# What you'll learn

After watching this video, you will be able to: 
* Describe secrets management.
* Describe Vault.
* Identify the four stages of Vault.

# What is secret management?

* Secrets management is storing and managing any items that must be kept secret.
* Either on-premises or in the cloud, you must secure secrets to protect your code from possible attacks.
* Examples of secrets are **passwords**, **certificates**, and application programming interface (or API) **encryption keys**.
* You can store these assets using a secrets management solution to manage and integrate with your applications and databases.

# Challenges in storing secrets

To store secrets, you are going to face several challenges.

* Specifically, you must develop code to handle various kinds of access, such as:
    * Database access for interacting with middleware applications and code.
    * Service-oriented architecture (or SOA) messaging for communicating with decoupled applications.
    * If you are developing a cloud-based application, cloud-based services will also require your attention.
* Auditing and logging are essential to monitor and track who is accessing which resources.
* You must make your storage secure from attackers.


# What is Vault?

So, **how can you deal with these challenges?**
* A tool that you can use is Vault.
* Developed by HashiCorp, **Vault** is a token-based storage solution for managing secrets.
* To access Vault, the user is assigned a token or creates their own token.
* Vault provides policies that constrain user access and privileges when users interact with a Vault server.
* Vault offerings come in three flavors.
    * **Open source, self-managed Vault** is ideal for new developers and small organizations to download and test; it helps you learn how to run and manage Vault.
    * The **enterprise solution** is also self-managed and can be customized for custom deployments.
    * The third offering is a **cloud-managed solution**, which HashiCorp runs in the cloud as a software-as-a-service (or SaaS) offering.

# Why use Vault?

![image.png](attachment:cd6c30de-13bb-45a7-98d7-ef0f10f4c892.png)

Four benefits of using Vault as a secrets management tool are: 
* Vault provides key management that centralizes management of cryptographic keys and other secret assets.
* Next, Vault provides an encryption-as-a-service (or EaaS) solution by encrypting the written data that is stored.
* Next, Vault can secure multiple databases at a time by implementing database credential rotation.
* Database credential rotation assigns and rotates database credentials, which improves security.
* Vault helps you manage and store secrets, such as secure sockets layer (or SSL) certificates, when you are developing code for on-premises or cloud deployments.

# Vault's four stages

![image.png](attachment:3b7fdd1d-518b-48c6-b131-8ec21f3c86ae.png)

Okay, so Vault has four stages of security.

* **Authentication**: 
    * Users must be authenticated with a system, either internal or external, before they can interact with Vault.
    * This extra measure increases the security for accessing stored secrets.
    * When the user has been authenticated, Vault issues them a token, which they can use to establish a session.
* **Validation**: A trusted third party supports the step of validating a user's credentials.
* **Authorization**: To authorize the session, Vault matches security policies with the appropriate users.
* **Access to Vault**: The user is granted access to secrets according to policies that have been established and assigned to them.

# Storage methods

![image.png](attachment:be2c387f-ad45-42cb-b1e9-56fb195a1929.png)

To interact with Vault to store and manage secrets, you can use one of three common methods.

These methods are:
* Graphical user interface (or GUI)
* Command line interface (or CLI)
* Hypertext transfer protocol application programming interface (or HTTP API)

![image.png](attachment:a9ade633-c30a-47a4-9141-92e9d377a1d4.png)

So, you can use a web-based GUI to authenticate, unseal, and manage policies and secret engines.
* To enable the GUI, simply set the **`ui`** option to **`true`** in the Vault server configuration.
* You must also define at least one listener address and port so that the GUI can be reached.
* In this case, Vault is running on localhost port **`8200`**.
* In this example, the GUI is accessible via **`https://127.0.0.1:8200/ui`**.

![image.png](attachment:8a9b4041-fb98-4ce7-ab05-51874e037953.png)

You can also access Vault from the command line interface (or CLI).
* After downloading and installing Vault on your local machine, start the Vault server in development mode with the default configuration by running: **`$ vault server -dev &`**
* This command runs the Vault server in the background so you can use the Vault commands in the same shell.
* The command structure is the `vault` command followed by options, then paths, and lastly arguments.

![image.png](attachment:7de48ab2-d55c-448b-a5d6-ac6bd2e429a4.png)

* The entire Vault server is accessible via the HTTP API using the prefix **`/v1/`**.
* Because a client token is necessary to operate Vault, the client must send its token with each request, either in the **`X-Vault-Token`** HTTP header or as a Bearer token.
* Once a token has been issued, to retrieve the secret for **`alice`** on a Vault server running on localhost port **`8200`**, you can run this curl command.

# Writing a secret to a new install

![image.png](attachment:6bf7311e-77cf-4b27-89f7-8e8ed06bfdf0.png)

When you install and start a Vault server, you can start writing a secret.
* This example shows how to write a secret in Python to a newly installed and running Vault server.
* The first line that begins with a hash symbol is a comment statement.
* The comment states that the write stores a key/value pair under the path **`secret/myapp`**.
* The next line of code creates a response.
* It calls the Vault API's **`create_or_update_secret()`** function, passing a **`path`** parameter set to **`myapp`** and a **`secret`** parameter set to a dictionary with the key **`alice`** and the value **`mypassword`**.
* It stores the return value in a variable called **`response`**.
* So, you write a comment and then create a response containing the secret.

# Reading a secret

![image.png](attachment:96fe1d56-b679-4c43-adc0-dc5345443b84.png)

Now, here's an example for reading a secret from Vault.
* Again, the code you are using is Python.
* The first line, which begins with a hash symbol, is simply a comment for reading the data written under the path **`secret/myapp`**.
* The next line of code calls the Vault API's **`read_secret_version()`** function, passing the parameter **`path`** with a value of **`myapp`**, and stores the result in **`read_response`**.
* The final line prints the value stored under the path **`secret/myapp`** for the key **`alice`**.
* The printed output is: **`Value under path "secret/myapp" / key "alice": mypassword`**, showing that the value associated with **`alice`** is **`mypassword`**.
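The page's write and read snippets exist only as images, so here is an added example (not the video's code) that performs the same two operations, writing the key `alice` under `secret/myapp` and reading it back, but directly over the HTTP API described in the "Storage methods" section, using only the Python standard library. It assumes the KV version 2 secrets engine is mounted at `secret/` (so the logical path `secret/myapp` maps to the API path `/v1/secret/data/myapp`), that the token is supplied in the `VAULT_TOKEN` environment variable, and that the server is the `vault server -dev` instance on `127.0.0.1:8200`, which dev mode serves over plain HTTP. The method names `create_or_update_secret()` and `read_secret_version()` on the page match the hvac Python client's KV v2 interface; that mapping is an assumption, since the page does not name the library.

```python
"""Write and read a KV version 2 secret over Vault's HTTP API.

Added example, not the page's code. Assumptions: KV v2 mounted at 'secret/',
token in VAULT_TOKEN, server address in VAULT_ADDR (defaults to the dev
server on http://127.0.0.1:8200).
"""
import json
import os
import urllib.error
import urllib.request
from typing import Optional

DEFAULT_ADDR = "http://127.0.0.1:8200"  # `vault server -dev` listens here over plain HTTP


def kv2_data_url(addr: str, path: str, mount: str = "secret") -> str:
    """Map a logical KV v2 path such as 'myapp' to its /v1/<mount>/data/<path> URL."""
    return f"{addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"


def build_request(addr: str, token: str, path: str,
                  secret: Optional[dict] = None) -> urllib.request.Request:
    """Build a GET (read) or POST (write) request carrying the token in X-Vault-Token.

    The token travels in a header, never in the URL, so it does not leak into
    access logs, proxies, or shell history the way a query parameter would.
    """
    url = kv2_data_url(addr, path)
    headers = {"X-Vault-Token": token, "Content-Type": "application/json"}
    if secret is None:
        return urllib.request.Request(url, headers=headers, method="GET")
    # KV v2 expects the user key/value pairs wrapped in a top-level "data" object.
    body = json.dumps({"data": secret}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


def parse_read_response(body: bytes, key: str) -> Optional[str]:
    """Extract one key from a KV v2 read response.

    KV v2 nests the user data under data.data (the outer "data" also carries
    version metadata), so a naive payload["data"][key] lookup returns nothing.
    """
    payload = json.loads(body)
    return payload.get("data", {}).get("data", {}).get(key)


def write_secret(addr: str, token: str, path: str, secret: dict) -> int:
    """Write key/value pairs under <mount>/data/<path>; returns the new version number."""
    req = build_request(addr, token, path, secret)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())["data"]["version"]


def read_secret(addr: str, token: str, path: str, key: str) -> Optional[str]:
    """Read one key back; None if the path has never been written."""
    req = build_request(addr, token, path)
    try:
        with urllib.request.urlopen(req) as resp:
            return parse_read_response(resp.read(), key)
    except urllib.error.HTTPError as err:
        if err.code == 404:  # nothing stored at this path yet
            return None
        raise  # 403 means the token's policy does not grant this path; surface it


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR", DEFAULT_ADDR)
    token = os.environ["VAULT_TOKEN"]  # dev-mode root token printed by `vault server -dev`
    # Write contains a key/value pair under the path secret/myapp
    write_secret(addr, token, "myapp", {"alice": "mypassword"})
    # Read the data written under the path secret/myapp
    value = read_secret(addr, token, "myapp", "alice")
    print(f'Value under path "secret/myapp" / key "alice": {value}')
```

Run it with `VAULT_TOKEN` set to the root token that `vault server -dev` prints; against a server where the token's policy does not cover `secret/data/myapp`, the read raises the 403 rather than silently returning `None`, which is the behaviour you want when debugging the authorization stage.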

# Summary

In this video, you learned that: 
* Secrets management is storing and managing items like passwords that must be kept secret.
* Challenges in developing code include handling access to resources, auditing and logging, and securing storage.
* Vault is a token-based solution for storing secrets.
* The four stages of Vault are **authentication**, **validation**, **authorization**, and **access**.