HashiCorp Vault is a popular tool for secrets management, encryption as a service, and privileged access management. Organizations use Vault to ensure that secrets are not scattered across multiple places (configuration files, source control systems, scripts) and are only accessed by authorized parties. To secure the secrets, Vault encrypts its storage with a key that is itself protected by a master key. The master key is never stored on disk; it is reconstructed in memory through a process called unsealing. Instead of storing the master key, or distributing it to administrators, Vault splits it into multiple key shares using Shamir's Secret Sharing, and a configurable threshold of those shares (by default 3 of 5) is enough to recreate the master key. This process, documented in the Vault Seal/Unseal documentation, ensures that the master key does not exist in any single place (filesystem, database, etc.) and makes compromising it considerably harder, since an attacker must obtain a threshold of shares rather than one file. However, because the master key is not available when Vault starts (or when a host reboots), securely automating a Vault deployment becomes difficult: coordinated manual unseal operations are required on every node of a Vault cluster.
The Anjuna Unseal tool for HashiCorp Vault secures the Vault unseal tokens (the key shares described above) with Azure confidential computing. The unseal tokens are encrypted and accessible only to a secure enclave protected with Intel® Software Guard Extensions (SGX) technology, so they can be used to unseal a node automatically without being exposed to the host operating system or its administrators.
Running the Vault Unsealing process in an Intel® SGX enclave provides the following guarantees: