Vault Unseal Key
Bridgecrew Policy ID: BC_GIT_71
Checkov Check ID: CKV_SECRET_71
Severity: LOW
Description
When a Vault server is started, it starts in a sealed state. In this state, Vault is configured to know where and how to access the physical storage, but doesn't know how to decrypt any of it. Unsealing is the process of obtaining the plaintext root key necessary to read the decryption key to decrypt the data, allowing access to the Vault.
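This check flags an unseal key share that has been committed to a repository; a leaked share counts toward the threshold needed to unseal the server. The following heuristic scanner is an added example, not Checkov's own detector: it assumes a share looks like a base64-style token of 40 or more characters sitting on a line that mentions "unseal", and filters out low-entropy placeholders.

```python
import math
import re

# Assumption (not from the page): a leaked share is a long base64-like token
# on a line that also mentions unsealing. Checkov's real rules may differ.
KEYWORD = re.compile(r"unseal", re.IGNORECASE)
CANDIDATE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/=])")


def shannon_entropy(s: str) -> float:
    """Bits per character; 0.0 for a constant string like 'AAAA...'."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_unseal_keys(text: str, min_entropy: float = 3.5) -> list[tuple[int, str]]:
    """Return (line_number, token) for each suspected unseal key share.

    A line must mention "unseal" AND carry a high-entropy candidate token;
    the entropy floor drops obvious placeholders such as repeated letters.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not KEYWORD.search(line):
            continue
        for match in CANDIDATE.finditer(line):
            token = match.group(1)
            if shannon_entropy(token) >= min_entropy:
                hits.append((lineno, token))
    return hits


# Constructed sample file; the key values are made up and not real shares.
SAMPLE = """\
export VAULT_ADDR=https://vault.example.internal:8200
# ops runbook (bad practice: share committed alongside config)
VAULT_UNSEAL_KEY_1=VGhpc0lzTm90QVJlYWxVbnNlYWxLZXlTaGFyZTAwMDAx
VAULT_UNSEAL_KEY_2=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
unseal_threshold = 3
"""

if __name__ == "__main__":
    for lineno, token in find_unseal_keys(SAMPLE):
        # Report the location but only a prefix of the token, never the full secret.
        print(f"line {lineno}: possible unseal key share {token[:6]}...")
```

Only line 3 of the sample is reported: line 4 is a constant-character placeholder that fails the entropy floor, and line 5 has no long token.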
Fix - Buildtime
Vault
Step 1: Revoke the key
- Connect to Vault
- Run vault operator key revoke followed by the key number, such as vault operator key revoke 2
- Verify it was revoked with vault operator key status
Step 2: Monitor for abuse