Well-Architected Framework
Protect data at rest
Data at rest is any data you keep in non-volatile storage in your environment. Encrypting data at rest and controlling access to that data are two ways to protect your applications from security threats. Encrypting data at rest can mean encrypting individual files with Pretty Good Privacy (PGP), using server-side features such as Transparent Data Encryption (TDE) in Microsoft SQL Server, or enabling encryption in your storage services such as Amazon S3 or on a physical storage array such as the IBM Storage FlashSystem.
Why should you protect data at rest?
Most people think of securing data while it is in transit or actively in use. However, data needs protection in every phase of its life cycle, including when it is not actively in use: the storage and backup stages. While many people think backup tapes are a thing of the past, tape is still a common backup medium. For example, a major bank lost an unencrypted backup tape containing customers' social security numbers and bank account information. Modern backup processes are vulnerable too: exposed datasets written to cloud storage are now a common industry headline.
Protecting data at rest, like protecting data in transit, requires a defense-in-depth approach so that sensitive data is not readable unless a person or system is authorized to access it. If encryption is applied only in transit, or only at the storage backend, the data is still exposed. Many major online storage services offer encryption, but the service decrypts the data transparently for any caller who authenticates, so storage-side encryption defends against stolen or discarded media and not against an attacker who obtains an account's username and password through common attack vectors such as brute force or phishing. Encrypting the data itself, in addition to enabling encryption in the storage service, and controlling who can obtain the keys are both critical steps to keeping the data secure.
Protect data at rest with Vault
Vault places a security barrier between its API and its storage. The barrier encrypts every entry before it is written to the storage backend using a 256-bit Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM) with 96-bit nonces, so Vault persists only ciphertext regardless of the configured storage type, and the storage backend never sees plaintext. Whenever you use a Vault secrets engine, such as the Key/Value (KV) secrets engine, your data is protected by this barrier. You (or your application) must authenticate with Vault to receive a token whose attached policies authorize access to the paths stored in a secrets engine.
Vault is not designed to hold large volumes of data. Instead, store the data in a database, encrypt the database, and store the encryption key in Vault.
For example, when working with Microsoft SQL Server using Transparent Data Encryption (TDE), the database already encrypts its content with a database encryption key (DEK). Rather than moving all that data into Vault, store the key encryption key (KEK) in Vault. The KEK encrypts the DEK, which in turn encrypts the database content. You can store the KEK as a value in the KV secrets engine, or keep it in the Transit secrets engine, which wraps and unwraps the DEK inside Vault so the KEK itself never leaves Vault's barrier. Either way, Vault protects the most sensitive component (the encryption key) while the database efficiently manages the encrypted data.
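As an added example (not code from this page or from HashiCorp), here is the envelope-encryption pattern the paragraphs above describe, written in Go with the standard library's AES-256-GCM and 96-bit nonces: a per-record data key encrypts the bulk data, a key encryption key wraps the data key, and only the wrapped data key is stored next to the data. The KEK values are generated locally as stand-ins for keys you would read from Vault's KV engine; the Vault read, the record id and the sample row are all constructed for the example. It also shows what the text implies but does not spell out: rotating the KEK re-wraps only the 32-byte DEK and leaves the ciphertext untouched, and a stale KEK (or a ciphertext copied from another record) fails the GCM authentication check instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes returns n bytes from the OS CSPRNG; failure there is unrecoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcmFor(key []byte) (cipher.AEAD, error) { // AES-256-GCM for a 32-byte key
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random 96-bit nonce (the size
// the Vault barrier uses) and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize()) // 12 bytes; a nonce must never repeat under one key
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad makes it fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, fmt.Errorf("sealed blob too short")
}

// Record is what the database persists; the KEK is never stored with it (it lives in Vault).
type Record struct {
	KEKVersion int    // which KEK version wrapped the DEK
	WrappedDEK []byte // DEK sealed under the KEK, AAD = KEK version
	Ciphertext []byte // data sealed under the DEK, AAD = record id
}

// SealRecord generates a per-record DEK, encrypts the data with it, and wraps
// the DEK under the KEK so the plaintext DEK is never persisted.
func SealRecord(kek []byte, kekVersion int, id string, plaintext []byte) (*Record, error) {
	dek := randomBytes(32)
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, []byte(fmt.Sprint(kekVersion)))
	if err != nil {
		return nil, err
	}
	return &Record{KEKVersion: kekVersion, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenRecord unwraps the DEK with the KEK, then decrypts; the record id as AAD stops cross-row copies.
func OpenRecord(kek []byte, id string, r *Record) ([]byte, error) {
	dek, err := open(kek, r.WrappedDEK, []byte(fmt.Sprint(r.KEKVersion)))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, r.Ciphertext, []byte(id))
}

// RewrapRecord rotates the KEK by re-wrapping only the 32-byte DEK, leaving the bulk ciphertext untouched.
func RewrapRecord(oldKEK, newKEK []byte, newVersion int, r *Record) error {
	dek, err := open(oldKEK, r.WrappedDEK, []byte(fmt.Sprint(r.KEKVersion)))
	if err != nil {
		return err
	}
	wrapped, err := seal(newKEK, dek, []byte(fmt.Sprint(newVersion)))
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK = newVersion, wrapped
	return nil
}

func main() {
	kek1, kek2 := randomBytes(32), randomBytes(32) // stand-ins for two KEK versions held in Vault
	rec, _ := SealRecord(kek1, 1, "customer/42", []byte("acct=123456789")) // constructed sample row
	_ = RewrapRecord(kek1, kek2, 2, rec)
	pt, err := OpenRecord(kek2, "customer/42", rec)
	fmt.Printf("after KEK rotation: %q (err=%v)\n", pt, err)
}
```

The KEK version travels as GCM additional authenticated data, so a wrapped DEK cannot be silently replayed under a different version, and the record id does the same for the data ciphertext. In a deployment the KEK in `SealRecord`, `OpenRecord` and `RewrapRecord` comes from a Vault read at the start of the operation and is held only in memory.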
Controlling access to data adds another layer of protection. Vault can secure access to your external data at rest through dynamic credentials: each credential is issued with a lease and a time-to-live (TTL), and Vault revokes it automatically when the lease expires, or sooner when the consumer revokes it. We recommend dynamic secrets for accessing your external data.
For example, you can use Vault to issue your CI/CD pipeline dynamic credentials to an external service, such as a PostgreSQL database. Dynamic secrets let the pipeline access your data at rest for the duration of the run; when the pipeline finishes, Vault revokes the credentials, and the next run receives a fresh pair. A credential captured from an earlier run is therefore already dead by the time an attacker tries to use it.
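To show the issue, use and revoke cycle in code, here is an added example (not from this page and not HashiCorp's client library) of a CI step in Go that talks to two Vault HTTP API endpoints directly with net/http: GET /v1/database/creds/<role> to obtain leased credentials and PUT /v1/sys/leases/revoke to end the lease as soon as the step finishes, whether or not it succeeded. The fakeVault server, the role name ci-role, the token value and the generated usernames are constructed so the example runs offline; against a real Vault you would drop fakeVault and point Addr and Token at your cluster, and the database secrets engine would be configured for your PostgreSQL instance.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"sync"
	"sync/atomic"
)

// DBCreds is the part of Vault's database/creds/<role> response a pipeline needs.
type DBCreds struct {
	LeaseID string                              `json:"lease_id"`
	Data    struct{ Username, Password string } `json:"data"`
}

// VaultClient talks to the two Vault HTTP API endpoints this pipeline uses.
type VaultClient struct {
	Addr, Token string
	HTTP        *http.Client
}

// do sends one authenticated request and decodes a JSON response into out (nil discards it).
func (c *VaultClient) do(method, path string, body io.Reader, out any) error {
	req, err := http.NewRequest(method, c.Addr+"/v1/"+path, body)
	if err != nil {
		return err
	}
	req.Header.Set("X-Vault-Token", c.Token)
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 { // 403 means the token's policies do not allow this path
		return fmt.Errorf("vault %s %s: HTTP %d", method, path, resp.StatusCode)
	}
	if out == nil {
		return nil
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// IssueDBCreds requests a fresh, leased credential pair: GET database/creds/<role>.
func (c *VaultClient) IssueDBCreds(role string) (*DBCreds, error) {
	var creds DBCreds
	return &creds, c.do(http.MethodGet, "database/creds/"+role, nil, &creds)
}

// Revoke ends the lease now (PUT sys/leases/revoke) rather than waiting for its TTL.
func (c *VaultClient) Revoke(leaseID string) error {
	body, _ := json.Marshal(map[string]string{"lease_id": leaseID})
	return c.do(http.MethodPut, "sys/leases/revoke", bytes.NewReader(body), nil)
}

// RunPipelineStep issues credentials, runs work with them, and revokes them whether work failed or not.
func RunPipelineStep(c *VaultClient, role string, work func(user, pass string) error) (lease string, err error) {
	creds, err := c.IssueDBCreds(role)
	if err != nil {
		return "", err
	}
	defer func() {
		if rerr := c.Revoke(creds.LeaseID); rerr != nil && err == nil {
			err = rerr
		}
	}()
	return creds.LeaseID, work(creds.Data.Username, creds.Data.Password)
}

// fakeVault is a constructed stand-in serving only the two endpoints above; it records revoked leases.
func fakeVault(token string) (*httptest.Server, func(lease string) bool) {
	var n atomic.Int64
	var revoked sync.Map
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/database/creds/", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != token {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		i := n.Add(1)
		json.NewEncoder(w).Encode(map[string]any{"lease_id": fmt.Sprintf("database/creds/ci-role/%d", i),
			"data": map[string]string{"username": fmt.Sprintf("v-ci-%d", i), "password": "constructed"}})
	})
	mux.HandleFunc("/v1/sys/leases/revoke", func(w http.ResponseWriter, r *http.Request) {
		var body struct{ LeaseID string `json:"lease_id"` }
		json.NewDecoder(r.Body).Decode(&body) // malformed body just records an empty lease id
		revoked.Store(body.LeaseID, true)
		w.WriteHeader(http.StatusNoContent)
	})
	return httptest.NewServer(mux), func(l string) bool { _, ok := revoked.Load(l); return ok }
}

func main() {
	srv, isRevoked := fakeVault("hvs.constructed")
	defer srv.Close()
	c := &VaultClient{Addr: srv.URL, Token: "hvs.constructed", HTTP: srv.Client()}
	lease, err := RunPipelineStep(c, "ci-role", func(u, _ string) error { fmt.Println("migrating as", u); return nil })
	fmt.Printf("lease %s revoked=%v err=%v\n", lease, isRevoked(lease), err)
}
```

The deferred `Revoke` is the important part: a step that panics out of `work` or returns an error still revokes its lease, so the database user exists only for the seconds the step runs. The non-2xx check in `do` turns a token without the right policy into an explicit error instead of an empty credential struct.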
HashiCorp resources:
- Learn to use Vault dynamic secrets
- Learn to use versioned key/value secrets engine
- Read how to retrieve CI/CD secrets from Vault
- Read the Vault Key/Value (KV) secrets engine documentation
- Enable transparent data encryption for Microsoft SQL with Vault
External resources:
- Bank of New York Mellon Investigated for Lost Data Tape
- What are cloud leaks?
- Advanced Encryption Standard and Galois Counter Mode
- Why you should use ephemeral credentials
Next steps
In this section of how to Secure data, you learned about how to secure and encrypt data at rest using HashiCorp Vault. Protect data at rest is part of the Secure systems pillar.