Skip to content

katvio/vault-secure-enclave

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
NOTES.txt
NOTES.txt
 
 
README.md
README.md
 
 
config.hcl
config.hcl
 
 
enclaver.yaml
enclaver.yaml
 
 
entrypoint.sh
entrypoint.sh
 
 
generate-cert.sh
generate-cert.sh
 
 

Repository files navigation

Run Hashicorp Vault in a Nitro Enclave

Courtesy of Enclaver.

Security Benefits:

  • Automatic unsealing only possible from the trusted enclave image
  • Impossibility of introspecting or reconfiguring the environment inside the enclave
  • No shell access to the enclave
  • Cryptographic attestation ensures Vault only unseals in a known trusted state.
  • Use of AWS KMS for auto-unsealing, with policies that ensure only the genuine Vault image running in an enclave can access the unseal key.

TODO:

  • Network Segmentation: The current setup uses --net=host, which gives the container full access to the host's network stack.
  • Stop using a privileged container (--privileged flag)
  • IaC: Terraform + Ansible
  • Better manage initial secrets: stop to handle manually sensitive information like KMS key IDs and Vault tokens
  • integrating with a proper certificate authority (not self-signed)
  • Improve Vault internal Configuration (auth, ACLs, etc)
  • TLS everywhere (consul etc)
  • backup and restore procedures for the Vault data.
  • HA multi-node Vault
  • Monitoring and Logging
  • external identity providers

About

Run HashiCorp Vault inside an AWS Nitro Enclave

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages