jfindley|7 years ago
It's one of my least favourite things about Vault as a product - it would have been technically feasible to not require unsealing for read-only operations, and thus not make a 2am restart a critical failure. I made a PoC once (I don't think it's still published anywhere) that does exactly this. Unfortunately they chose not to do this.
Admittedly simplicity is a feature in and of itself, and the read-only unsealing requires more complex asymmetric cryptography, but the excellent nacl[0] makes this a lot easier than it used to be.
0: https://nacl.cr.yp.to/box.html
atonse|7 years ago
I kid you not, the main reason we haven't implemented Vault yet is not because we're worried about security. It's because we're deathly afraid of locking ourselves out by making a mistake and taking the whole system down.
Meaning, this makes Vault more of a "let's really dedicate time to think of every possible scenario" type of implementation rather than "let's just keep adding a couple of secrets a week".
What have other people's experiences been?
jen20|7 years ago
It is possible to control both the number of key shares and the threshold required to unseal Vault (and now to do automatic unseal too), so I'm not certain this particular condition should be too much of a concern anymore. That said, considering as many scenarios as possible is definitely sensible!
viralpoetry|7 years ago
I really do not understand your frustration. We are running a 5-node cluster in production with keepalived, and nobody needs to wake up to unseal if one or two instances fail. It's perfectly fine to do it in the morning by copy-pasting a curl one-liner from KeePass.
ReidZB|7 years ago
That said, for most organizations, I've never been all that convinced that the multi-key-holder model provides much benefit.
viralpoetry|7 years ago
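The "key shares" and "threshold" jen20 refers to are the two parameters of Shamir secret sharing, which is how Vault's unseal keys are produced. The following is an added illustration, not code from this thread or from Vault itself: a minimal Shamir split/combine over a prime field (Vault's own implementation works byte-wise over GF(2^8)), with a helper showing that any `threshold` shares recover the key while one fewer leaves you locked out. Function names and the sample secret are constructed for the example.

```python
import secrets

# 2^127 - 1 (a Mersenne prime); the field must be larger than the secret.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x (mod PRIME), Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares, threshold):
    """Split an integer secret into `shares` (x, y) points, any `threshold` of which rebuild it."""
    if not 1 <= threshold <= shares:
        raise ValueError("threshold must be between 1 and the number of shares")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must fit in the field")
    # The constant term is the secret; the other threshold-1 coefficients are random,
    # so fewer than `threshold` points leave f(0) uniformly undetermined.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def combine_shares(points):
    """Recover f(0) by Lagrange interpolation at x = 0 from (x, y) points."""
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * -xj) % PRIME          # product of (0 - xj)
                den = (den * (xi - xj)) % PRIME    # product of (xi - xj)
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def lockout_check(secret, shares, threshold):
    """Return (recovered_with_threshold, recovered_with_one_fewer).

    The second value is what a lost or unavailable key holder costs you: with
    threshold-1 shares the interpolation yields an unrelated value, i.e. a lockout."""
    pts = split_secret(secret, shares, threshold)
    return (combine_shares(pts[:threshold]) == secret,
            combine_shares(pts[:threshold - 1]) == secret)
```

Choosing a larger share count with a lower threshold (e.g. 5 shares, 3 required) is what lets two key holders be unreachable at 2am without a lockout, at the cost of more holders who could collude.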