HashiCorp Vault

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, or certificates. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

When to Use

  • Dynamic Secrets: generating temporary AWS credentials (TTL 15m) for a specific task, so no long-lived key has to be handed out.
  • Encryption as a Service: encrypting application data (such as credit card numbers) without the app ever holding the keys (Transit engine).
  • Kubernetes Secrets: injecting secrets into pods securely without storing them in etcd.

Quick Start (Dev Mode)

```bash
vault server -dev
export VAULT_ADDR='http://127.0.0.1:8200'
```

`vault server -dev` keeps the terminal, so run the `export` in a second shell. Dev mode is a single in-memory server that starts already unsealed and prints a root token to the console; it is for local experimentation only, never for real secrets.

Write a secret

```bash
vault kv put secret/hello foo=world
```

Read a secret

```bash
vault kv get secret/hello
```

Core Concepts

Sealing

Vault data is encrypted at rest. When Vault starts it is "Sealed": it knows where its storage is but cannot decrypt anything in it. Unsealing requires a threshold of unseal keys (shares produced by Shamir's Secret Sharing) to reconstruct the master key (called the root key in current releases), which in turn unlocks the data encryption keys. By default `vault operator init` produces 5 shares with a threshold of 3.

Engines

Modules that handle different types of secrets:
  • kv: Key-Value storage (static).
  • aws: dynamic AWS IAM users.
  • pki: dynamic X.509 certificates.

Auth Methods

How you log in to Vault: Token, AppRole (Machines), Kubernetes (Pods), GitHub (Humans).

Best Practices (2025)

Do:
  • Use Auto-Unseal: integrate with AWS KMS / Azure Key Vault so Vault unseals itself on restart (manual unsealing is painful for uptime).
  • Inject via Sidecar: in K8s, use the Vault Agent Injector to drop secrets into /vault/secrets/config rather than having the application call the API directly.
  • Enable Audit Logs: essential for answering "Who read the database password?".
Don't:
  • Don't use the Root Token day to day: generate it, configure auth methods and policies, then revoke it.
  • Don't store huge files: Vault is for secrets (KB), not files (MB).
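The audit-log and root-token points above are easiest to appreciate against actual log lines. The following added example (not part of the original page, and not Vault code) parses a constructed sample of a file audit device log and answers "who read the database password?" and "was the root token used?". The field names (`type`, `auth.display_name`, `auth.policies`, `request.operation`, `request.path`, `request.remote_address`) are the ones Vault writes; the values are made up, and the secret value in the response entry is HMAC'd, as Vault does by default. `kv2_data_path` encodes the fact that `vault kv get secret/db` on a KV v2 mount is an API read of `secret/data/db`, which is the path the log records.

```python
import json
from typing import Iterable

# Constructed sample audit log: one JSON object per line, request and response
# entries share a request id. Entry r-002 is a write with the root token.
SAMPLE_AUDIT_LOG = """
{"time":"2025-01-10T09:12:01Z","type":"request","auth":{"display_name":"approle-web","policies":["default","web-db-reader"],"token_type":"service"},"request":{"id":"r-001","operation":"read","path":"secret/data/db","remote_address":"10.0.0.5"}}
{"time":"2025-01-10T09:12:01Z","type":"response","auth":{"display_name":"approle-web","policies":["default","web-db-reader"],"token_type":"service"},"request":{"id":"r-001","operation":"read","path":"secret/data/db","remote_address":"10.0.0.5"},"response":{"data":{"data":{"password":"hmac-sha256:constructed"}}}}
{"time":"2025-01-10T09:30:44Z","type":"request","auth":{"display_name":"token","policies":["root"],"token_type":"service"},"request":{"id":"r-002","operation":"update","path":"secret/data/db","remote_address":"10.0.0.2"}}
{"time":"2025-01-10T10:02:13Z","type":"request","auth":{"display_name":"github-alice","policies":["default","ops"],"token_type":"service"},"request":{"id":"r-003","operation":"read","path":"secret/data/other","remote_address":"10.0.0.9"}}
{"time":"2025-01-10T11:45:07Z","type":"request","auth":{"display_name":"github-alice","policies":["default","ops"],"token_type":"service"},"request":{"id":"r-004","operation":"read","path":"secret/data/db","remote_address":"10.0.0.9"}}
"""


def kv2_data_path(kv_path: str) -> str:
    """Map `vault kv get <mount>/<key>` (KV v2) to the API path in the audit log."""
    mount, _, key = kv_path.partition("/")
    return f"{mount}/data/{key}"


def _request_entries(audit_lines: Iterable[str]):
    """Yield each request entry once, skipping blank lines, responses and duplicates."""
    seen = set()
    for raw in audit_lines:
        raw = raw.strip()
        if not raw:
            continue
        entry = json.loads(raw)
        if entry.get("type") != "request":
            continue
        request_id = entry.get("request", {}).get("id")
        if request_id in seen:
            continue
        seen.add(request_id)
        yield entry


def readers_of(audit_lines: Iterable[str], secret_path: str) -> list[dict]:
    """Who performed a read of `secret_path`, when, and from where."""
    hits = []
    for entry in _request_entries(audit_lines):
        req = entry["request"]
        if req.get("operation") == "read" and req.get("path") == secret_path:
            auth = entry.get("auth", {})
            hits.append({
                "time": entry.get("time"),
                "display_name": auth.get("display_name"),
                "policies": auth.get("policies", []),
                "remote_address": req.get("remote_address"),
            })
    return hits


def root_token_uses(audit_lines: Iterable[str]) -> list[dict]:
    """Every request made with a token carrying the root policy; ideally empty."""
    return [
        {"time": e.get("time"), "operation": e["request"].get("operation"),
         "path": e["request"].get("path"), "remote_address": e["request"].get("remote_address")}
        for e in _request_entries(audit_lines)
        if "root" in e.get("auth", {}).get("policies", [])
    ]


if __name__ == "__main__":
    lines = SAMPLE_AUDIT_LOG.splitlines()
    for hit in readers_of(lines, kv2_data_path("secret/db")):
        print(hit)
    print("root token uses:", root_token_uses(lines))
```

Run as a script it lists the two readers of `secret/data/db` and the single root-token write. Note what the log gives you and what it withholds: identity, path, operation, time and source address are in the clear, while the secret value itself is only an HMAC, so the audit log cannot become a second copy of the secret.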
