
I've been going through the Vault documentation and I'm still not sure I understand correctly which approach to take for my problem.

Imagine having an entity called Example. It has multiple fields, such as name, created, etc., and amongst these are fields which are sensitive, such as password and secret_key.

import java.util.Date;

import javax.persistence.Convert;
import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;

@Entity
@Table(name = "example")
public class Example {
  // JPA requires an identifier on every entity
  @Id
  @GeneratedValue
  private Long id;

  // plain columns, stored in the clear
  private String name;
  private Date created;

  ...

  // sensitive columns, passed through a JPA AttributeConverter on every write and read
  @Convert(converter = SomeConverter.class)
  private String password;
  @Convert(converter = SomeConverter.class)
  private String secretKey;
}

This entity is stored in an SQL database (e.g. PostgreSQL). Now my goal is to have the password secure (hence the converter class), but the rest of the data not.

Is it possible to store the entity data in the DB while keeping the sensitive data stored in Vault (in whatever storage is behind it)? So when I'd be loading the entity, the entity data would be loaded from the DB and the sensitive data from Vault.

Or would the correct (and only viable) approach be to just use the encryption/decryption converter from Vault and store it in the same database? And limit this with authentication with Vault.

I'm just confused about whether Vault in general should only be used for static secrets in this case.

TilenA
    So basically what you can do is to: 1. Store everything in Vault or 2. just the necessary things, then you can go for the `VaultRepository`: https://docs.spring.io/spring-vault/docs/2.2.2.RELEASE/reference/html/#vault.repositories or 3. don't store any of the info in Vault but everything in another store and use Vault's Transit Encryption Service: https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-transit But that all really depends on the use case. – daniel.eichten May 05 '20 at 10:23
  • Doesn't Vault Repository allow you to do those operations on the whole class, and not just part of the entity? – TilenA May 06 '20 at 04:27
  • Let's say my goal is to move sensitive data of existing entities/classes (which are already getting encrypted using @Convert, but not by best standards - key is in the source code) to a more secure location (vault), or encrypt them using the vault. Maybe using EaaS would be good enough? Since from what I understand Vault is better used for secrets (such as keys) and not specifically whole objects - not all of the data in the entities is sensitive. – TilenA May 06 '20 at 04:32
  • In this case I'd use EaaS from Vault using the `VaultTemplate` and store the encrypted and unencrypted attribute in a classic database. – daniel.eichten May 06 '20 at 08:05
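The approach the comments converge on (option 3: keep the row in PostgreSQL, let Vault's Transit engine do the encryption) can be dropped straight into the @Convert slots of the question's entity. The following is an added example, not code from the question or from Spring Vault's documentation. It assumes a Transit key named example-fields, a dev Vault on localhost:8200 reachable with a static token, and uses only the Spring Vault 2.x API (VaultTemplate, VaultTransitOperations.encrypt/decrypt):

```java
import javax.persistence.AttributeConverter;
import javax.persistence.Converter;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultTransitOperations;

/**
 * JPA converter that sends a single column through Vault's Transit engine.
 * The key material never leaves Vault; PostgreSQL only ever stores
 * ciphertext of the form "vault:v1:<base64>". Plug it into the entity with
 * @Convert(converter = VaultTransitConverter.class) on password / secretKey.
 */
@Converter
public class VaultTransitConverter implements AttributeConverter<String, String> {

    // Assumed key name. Create it once, out of band:
    //   vault write -f transit/keys/example-fields
    // The application's Vault policy then needs nothing beyond
    //   path "transit/encrypt/example-fields" { capabilities = ["update"] }
    //   path "transit/decrypt/example-fields" { capabilities = ["update"] }
    static final String KEY_NAME = "example-fields";

    // The JPA provider instantiates converters itself, so the Vault client is
    // handed over through a static holder set during Spring startup.
    // (Spring Boot's Hibernate integration can also inject it as a bean.)
    private static volatile VaultTransitOperations transit;

    static void setTransit(VaultTransitOperations ops) {
        transit = ops;
    }

    @Override
    public String convertToDatabaseColumn(String plaintext) {
        // Preserve NULL instead of encrypting an empty stand-in value.
        if (plaintext == null) {
            return null;
        }
        return transit.encrypt(KEY_NAME, plaintext);   // one round trip to Vault per write
    }

    @Override
    public String convertToEntityAttribute(String ciphertext) {
        if (ciphertext == null) {
            return null;
        }
        // Decrypts any key version >= min_decryption_version, so rotating the
        // Transit key does not break rows written under older versions.
        return transit.decrypt(KEY_NAME, ciphertext);
    }
}

/** Wires a VaultTemplate and hands its Transit operations to the converter. */
@Configuration
class VaultConverterConfig {

    @Bean
    VaultTemplate vaultTemplate() {
        // Assumed dev setup: Vault on localhost:8200 with a static token.
        // In production use AppRole/Kubernetes auth so the app holds no long-lived token.
        VaultTemplate template = new VaultTemplate(
                VaultEndpoint.create("localhost", 8200),
                new TokenAuthentication("dev-only-token"));
        VaultTransitConverter.setTransit(template.opsForTransit());
        return template;
    }
}
```

Two caveats worth knowing before choosing this route: every read or write of an annotated column is a network call to Vault, so batch loads of the entity will be noticeably slower than with an in-process key; and a Transit-encrypted column cannot be queried by equality (WHERE password = ?), so if you need lookups on such a field you would store a separate keyed hash of it (Transit also offers an hmac endpoint for that) rather than searching the ciphertext.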

2 Answers


I'd say it's up to you/the business.

You may store the entire entity (object) in Vault or only a string.

See if this helps: https://www.baeldung.com/spring-vault

Atul Kumar
  • But that's the thing, most of the examples show storing whole object, but what I'm wondering is if I could store just parts of it? Or is that only possible with encrypt/decrypt and that's it. – TilenA May 05 '20 at 09:11

Don't store everything in Vault as a secret. You can store the password, but I don't think that's advisable for a general user (in your case the entity seems to be an application user). Use their Transit secrets engine to encrypt the data and store it in any DB; you can back DB access with Vault authentication.

In case you want to store the password in a secrets engine, you can do that, but you will need a service class which will fetch the password from Vault before performing any operation.

Ravenloup
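The "service class which fetches the password from Vault" that this answer mentions, and the split storage the question asks about (row in PostgreSQL, sensitive fields in Vault KV, both assembled on load), look like the following. This is an added example, not code from the answer or from Spring Vault's documentation. It assumes a KV version 2 engine mounted at secret, a per-entity path of secret/example/<id>, and a VaultTemplate bean already configured; the Example entity below is a minimal stand-in for the one in the question with the secret fields removed:

```java
import java.util.Date;
import java.util.Map;

import javax.persistence.Entity;
import javax.persistence.GeneratedValue;
import javax.persistence.Id;
import javax.persistence.Table;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;
import org.springframework.vault.core.VaultKeyValueOperations;
import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultResponseSupport;

/** Non-sensitive half of the entity; this is all PostgreSQL ever sees. */
@Entity
@Table(name = "example")
class Example {
    @Id @GeneratedValue Long id;
    String name;
    Date created = new Date();

    protected Example() {}            // required by JPA
    Example(String name) { this.name = name; }
}

interface ExampleRepository extends JpaRepository<Example, Long> {}

/** Sensitive half; lives only in Vault KV under secret/example/<id>. */
class SecretFields {
    public String password;           // public fields so the JSON mapper can fill them
    public String secretKey;
}

/** Both halves, assembled for the caller. */
class LoadedExample {
    final Example entity;
    final SecretFields secrets;
    LoadedExample(Example entity, SecretFields secrets) {
        this.entity = entity;
        this.secrets = secrets;
    }
}

@Service
public class ExampleService {

    private final ExampleRepository repo;
    private final VaultKeyValueOperations kv;

    public ExampleService(ExampleRepository repo, VaultTemplate vault) {
        this.repo = repo;
        // Assumed: KV v2 mounted at "secret" (the default on a dev server).
        this.kv = vault.opsForKeyValue("secret", KeyValueBackend.KV_2);
    }

    private static String path(Long id) {
        return "example/" + id;       // assumed per-entity path layout
    }

    /** DB insert and Vault write in one unit: a failed Vault write rolls the insert back. */
    @Transactional
    public Example create(String name, String password, String secretKey) {
        Example saved = repo.saveAndFlush(new Example(name));   // need the generated id for the path
        kv.put(path(saved.id), Map.of("password", password, "secretKey", secretKey));
        return saved;
    }

    /** Reads the row from PostgreSQL and the secrets from Vault, failing closed if either is missing. */
    @Transactional(readOnly = true)
    public LoadedExample load(Long id) {
        Example entity = repo.findById(id)
                .orElseThrow(() -> new IllegalArgumentException("no example with id " + id));
        VaultResponseSupport<SecretFields> response = kv.get(path(id), SecretFields.class);
        if (response == null || response.getData() == null) {
            throw new IllegalStateException("secrets for example " + id + " are missing in Vault");
        }
        return new LoadedExample(entity, response.getData());
    }

    /** Removes both halves. KV v2 only soft-deletes the latest version; purge via metadata if needed. */
    @Transactional
    public void delete(Long id) {
        kv.delete(path(id));
        repo.deleteById(id);
    }
}
```

The ordering in create() is deliberate: the Vault write happens inside the database transaction, so a Vault outage leaves no row without its secrets. The reverse failure (Vault write succeeded, database commit failed) can still leave an orphaned secret at secret/example/<id>, so a periodic reconciliation against the table is the usual companion to this pattern. Compared with the Transit approach, this one keeps the plaintext out of the database entirely, at the cost of one extra Vault read on every load and of being unable to query the sensitive fields from SQL at all.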