
Vault Transform Secrets Engine with YugabyteDB Demo

This demo application shows the data protection capabilities of Vault combined with YugabyteDB. The application exercises several of the options available for masking, encrypting and tokenizing data.

In this demo, YugabyteDB and Vault together address two problems:

  1. Credential exposure: the application uses short-lived, dynamic database credentials instead of a long-lived password.
  2. Data exposure: sensitive fields are transformed before they are stored, so an exfiltrated table does not yield the original values.

Demo Architecture

  • demo-ui is a simple single-page application built with Spring Boot.
  • demo-api is a Spring Boot application that exposes a REST API for demo-ui.
    • It calls the Vault agent to transform sensitive data and stores the transformed data in the demo database on YugabyteDB.
    • It uses the Spring Cloud Vault library to integrate with the Vault API, for example to retrieve dynamic database credentials.
  • The Vault agent acts as a sidecar proxy that retrieves secrets from Vault on behalf of demo-api.
    • Auto-auth handles the login to Vault and the renewal of the Vault auth token. With auto-auth the client application never holds or renews the token itself, which makes it easier for the application to consume Vault's API.
    • The Vault agent is optional here, since the Spring Cloud Vault library can authenticate to Vault directly.
  • On the Vault server side three secrets engines are enabled: database, transform, and transit.
    • The database secrets engine generates short-lived dynamic credentials for demo-api on the demo database (YugabyteDB, reached through its PostgreSQL-compatible YSQL interface).
    • The transform secrets engine is configured to use the demo database as external token storage for tokenization.
  • YugabyteDB is set up with YSQL. A demo database is created on it to store the tokenized data. You can connect with any PostgreSQL-compatible tool on port 5433 to reach the SQL interface.
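The following script is an added example and is not code from the vault-transform-demo repository. It walks through the three pieces the list above describes with the vault CLI: the database secrets engine issuing short-lived YSQL credentials, the transform engine with masking, format-preserving encryption (FPE) and tokenization backed by YugabyteDB as the external token store, and an agent configuration with auto-auth for the sidecar. The database name, users and passwords are the ones listed under "Access Consoles" below; everything else (mount paths, the role names demo-app and payments, the transformation names, the YSQL host name yugabytedb, the AppRole file paths, the agent listen port 8100) is assumed for the example.

```shell
#!/usr/bin/env sh
# Added example (not part of the demo repo). Assumed names: mounts "database" and
# "transform", roles "demo-app" and "payments", host "yugabytedb", agent port 8100.
set -eu

: "${VAULT_ADDR:=http://127.0.0.1:8200}"
export VAULT_ADDR
YSQL_HOST="${YSQL_HOST:-yugabytedb}"

# 1. Short-lived dynamic credentials. YSQL speaks the PostgreSQL wire protocol,
#    so the stock postgresql plugin is used. Bootstrap with the superuser from
#    the README, then let Vault rotate that password so nobody else keeps it.
setup_dynamic_creds() {
  vault secrets enable -path=database database 2>/dev/null || true
  vault write database/config/demo \
    plugin_name=postgresql-database-plugin allowed_roles=demo-app \
    connection_url="postgresql://{{username}}:{{password}}@${YSQL_HOST}:5433/demo?sslmode=disable" \
    username=yugabyte password=yugabyte
  vault write -f database/rotate-root/demo
  # Every lease creates its own role, expiring with the lease (VALID UNTIL) and
  # granted only what demo-api needs, not the superuser that configured Vault.
  vault write database/roles/demo-app db_name=demo default_ttl=1h max_ttl=24h \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO \"{{name}}\";"
}

# 2. Transform engine: masking (one-way), FPE (reversible, keeps the shape) and
#    tokenization whose plaintext->token mapping lives in YugabyteDB, not Vault.
setup_transform() {
  vault secrets enable transform 2>/dev/null || true
  vault write transform/transformations/masking/ccn-mask \
    template=builtin/creditcardnumber masking_character='#' allowed_roles=payments
  vault write transform/transformations/fpe/ccn-fpe \
    template=builtin/creditcardnumber tweak_source=internal allowed_roles=payments
  vault write transform/stores/yugabytedb \
    type=sql driver=postgres supported_transformations=tokenization \
    connection_string="postgres://{{username}}:{{password}}@${YSQL_HOST}:5433/demo?sslmode=disable" \
    username=demo password=passw0rd
  vault write transform/stores/yugabytedb/schema \
    transformation_type=tokenization username=demo password=passw0rd
  vault write transform/transformations/tokenization/ccn-token \
    allowed_roles=payments stores=yugabytedb
  vault write transform/role/payments transformations=ccn-mask,ccn-fpe,ccn-token
}

# Pure checks on transform output (no Vault needed): FPE must keep the card
# shape, and a masked value must expose no digit at all.
format_preserved() { printf '%s' "$1" | grep -Eq '^[0-9]{4}-[0-9]{4}-[0-9]{4}-[0-9]{4}$'; }
fully_masked()     { printf '%s' "$1" | grep -Eq '^#{4}-#{4}-#{4}-#{4}$'; }

# Encode a constructed sample (not a real card) with each transformation and
# decode the two reversible ones. Only a token allowed the payments role can
# decode, which is what keeps an exfiltrated table useless on its own.
demo_transforms() {
  card="1111-2222-3333-4444"
  masked=$(vault write -field=encoded_value transform/encode/payments transformation=ccn-mask value="$card")
  fpe=$(vault write -field=encoded_value transform/encode/payments transformation=ccn-fpe value="$card")
  token=$(vault write -field=encoded_value transform/encode/payments transformation=ccn-token value="$card")
  printf 'masked: %s\nfpe:    %s\ntoken:  %s\n' "$masked" "$fpe" "$token"
  fully_masked "$masked" && format_preserved "$fpe" && echo "masking/FPE properties hold"
  vault write -field=decoded_value transform/decode/payments transformation=ccn-fpe value="$fpe"
  vault write -field=decoded_value transform/decode/payments transformation=ccn-token value="$token"
}

# 3. Agent sidecar: AppRole auto-auth, token kept in a file sink, and an API
#    proxy listener that attaches that token so demo-api never handles one.
#    (Vault agents older than 1.12 spell the api_proxy stanza "cache".)
write_agent_config() {
  cat > "$1" <<'EOF'
vault { address = "http://vault:8200" }
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/vault/config/role_id"
      secret_id_file_path = "/vault/config/secret_id"
    }
  }
  sink "file" { config = { path = "/vault/token/.vault-token" } }
}
api_proxy { use_auto_auth_token = true }
listener "tcp" {
  address     = "127.0.0.1:8100"
  tls_disable = true
}
EOF
}

# Only talk to Vault when asked explicitly, so the file can also be sourced.
if [ "${1:-}" = "setup" ]; then
  setup_dynamic_creds
  setup_transform
  demo_transforms
fi
```

Run it as `sh setup-demo.sh setup` with VAULT_ADDR and VAULT_TOKEN pointing at a Vault that holds an Enterprise license (the transform engine is Enterprise-only). The rotate-root step is the one most demos skip: once Vault owns the superuser password, the yugabyte/yugabyte bootstrap credential printed in this README stops working, which is exactly the point.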

Prerequisites

  • Vault Enterprise license (contact HashiCorp for a trial license)
  • Local demo
  • Cloud-based demo

Gitpod based demo

Set up the license variable (one-time)

  1. Open Gitpod / User Settings / Variables
  2. Click the New Variable button at the top right
  3. Fill in the following in the New Variable window and click Add Variable
    1. Name: VAULT_LICENSE
    2. Value: <put your own Vault license value here>
    3. Scope: yogendra/vault-transform-demo (or your own forked repo name)
  4. Now you can launch the Gitpod workspace by clicking the button below

Open in Gitpod

Local demo

```shell
export VAULT_LICENSE="....."
git clone https://github.com/yogendra/vault-transform-demo.git
cd vault-transform-demo
bin/demo prepare
bin/demo start
```

`bin/demo prepare` is optional. If `bin/demo start` fails because the image build cannot reach the Alpine package repository URLs, run `prepare` first to pull the pre-built images instead of building them.

Access Consoles:

  • Demo UI
  • Vault
    • Username: admin
    • Password: passw0rd
  • YugabyteDB UI
    • Database: demo
    • Username: demo
    • Password: passw0rd
    • Super User: yugabyte
    • Super User Password: yugabyte
  • SQL Console
    • Username: admin
    • Password: passw0rd

These are fixed demo credentials baked into the containers. Do not reuse them outside the demo, and do not expose the demo ports beyond your local machine or Gitpod workspace.

Useful commands

```
Useful Commands
===============
bin/demo apps-start        - start app containers
bin/demo add-sample-data   - add sample data
bin/demo build-containers  - build containers
bin/demo help              - this screen
bin/demo dc                - run docker-compose commands
bin/demo infra-start       - start infra containers
bin/demo prepare           - prepare for demo: pull images for running demo
bin/demo sample-data-clear - clear sample data
bin/demo sample-data-show  - show sample data
bin/demo sample-data-add   - add sample data
bin/demo start             - start infra and apps
bin/demo stop              - stop demo containers
bin/demo vault-shell       - vault shell
bin/demo watch             - look at container logs
bin/demo ysqlsh            - start the YSQLSH shell
bin/demo yugabtyedb-shell  - yugabytedb shell
```

Reference