Runtime Protection for Vault and Consul

Anjuna presented as part of the first HashiTalks online event—A 24-hour continuous series of presentations from the worldwide HashiCorp User Group (HUG) community and from HashiCorp engineers as well. The event took place from February 21-22, 2019.

The session explored our Runtime Security solution based on secure enclaves, such as Intel Software Guard Extensions (SGX). While there is tremendous promise in Intel SGX, adoption so far has been limited to very specific products where development teams were able to put in significant engineering effort to secure small (and sensitive) parts of their applications. Moreover, the lack of straightforward interoperability with modern high-level languages like Go further limits the usability of Secure Enclaves.

In this talk, we demonstrated a way to secure HashiCorp Vault from attackers that have complete control of the host server, by loading the application into a Secure Enclave. The user experience remains unhindered since all APIs and interaction with the Vault server remain as they were. Lastly, the talk will explain how to establish trust between the protected Vault instance and remote Vault clients using an attestation mechanism that is elegantly integrated into HTTPS.