Anjuna Unseal

Anjuna

Secure Hashicorp Vault unseal tokens

HashiCorp Vault is a popular tool for secrets management, encryption as a service, and privileged access management. Organizations use Vault to ensure that secrets are not scattered across multiple places (configuration files, source control systems, scripts) and are accessed only by authorized parties [1]. To protect the secrets, Vault encrypts its data with a master key that is never stored on disk; instead, the key is recreated in memory through a process called unsealing. Rather than storing the master key or handing it to administrators, Vault splits it into multiple key shares from which the master key can be recreated. This process, documented in the Vault Seal/Unseal documentation, ensures that the master key is not kept in any single place (filesystem, database, etc.) and makes it harder to compromise. However, because the master key is not readily available when Vault starts (or when the host reboots), automating a secure Vault deployment becomes difficult: coordinated manual operations are required on every node of a Vault cluster.
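The key-share mechanism described above is threshold secret sharing: any threshold-sized subset of the shares recreates the master key, while fewer shares reveal nothing useful. The following Python example is added here to illustrate that mechanism; it is not Vault's or Anjuna's code. It implements Shamir's scheme over GF(2^8) with the AES reduction polynomial, splits a constructed sample secret into 5 shares with a threshold of 3, and shows that 3 shares reconstruct the secret while 2 do not (the function names, the sample secret and the share parameters are this example's own choices).

```python
import os

# GF(2^8) arithmetic, reduction polynomial x^8 + x^4 + x^3 + x + 1 (0x11b).
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    # In GF(256), a^254 is the multiplicative inverse of a (a != 0).
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(256)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result

def eval_poly(coeffs: list, x: int) -> int:
    # Horner's method; coeffs[0] is the constant term (the secret byte).
    r = 0
    for c in reversed(coeffs):
        r = gf_mul(r, x) ^ c
    return r

def split_secret(secret: bytes, shares: int, threshold: int) -> list:
    """Split `secret` into `shares` shares of which any `threshold` suffice.
    Each share is (x, y) with x in 1..shares and y the same length as the secret."""
    if not (1 < threshold <= shares <= 255):
        raise ValueError("need 1 < threshold <= shares <= 255")
    polys = []
    for byte in secret:
        # One random polynomial of degree threshold-1 per secret byte.
        coeffs = [byte] + list(os.urandom(threshold - 1))
        while coeffs[-1] == 0:            # keep the degree exact
            coeffs[-1] = os.urandom(1)[0]
        polys.append(coeffs)
    return [(x, bytes(eval_poly(p, x) for p in polys)) for x in range(1, shares + 1)]

def combine_shares(shares: list) -> bytes:
    """Recover the secret by Lagrange interpolation at x = 0.
    With fewer than `threshold` shares this returns garbage, not an error."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    length = len(shares[0][1])
    out = bytearray(length)
    for i in range(length):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    num = gf_mul(num, xk)        # (0 - xk) == xk in characteristic 2
                    den = gf_mul(den, xj ^ xk)   # (xj - xk) == xj XOR xk
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out[i] = acc
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample secret standing in for a master key.
    secret = b"constructed-sample-master-key"
    shares = split_secret(secret, shares=5, threshold=3)
    print("3 shares recover:", combine_shares(shares[:3]) == secret)   # True
    print("2 shares recover:", combine_shares(shares[:2]) == secret)   # False
```

The `-key-shares` and `-key-threshold` options of `vault operator init` set the same two parameters for a real Vault cluster. The quiet failure mode in `combine_shares` is the point to notice: an unseal attempt with too few shares does not error out at the mathematics level, which is why Vault tracks unseal progress and why an automated unsealer must hold (and protect) a full threshold of shares.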

The Anjuna Unseal tool for HashiCorp Vault secures the Vault unseal tokens with Azure confidential computing. The unseal tokens are encrypted and accessible only to a secure enclave protected by Intel® Software Guard Extensions (SGX).

Running the Vault Unsealing process in an Intel® SGX enclave provides the following guarantees:

  • The Unseal Tokens needed to unseal Vault are securely stored in an encrypted configuration file by leveraging the Intel® SGX Data Sealing capabilities.
  • Unseal tokens are decrypted inside an SGX Enclave, which guarantees protection against any memory scraping attempts.
  • The Anjuna Unseal tool uses TLS to communicate with Vault, ensuring authenticity, confidentiality and integrity of all messages exchanged with Vault. TLS termination inside the secure enclave ensures end-to-end security for the unseal tokens.