I have made several searches to secure all the sensitive data in the application.properties
and finally concluded to use Spring Cloud Vault by HashiCorp.
As far as I see, I can keep all the secrets, etc., as key-value pairs in this mechanism. However, I am not sure I understand the following points. Could you help me, please?
While keeping all the sensitive data in Vault, I think we need to provide a token in the Spring Boot app to access this data. So, for a production environment, suppose that I send the app to the customer, then should they provide this token via environment variables? Or are there any other alternatives that are secure also?
How does the app use the secrets kept in Vault? Does it retrieve them whenever it needs them, or retrieve them at startup and then keep them in memory, etc., on the server or in the Docker container (based on the config)?
Vault tokens should be injected as environment variables. If you have a platform like k8s or OpenShift, the Vault token itself can be stored as a secret.
Spring Boot loads the secrets from Vault at startup.
Here is a snippet of our DeploymentConfig template file:
kind: DeploymentConfig
spec:
  strategy: {}              # strategy settings were omitted in the posted snippet
  template:                 # a DeploymentConfig's pod spec lives under spec.template
    spec:
      containers:
        - name: {{ .Release.Name }}
          env:
            # Vault address and token are read from a pre-created Secret
            # ("global-secrets") rather than written into the image or the chart
            - name: VAULT_API
              valueFrom:
                secretKeyRef:
                  name: global-secrets
                  key: vaultapi
            - name: VAULT_TOKEN
              valueFrom:
                secretKeyRef:
                  name: global-secrets
                  key: vaulttoken
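To show how the two environment variables above are consumed on the Spring side, here is the matching Spring Cloud Vault configuration. This is an added example, not part of the original answer or of any project's code; it assumes Spring Boot 2.4 or newer (so the `spring.config.import: vault://` style rather than a bootstrap.yml), a KV v2 engine mounted at `secret/`, an application name `myapp`, and a secret written at `secret/myapp` containing a key `db.password`. All of those names are assumptions.

```yaml
# application.yml (added example, not from the original post)
spring:
  application:
    name: myapp               # assumed; Spring Cloud Vault reads secret/<name> by default
  config:
    import: vault://          # pulls Vault data into the Environment at startup (Boot 2.4+)
  cloud:
    vault:
      uri: ${VAULT_API}       # e.g. https://vault.example.com:8200, from the injected env var
      authentication: TOKEN
      token: ${VAULT_TOKEN}   # never hard-coded; comes from the platform Secret shown above
      fail-fast: true         # refuse to start without secrets instead of running degraded
      kv:
        enabled: true
        backend: secret       # assumed KV v2 mount path
        default-context: myapp
```

With this in place, a key `db.password` stored at `secret/myapp` is available at startup as the property `db.password`, so `spring.datasource.password: ${db.password}` or an `@Value("${db.password}")` field resolves without the value ever appearing in application.properties. Since the app reads Vault once at boot, the token placed in `global-secrets` should be a renewable token with a TTL long enough for the process lifetime (or periodic), and the secret itself is a `Secret` object in the platform, so access to it must be restricted with RBAC just as the Vault policy restricts what the token can read.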