The steps for configuring HashiCorp Vault Enterprise KMIP for use with VAST are well documented in the HashiCorp Vault Enterprise documentation.
https://developer.hashicorp.com/vault/tutorials/enterprise/kmip-engine
ℹ️ Info
Hashicorp Vault Enterprise is required in order to enable the KMIP Secrets Engine and thus to integrate with VAST as an External Key Manager at this time.
ℹ️ Info
At this time, Hashicorp Vault Enterprise does not offer a client/key browser of any kind. The data and metadata of the KMIP secrets engine are only available via the KMIP protocol.
Customers should first follow the https://developer.hashicorp.com/vault/tutorials/policies/policies tutorial to ensure that the Vault token being used is properly scoped to perform the KMIP tasks in this guide. Configuring Vault from scratch is outside the scope of this integration guide.
Example policy document from the Vault KMIP Guide:
# Work with kmip secrets engine
path "kmip/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
# Enable secrets engine
path "sys/mounts/*" {
  capabilities = [ "create", "read", "update", "delete", "list" ]
}
# List enabled secrets engine
path "sys/mounts" {
  capabilities = [ "read", "list" ]
}
Beginning Integration
This guide picks up at the “Enable and configure the KMIP secrets engine” step of the Hashicorp KMIP tutorial. Steps are numbered for the Web UI version of that tutorial.
Open a web browser, navigate to the Vault UI and then login.
Select Enable new engine.
Select KMIP from the list, and then click Next.
Click Enable Engine to complete. This sets the path to be kmip.
The “Path” is determined by the Vault Administrator. It is not used in VAST’s integration, so any value is acceptable. It is not necessary to create a separate KMIP Secrets Engine for VAST, as a single KMIP endpoint can be partitioned using Scopes later.
Why would you want to use multiple Secrets Engines? Different Secrets Engines can receive different listening IP addresses or ports. If the Vault Administrator needs to partition based on network address, consider using multiple Secrets Engines.
Select the Configuration tab, and then click Configure.
Set the Listen addrs value to 0.0.0.0:5696, and leave the rest as their default values.
Collect the Listen addrs chosen for VAST’s use. If 0.0.0.0:5696 is chosen, then collect all of the IP addresses that Hashicorp Vault is configured to use.
It is acceptable for the Vault Administrator to create a DNS name in their DNS service to point to the relevant addresses. Unlike VAST, there is no functionality within Vault to serve the DNS name dynamically, so care must be taken to ensure DNS names are kept updated.
VAST: A few entries here to note:
VAST prefers RSA keys used for the TLS Client Key and the TLS CA Key, however EC keys are fine as well, if this KMIP Secrets Engine is used for other purposes.
KMIP is not a high-traffic protocol, so higher security settings are generally recommended, as the overhead will be negligible. Setting TLS Client Key bits and TLS CA Key bits to 4096 is therefore best practice.
“Server Hostnames” is a list of DNS names that the server’s certificate will receive. If DNS is being used, ensure all possible DNS names that the KMIP server will use are listed here.
The default value shown in “Default TLS Client TTL” is 14 days. This is just the default. Since VAST does not automatically periodically refresh the client TLS certificate, it may be desirable to set this to a higher value, such as 397 days. When setting TTL, be sure to double-check that the “days” unit is selected. It’s very easy to accidentally set it for 397 seconds.
Click Save.
Click Download CA cert and save it as ca.pem for this demonstration. This will be used in the VAST integration later. FYI: Certificate Authority certificates are not typically considered secret material because they only contain a Public Key, not a Private Key.
Create scopes and roles
In the UI, select kmip under Secrets.
Select Create a scope.
Enter finance in the Name field, and click Save.
VAST Note: The scope name is again not used in VAST’s integration, but the Vault administrator should consider naming the scope in some way that references the VAST cluster, such as with the same name of the specific VAST Cluster this scope will be applied to.
Select the newly created scope, and click Create a role.
Enter accounting in the Name field. “Allow this role to perform all operations” should be enabled.
VAST Notes:
The Role name is again not used in VAST’s integration. Using a name such as “Cluster KMIP Access” may be advised, to differentiate the Role from one that may be created later with different permissions, such as to only browse keys.
For Allowed operations, simply ensure that “Allow this role to perform all operations” is checked. Since VAST should be the only user of this Scope, there is no risk of “blast radius” to keys or other KMIP objects that are used by another service.
If for security/compliance purposes, it is required to lock this down as much as possible:
Managed Cryptographic Objects, Object Attributes, and Server: Select all operations.
Other: Select “Get Attribute List”. “Encrypt”, “Decrypt”, “Modify Attribute”, “Query”, and “Register” are not used today, but will likely be needed for future enhancements to KMIP integration in VAST, so they are highly recommended.
Another section for TLS certificate configuration is present here. It is highly recommended to choose:
TLS Client Key bits: 4096
TLS Client Key type: RSA
TLS Client TTL: 397 days
When setting TTL, be sure to double-check that the “days” unit is selected. It’s very easy to accidentally set it for 397 seconds.
Click Save.
Client certificate generation
Under Secrets, select kmip > Your Scope > Your Role in the UI.
Select Generate credentials.
The Certificate format is set to pem.
Click Save.
Select Copy certificate to copy the generated certificate. Save it in a file named cert.pem.
The Client Certificate is not sensitive.
Click the copy to clipboard icon to copy the private key. Save the copied private key in the cert.key file.
The Private Key is sensitive information. Keep it secret, keep it safe.
Select Back to role and notice that the serial number of the client certificate you just generated is listed. Copy the serial number.
VAST: Integration does not use the serial number. In the guide, this is kept in order to show the process for revoking a certificate.
VAST Configuration
KMIP may be configured at cluster deployment time or, on VAST 5.4 or later, during normal operation. If KMIP integration occurs after deployment, the cluster must already have encryption enabled before KMIP can be configured.
VAST requires:
KMIP IP Address(es) and Ports (e.g. vaultkmip.example.com:5696)
Client Certificate
Client Key
CA Certificate
These can be entered directly into the VMS.
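Before the three files are entered into the VMS, it is worth confirming that they are the ones Vault was expected to produce. The following POSIX shell script is an added example, not part of the VAST or HashiCorp documentation: `check_kmip_creds` (a hypothetical name) uses the openssl CLI to confirm that cert.pem chains to ca.pem, that cert.key is the private key for cert.pem, that the client key is RSA of at least 4096 bits as recommended above, and that the certificate is not about to expire, which is exactly what happens when the TTL is accidentally entered as 397 seconds instead of 397 days. `make_demo_creds` builds a constructed, throwaway CA and client certificate so the script can be tried without a Vault server; it is an assumption for demonstration only and stands in for the files Vault generates.

```shell
#!/bin/sh
# Added example (not VAST or HashiCorp code). Requires the openssl CLI.
#
# check_kmip_creds CA_PEM CERT_PEM KEY_PEM [MIN_DAYS] [MIN_BITS]
#   Prints one line per check; returns 0 only if every check passes.
check_kmip_creds() {
  ck_ca=$1; ck_cert=$2; ck_key=$3
  ck_min_days=${4:-30}    # a TTL entered as "397 seconds" fails this check
  ck_min_bits=${5:-4096}  # key size recommended in the guide
  ck_status=0

  # 1. The client certificate must chain to the CA certificate downloaded from Vault.
  if openssl verify -CAfile "$ck_ca" "$ck_cert" >/dev/null 2>&1; then
    echo "ok   : certificate chains to $ck_ca"
  else
    echo "FAIL : certificate does not verify against $ck_ca"; ck_status=1
  fi

  # 2. The private key must belong to the certificate (compare derived public keys).
  ck_cert_pub=$(openssl x509 -in "$ck_cert" -noout -pubkey 2>/dev/null)
  ck_key_pub=$(openssl pkey -in "$ck_key" -pubout 2>/dev/null)
  if [ -n "$ck_cert_pub" ] && [ "$ck_cert_pub" = "$ck_key_pub" ]; then
    echo "ok   : private key matches certificate"
  else
    echo "FAIL : private key does not match certificate"; ck_status=1
  fi

  # 3. Key type and size: RSA with at least MIN_BITS.
  #    Works with both "RSA Public-Key: (N bit)" (OpenSSL 1.1) and "Public-Key: (N bit)" (OpenSSL 3).
  ck_text=$(openssl x509 -in "$ck_cert" -noout -text 2>/dev/null)
  ck_bits=$(printf '%s\n' "$ck_text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
  if printf '%s\n' "$ck_text" | grep -q 'Public Key Algorithm: rsaEncryption' \
     && [ -n "$ck_bits" ] && [ "$ck_bits" -ge "$ck_min_bits" ]; then
    echo "ok   : RSA key, $ck_bits bits"
  else
    echo "FAIL : expected RSA key of at least $ck_min_bits bits (found ${ck_bits:-unknown})"; ck_status=1
  fi

  # 4. Validity: -checkend succeeds only if the certificate is still valid MIN_DAYS from now.
  if openssl x509 -in "$ck_cert" -noout -checkend $((ck_min_days * 86400)) >/dev/null 2>&1; then
    echo "ok   : certificate valid for at least $ck_min_days more days"
  else
    echo "FAIL : certificate expires within $ck_min_days days (TTL set in seconds instead of days?)"; ck_status=1
  fi

  return $ck_status
}

# Constructed demo material (assumption, not Vault output): a throwaway CA plus a
# client certificate signed by it. Arguments: client key bits, client validity in days.
# Prints the directory that holds ca.pem, cert.pem and cert.key.
make_demo_creds() {
  md_bits=${1:-4096}; md_days=${2:-397}
  md_dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 400 \
    -subj "/CN=demo-vault-kmip-ca" -keyout "$md_dir/ca.key" -out "$md_dir/ca.pem" >/dev/null 2>&1
  openssl req -new -newkey "rsa:$md_bits" -nodes -sha256 \
    -subj "/CN=demo-vast-cluster" -keyout "$md_dir/cert.key" -out "$md_dir/cert.csr" >/dev/null 2>&1
  openssl x509 -req -in "$md_dir/cert.csr" -CA "$md_dir/ca.pem" -CAkey "$md_dir/ca.key" \
    -set_serial 1 -days "$md_days" -sha256 -out "$md_dir/cert.pem" >/dev/null 2>&1
  echo "$md_dir"
}

# Usage:  sh check_kmip_creds.sh ca.pem cert.pem cert.key   (real files from Vault)
#         sh check_kmip_creds.sh --demo                      (constructed material)
case "${1:-}" in
  --demo) demo=$(make_demo_creds)
          check_kmip_creds "$demo/ca.pem" "$demo/cert.pem" "$demo/cert.key"
          rm -rf "$demo" ;;
  "")     ;;  # no arguments: only define the functions
  *)      check_kmip_creds "$1" "$2" "$3" ;;
esac
```

Run the script with the real ca.pem, cert.pem and cert.key before pasting them into the VMS; every line should read `ok`. A `FAIL` on the validity check is the usual sign of the seconds-versus-days mistake described above, and a `FAIL` on the key match means the key and certificate came from different Generate credentials runs.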

KMIP settings in VMS