Vault is our encryption management service. It handles the full lifecycle of encrytion keys and allows you to encrypt and decrypt secrets. It does not store the secrets themselves.

Vault compiles to a single binary that can be run inside a container and requires an s3 compatible storage backend to store data.

Features

  • Encryption: Encrypt and decrypt secrets
  • Key Management: Supports multiple keyrings, key rolling and secret re-encryption.
  • HTTP API: Exposes an HTTP API via buf connect to interact with the service.

Flow

Q/A

Why does vault not store secrets?

Putting all of your secrets alongside with the encryption keys opens up a security risk. If an attacker gains access to the system, they can easily decrypt all of the secrets. By separating the encryption keys from the secrets, we can ensure that even if the attacker gains access to one system, they still can’t do anything.

  • Encrypted secrets are stored in our main database.
  • Encryption keys are encrypted and stored by vault.
  • Only vault can decrypt the encryption keys and never hands out encryption keys to the outside world.

Why a container and not cloudflare workers?

This once again comes down to caching

Was this page helpful?

ErrorsProfiling