Unsealing with Securosys Approver App
HashiCorp Vault can use a Securosys Hardware Security Module (HSM) to encrypt the unseal key. When an SKA (Smart Key Attributes) approval policy is attached to that key, every decrypt operation on it becomes a decrypt request that is forwarded to the Securosys Approver app. The Approver app looks up the pending tasks (decrypt requests) bound to its own public key and presents them to the approver. While the request is pending, Vault waits for the response; once the decrypt request has been approved, Vault proceeds with the unseal.
The Securosys Approver app is available from Securosys.
```hcl
seal "securosys-hsm" {
  key_label        = ""                       # label of the unseal key in the HSM
  key_password     = ""
  tsb_api_endpoint = "securosys_tsb_api_url"  # Transaction Security Broker (TSB) REST endpoint
  auth             = "TOKEN"
  bearer_token     = "tsb_api_token"
  check_every      = 5                        # seconds between polls of the approval status
  approval_timeout = 200                      # seconds to wait for approval before giving up

  # approver name -> public key exported from the Securosys Approver app
  policy = <<EOF
{
  "the_name_of_the_approver": "the_public_key_from_Securosys_approver_app"
}
EOF
}
```
If key_label is not defined, the key is generated in the Hardware Security Module (HSM).
To start using the Approver app, edit your config.hcl and adjust the seal stanza, including its policy field, as shown in the snippet above.
When you start the HashiCorp Vault Community Edition for the first time and initialize it, the approval request appears in your Securosys Approver app. To initialize Vault, open a shell in your Docker container (for example with docker exec) and run: vault operator init
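The approval flow described above, with the check_every and approval_timeout settings from the seal stanza, can be modelled end to end. The following is an added example written for this page; it is not Securosys, HashiCorp or TSB code, and the MockTSB task/request interface, the placeholder approver keys and the rule that every approver named in the policy must approve (the real quorum is set by the SKA policy on the key) are assumptions made for the simulation.

```python
"""Model of the approval-gated unseal: Vault side, a stand-in TSB, and the
Approver app.  Constructed example; the task/request API is an assumption,
not the real TSB REST API."""
import itertools
import json
from dataclasses import dataclass

# Policy body as it would appear inside the seal stanza's policy heredoc.
# Names and public keys are placeholders, not real keys.
POLICY_HCL_BODY = """
{
  "ops-lead": "pubkey-ops-lead-placeholder",
  "security-officer": "pubkey-security-officer-placeholder"
}
"""


def parse_policy(policy_body: str) -> dict:
    """Policy maps approver name -> approver public key; refuse an empty policy."""
    policy = json.loads(policy_body)
    if not policy:
        raise ValueError("seal policy must name at least one approver")
    return policy


@dataclass
class DecryptTask:
    task_id: int
    approver_pubkey: str
    status: str = "PENDING"  # PENDING | APPROVED | REJECTED


class MockTSB:
    """Stand-in for the TSB: one decrypt request fans out into one task per approver."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.tasks = {}     # task_id -> DecryptTask
        self.requests = {}  # request_id -> [task_id, ...]

    def create_decrypt_request(self, policy: dict) -> int:
        request_id = next(self._ids)
        self.requests[request_id] = []
        for pubkey in policy.values():
            task = DecryptTask(next(self._ids), pubkey)
            self.tasks[task.task_id] = task
            self.requests[request_id].append(task.task_id)
        return request_id

    def pending_tasks_for(self, pubkey: str) -> list:
        """What an Approver app sees: only tasks bound to its own public key."""
        return [t for t in self.tasks.values()
                if t.approver_pubkey == pubkey and t.status == "PENDING"]

    def set_task_status(self, task_id: int, status: str) -> None:
        self.tasks[task_id].status = status

    def request_status(self, request_id: int) -> str:
        statuses = {self.tasks[i].status for i in self.requests[request_id]}
        if "REJECTED" in statuses:
            return "REJECTED"
        if statuses == {"APPROVED"}:   # assumption: all named approvers must approve
            return "APPROVED"
        return "PENDING"


class ApproverApp:
    """Polls the TSB for its own pending tasks and records the approver's decision."""

    def __init__(self, tsb: MockTSB, pubkey: str):
        self.tsb, self.pubkey = tsb, pubkey

    def poll_and_decide(self, decision: str = "APPROVED") -> list:
        handled = []
        for task in self.tsb.pending_tasks_for(self.pubkey):
            self.tsb.set_task_status(task.task_id, decision)
            handled.append(task.task_id)
        return handled


def wait_for_unseal_approval(tsb, request_id, check_every, approval_timeout, on_tick):
    """Vault side: re-check every check_every seconds, give up after approval_timeout
    seconds.  Time is simulated; on_tick(elapsed) replaces a real sleep()."""
    elapsed = 0
    while True:
        status = tsb.request_status(request_id)
        if status == "APPROVED":
            return "UNSEALED"
        if status == "REJECTED":
            return "SEALED"        # a rejected decrypt leaves Vault sealed
        if elapsed >= approval_timeout:
            return "TIMEOUT"       # no decision within approval_timeout
        elapsed += check_every     # stands in for time.sleep(check_every)
        on_tick(elapsed)


def simulate(approvers_act_at, decision="APPROVED", check_every=5, approval_timeout=200):
    """One unseal attempt where every approver decides at approvers_act_at seconds."""
    policy = parse_policy(POLICY_HCL_BODY)
    tsb = MockTSB()
    approvers = [ApproverApp(tsb, pubkey) for pubkey in policy.values()]
    request_id = tsb.create_decrypt_request(policy)

    def on_tick(elapsed):
        if elapsed >= approvers_act_at:
            for app in approvers:
                app.poll_and_decide(decision)

    return wait_for_unseal_approval(tsb, request_id, check_every, approval_timeout, on_tick)


if __name__ == "__main__":
    print("approved at 30s:", simulate(30))              # UNSEALED
    print("rejected at 30s:", simulate(30, "REJECTED"))  # SEALED
    print("no answer      :", simulate(500))             # TIMEOUT
```

Two things worth noticing when tuning the stanza: an approval that lands exactly at the approval_timeout boundary is still accepted, but anything later leaves Vault in the timed-out state and the unseal must be retried, and a single Approver app never sees or acts on tasks bound to another approver's public key, so every approver named in the policy has to respond before the request completes.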