Security Best Practices
Ensuring the security of the Signchain Self-hosted Vault is essential to protect sensitive data and private key information. This guide outlines best practices for configuring and maintaining a secure Signchain Vault environment.
1. Secure the VAULT_AUTH_SECRET_KEY
The VAULT_AUTH_SECRET_KEY environment variable is used to authenticate requests between your backend and the self-hosted vault. To maximize security:
- Use a high-entropy secret key: Generate the key from a cryptographically secure random source, for example openssl rand -hex 32 (256 bits). Do not derive it from a password, a phrase or any other guessable value; hashing a low-entropy string with SHA256 does not add entropy, it only hides how weak the input was.
- Store the secret securely: Ensure that VAULT_AUTH_SECRET_KEY is never committed to a repository, written to logs or passed on a command line where it shows up in the process table, and that it is readable only by the Vault container and the backend services that use it to authenticate.
2. Enable TLS for Secure Communication
TLS (Transport Layer Security) is crucial for protecting data in transit:
- Use HTTPS: When deploying in production, serve the Vault over HTTPS by configuring Traefik or another reverse proxy to handle TLS termination.
- Disallow insecure HTTP: Keep VAULT_INSECURE_HTTP=false so that the vault refuses plaintext connections. Only set it to true when the Vault is fronted by a TLS-terminating gateway and the hop between that gateway and the Vault instance (for example an internal Docker network) cannot be observed by anyone else; otherwise the VAULT_AUTH_SECRET_KEY-protected traffic crosses the network in the clear.
3. Control Access to the Vault API
Limit access to the Vault API to authorized users and services:
- Network restrictions: Use firewall rules or security groups to restrict access to the Vault API to trusted IPs or networks.
- API key authentication: Ensure that all requests to the Vault API are authenticated using Vault Keys and the X-Vault-Auth-Signature header to prevent unauthorized access.
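The following is an added example, not Signchain's own code: it sketches the properties a request-signing scheme between a backend and a self-hosted vault needs (a key from a CSPRNG as in section 1, a MAC bound to method, path, body and time, constant-time verification, rejection of stale and replayed requests). The X-Vault-Auth-Timestamp header, the canonical message layout and the /sign path are assumptions made for this example; the page only names the X-Vault-Auth-Signature header and does not describe how the real signature is computed.

```python
"""Added example of an HMAC request-signing scheme between a backend and a
self-hosted vault.  This is NOT Signchain's actual signature format (the page
only names the X-Vault-Auth-Signature header); the timestamp header, the
canonical message layout and the endpoint path are assumptions made here to
show the properties the real scheme needs."""
import hashlib
import hmac
import secrets
import time
from collections import deque
from typing import Optional

SIGNATURE_HEADER = "X-Vault-Auth-Signature"
TIMESTAMP_HEADER = "X-Vault-Auth-Timestamp"  # assumed header name, not from the page
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older/newer than this


def generate_secret_key() -> str:
    """256 bits from the OS CSPRNG, hex encoded: equivalent to `openssl rand -hex 32`."""
    return secrets.token_hex(32)


def canonical_message(method: str, path: str, body: bytes, timestamp: int) -> bytes:
    """Bind method, path, body digest and timestamp into one string so a valid
    signature cannot be moved onto a different request."""
    return b"\n".join([
        method.upper().encode(),
        path.encode(),
        str(timestamp).encode(),
        hashlib.sha256(body).hexdigest().encode(),
    ])


def sign_request(secret: str, method: str, path: str, body: bytes,
                 timestamp: Optional[int] = None) -> dict:
    """Backend side: returns the two headers to attach to the outgoing request."""
    ts = int(time.time()) if timestamp is None else timestamp
    mac = hmac.new(secret.encode(), canonical_message(method, path, body, ts), hashlib.sha256)
    return {SIGNATURE_HEADER: mac.hexdigest(), TIMESTAMP_HEADER: str(ts)}


class SignatureVerifier:
    """Vault side: constant-time MAC check, clock-skew window and replay cache."""

    def __init__(self, secret: str, now=time.time):
        self._secret = secret.encode()
        self._now = now        # injectable clock so the checks are testable
        self._seen = deque()   # (timestamp, signature) pairs already accepted

    def verify(self, method: str, path: str, body: bytes, headers: dict) -> bool:
        sig = headers.get(SIGNATURE_HEADER, "")
        ts_raw = headers.get(TIMESTAMP_HEADER, "")
        if not sig or not ts_raw.isdigit():
            return False
        ts = int(ts_raw)
        now = int(self._now())
        if abs(now - ts) > MAX_SKEW_SECONDS:
            return False  # stale (or future-dated) request
        expected = hmac.new(self._secret, canonical_message(method, path, body, ts),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False  # constant-time compare: no timing side channel on the MAC
        # Evict cache entries that have aged out of the skew window, then reject
        # anything already accepted: a captured request cannot simply be resent.
        while self._seen and now - self._seen[0][0] > MAX_SKEW_SECONDS:
            self._seen.popleft()
        if (ts, sig) in self._seen:
            return False
        self._seen.append((ts, sig))
        return True


if __name__ == "__main__":
    key = generate_secret_key()
    body = b'{"payload":"..."}'  # constructed request body
    hdrs = sign_request(key, "POST", "/sign", body)
    verifier = SignatureVerifier(key)
    print("first delivery accepted:", verifier.verify("POST", "/sign", body, hdrs))
    print("replay accepted:", verifier.verify("POST", "/sign", body, hdrs))
```

Whatever the real scheme looks like, the two checks worth confirming in your own deployment are the ones this example makes explicit: the comparison of the received signature uses a constant-time function, and a signature captured once cannot be presented again after the request it belonged to has been served.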
4. Rotate Keys Regularly
Regularly rotate any keys used for accessing and operating the Vault, and rotate immediately if you suspect a value has been exposed:
- Vault keys: Rotate the keys configured in VAULT_KEY on a scheduled basis. Update the dashboard and other connected services accordingly.
- Secrets rotation: Periodically change the VAULT_AUTH_SECRET_KEY and update all authorized backend systems.
5. Limit Privileges on the Dashboard
Only grant necessary permissions to users and systems accessing the vault:
- Use specific roles: Assign appropriate roles for accessing specific vault functions. For example, use Read-Only roles for users who only need to retrieve data.
- Audit access: Regularly review the list of users with access to the Vault and adjust roles or permissions as needed.
6. Log and Monitor Vault Activity
Logging and monitoring can help detect potential security issues early:
- Enable logging: Configure your Vault environment to log access requests and errors for auditing purposes.
- Use monitoring tools: Implement monitoring and alerting on Vault access patterns to detect unusual activity.
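As an added example (not part of the Signchain vault or its documentation), the script below runs two simple detections over access-log lines: requests from addresses outside an allowlist, and bursts of authentication failures from one address inside a time window. The log line layout, the /sign and /keys paths and the trusted networks are constructed for the example; adapt the regular expression and the allowlist to whatever your vault and reverse proxy actually emit.

```python
"""Added example (not Signchain code or documentation) of detection logic over
vault access logs.  ASSUMPTIONS: the log line layout, the /sign and /keys paths
and the trusted networks below are constructed for this example; adapt the
regex and allowlist to what your vault and reverse proxy actually emit."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) auth=(?P<auth>ok|fail)$"
)
TRUSTED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]  # assumed allowlist
FAIL_THRESHOLD = 5             # this many auth failures from one IP ...
WINDOW = timedelta(minutes=5)  # ... inside this window raises an alert

# Constructed sample log: one healthy backend, one outside host hammering the
# signature check, one trusted host with a couple of failures, one garbage line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.1.20 POST /sign 200 auth=ok
2024-05-01T10:00:02Z 10.0.1.20 GET /keys 200 auth=ok
2024-05-01T10:00:05Z 203.0.113.7 POST /sign 401 auth=fail
2024-05-01T10:00:06Z 203.0.113.7 POST /sign 401 auth=fail
2024-05-01T10:00:07Z 203.0.113.7 POST /sign 401 auth=fail
2024-05-01T10:00:08Z 203.0.113.7 POST /sign 401 auth=fail
2024-05-01T10:00:09Z 203.0.113.7 POST /sign 401 auth=fail
2024-05-01T10:00:15Z 10.0.1.30 POST /sign 401 auth=fail
2024-05-01T10:00:16Z 10.0.1.30 POST /sign 401 auth=fail
2024-05-01T10:00:17Z 10.0.1.30 POST /sign 200 auth=ok
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict for a well-formed line, None otherwise (callers count those)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ip_address(rec["ip"])  # reject lines whose IP field is not a real address
    except ValueError:
        return None
    return rec


def find_alerts(lines):
    """Scan lines in order; returns the alerts found plus the count of unparsable lines."""
    alerts, unparsed = [], 0
    failures = defaultdict(deque)  # ip -> timestamps of recent auth failures
    flagged = set()                # (kind, ip) pairs already reported once
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        ip, ts = rec["ip"], rec["ts"]
        if not any(ip_address(ip) in net for net in TRUSTED_NETWORKS):
            if ("untrusted_source", ip) not in flagged:
                flagged.add(("untrusted_source", ip))
                alerts.append({"kind": "untrusted_source", "ip": ip,
                               "detail": f"first seen {ts.isoformat()} {rec['method']} {rec['path']}"})
        if rec["auth"] == "fail":
            window = failures[ip]
            window.append(ts)
            while window and ts - window[0] > WINDOW:  # slide the window forward
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ("auth_failure_burst", ip) not in flagged:
                flagged.add(("auth_failure_burst", ip))
                alerts.append({"kind": "auth_failure_burst", "ip": ip,
                               "detail": f"{len(window)} failures within {WINDOW}"})
    return {"alerts": alerts, "unparsed": unparsed}


if __name__ == "__main__":
    result = find_alerts(SAMPLE_LOG.splitlines())
    for a in result["alerts"]:
        print(f"ALERT {a['kind']:<20} {a['ip']:<15} {a['detail']}")
    print(f"{result['unparsed']} unparsable line(s) skipped")
```

Counting unparsable lines matters as much as the alerts themselves: a log format change that silently breaks the parser would otherwise look identical to a quiet day, so wire the unparsed count into the same alerting path.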
7. Apply Container Security Practices
Since the Vault runs in a Docker container, apply best practices for container security:
- Use trusted images: Always pull the Signchain Vault image from the official source (ghcr.io/grexie/signchain-vault:latest). For production deployments, pin to a specific version tag or image digest rather than latest, so that every deployment runs exactly the image you reviewed and an upgrade is a deliberate change.
- Update images regularly: Keep the Vault container updated to ensure the latest security patches are applied.
- Isolate containers: Run the Vault container in an isolated network to limit exposure and reduce risks.
Conclusion
Implementing these best practices helps protect your Signchain Vault instance against unauthorized access and potential attacks. Always remain vigilant and proactive with security measures to keep your environment safe.
For more information on specific configuration details, refer to other sections in this documentation, such as Installation & Setup and Environment Variables.