered in this guide.
»Vault High Availability with Consul
Unsealing is the process of reconstructing the master key, which is needed to read the decryption key that decrypts Vault's data and so allows access to the Vault. By default, Vault uses Shamir's Secret Sharing algorithm to split the master key into key shares (shards); a configured threshold of key share holders must be present to unseal the Vault server.
Auto-unseal was developed to reduce the operational complexity of keeping the master key secure. The following guides demonstrate auto-unseal using a trusted cloud provider's key management service, or Vault's own Transit secrets engine:
- Auto-unseal using AWS KMS
- Auto-unseal using Azure Key Vault
- Auto-unseal using GCP Cloud KMS
- Auto-unseal using Transit Secrets Engine
Refer to the Vault documentation for more details.
»Disaster Recovery Replication Setup
This feature requires Vault Enterprise Pro or Vault Enterprise Platform.
Every organization needs a disaster recovery (DR) strategy to protect its Vault deployment against catastrophic failure of an entire cluster. The Disaster Recovery Replication Setup guide walks you through the steps to set up DR replication.
»Setting up Performance Replication
This feature requires Vault Enterprise with Multi-Datacenter & Scale module.
When you have multiple datacenters, replicating data across them can improve overall performance.
The Setting up Performance Replication guide steps through activating performance replication as well as managing Vault performance replication.
Also refer to the Monitoring Vault Replication guide.
»HSM Integration - Seal Wrap
This feature requires Vault Enterprise with Governance & Policy module.
If your organization requires Federal Information Processing Standard (FIPS) compliant encryption of its data, integrate Vault with a FIPS 140-2 certified HSM and enable the Seal Wrap feature to protect your data. With seal wrap enabled, Vault wraps your secrets in an extra layer of encryption performed by the HSM.
The HSM Integration - Seal Wrap guide walks you through the following steps:
- Configure HSM auto-unseal
- Enable seal wrap
- Test the seal wrap feature