How to store secrets of a Spring Boot application in HashiCorp Vault securely?

Question

I've read following tutorial:Vault Configuration

Ok we installed the Vault server and put 2 pairs of secret properties:

$ vault kv put secret/gs-vault-config example.username=demouser example.password=demopassword
$ vault kv put secret/gs-vault-config/cloud example.username=clouduser example.password=cloudpassword

Spring boot application has following properties(bootstrap.properties):

spring.application.name=gs-vault-config
spring.cloud.vault.token=00000000-0000-0000-0000-000000000000
spring.cloud.vault.scheme=http
spring.cloud.vault.kv.enabled=true

So based on spring.cloud.vault.token application able to read secure properties(name and password) but spring.cloud.vault.token is stored in the insecure place - bootstrap.properties which is stored in the code repository. Could you please explain why it is safe?

P.S.

As we found out it is insecure. How to make it secure ? I understand that there are might be several solutions to make it secure but single simplified example would be enough for me.

Answer 1

Could you please explain why it is safe?

The answer is that it is NOT safe ... if you do it that way. For example, the Spring Vault reference manual says:

"Consider carefully your security requirements. Static token authentication is fine if you want quickly get started with Vault, but a static token is not protected any further. Any disclosure to unintended parties allows Vault use with the associated token roles."

You should either protect your static tokens, or only grant them access to "secrets" in the vault which you are happy to be widely known.

Alternatively, have your application use an authenticated method to generate short-term dynamic tokens.

---

As I understand initial problem it is bad to store passwords in an application.properties file on Github.

And storing a static Vault token in an application.properties file on Github is equally as bad.

What is the difference ?

There is almost no difference¹. This is simply the wrong way to use Vault.

---

^{1 - There is a small advantage in that you could invalidate the token if you discover it leaked by accident. But this doesn't mean that it is sensible to publish it deliberately.}

---

So how do you do things securely?

First, you MUST secure the machines where the secrets are going to be used. Even if you are not going to store the actual secrets on disk, you will need to store a different secret (securely) on each of your machines so that they can authenticate themselves to the place where the real secrets are kept.

Here is an example using Chef.

1. Set up a secure Chef server that holds the configs for your machines; i.e. recipes for all of the things that need to be installed, node descriptions to say what recipes to apply, etc.

2. When you bootstrap a machine as a node, a keypair is generated for the machine and registered with the Chef server. The keypair is also held on the machine, and has to be held securely.

3. Then you use the Chef client to run the recipes that install and configure your server.

Note that this relies on having a properly secured system to run the Chef server. It also relies on each of the nodes being sufficiently secure to protect their own keys.

There are other ways to do this, but nothing will work if you cannot secure your host sufficiently.