Using Vault to store LUKS keys – Conclusion
Firstly, this was a really fun experiment which has ended up with a working solution. There is still a lot of work to do on this before it should be considered anywhere near “Production Ready”. Off the top of my head, here is what i believe needs working on
- SSL/TLS all the things. This is an easy low-hanging fruit.
- Already Started working on this, see this post on generating LetsEncrypt certs for you internal services using
- Better understanding of ACL’s and policies – I feel that while there isnt any obvious gaping holes, they could be a bit tighter
- Only allowing each host access to their own path and keys – Perhaps an ACL which controls access by /32
- Double check firewall rules for consul agents. I guessed at what was required.
- Automation – While i have managed to put my clusters across different hardware nodes, it would be nice to be able to quickly spin up new replacements.
There may be more to add to this list. But as it stands this is what i feel will really make this a viable solution. I already plan on rebuilding my Bitwarden NUC using this solution.
I have looked at Hashicorp Sentinel to perhaps work on the ACL / Policy side of things, but this looks to be an enterprise only feature. I have reached out to them for the cost of a single user license for non-production / no support use. Hashicorp got back to me, they wont sell personal licenses, and according to the chap i was speaking with he doesnt believe sentinel will ever be available outside of the enterprise versions.
For ease, here are links to each post in this series:
- Part Zero – Hardware and software overview
- Part One – Setting up the Consul cluster
- Part Two – Setting up the Vault Servers
- Part Three – Getting started with Vault
- Part Four – Setting up Vault for our LUKS Keys
- Part Five – Vaultlocker and Testing!
I also think that once again its worth noting im in no way an expert on this, so any obvious errors or misconceptions – please let me know!