1. AI Workflow Encryption Keys with Vault

    Python

    The goal of managing workflow encryption keys with Vault is to keep the keys that protect your application data inside a dedicated, access-controlled service instead of in application configuration, source code or environment variables. HashiCorp Vault is a tool for securing, storing and tightly controlling access to tokens, passwords, certificates, API keys and other secrets.

    To achieve this with Pulumi, you use Vault's transit secrets engine, which provides encryption as a service: an application sends plaintext to Vault and receives ciphertext back (and the reverse for decryption), so the key material never leaves Vault. The engine also manages the key lifecycle, including rotation to a new key version and rewrapping existing ciphertext under the newest version.

    In the sample Pulumi program below, we will enable a transit secrets engine and create a named key that can be used to encrypt and decrypt data.

    Here's a step-by-step explanation of the code:

    • We import Pulumi and the Vault provider (pulumi_vault).
    • We create a Mount of type transit, which enables a transit secrets engine at the chosen path.
    • We then create a transit.SecretBackendKey, which is a named encryption key inside that engine used for cryptographic operations.
    • Finally, we export the mount path and the name of the encryption key for reference.

    Let's take a look at the Pulumi Python program that performs these operations:

```python
import pulumi
import pulumi_vault as vault

# Enable a transit secrets engine at the path "transit".
transit_backend = vault.Mount(
    "transitBackend",
    path="transit",
    type="transit",
    description="Transit backend for encryption",
)

# Create a named key in that engine. Vault holds the key material;
# callers only ever see ciphertext.
transit_key = vault.transit.SecretBackendKey(
    "transitKey",
    backend=transit_backend.path,
    name="workflow-key",
    type="rsa-4096",        # Vault's default is aes256-gcm96; see the notes below
    deletion_allowed=True,  # otherwise Vault refuses to delete the key (and `pulumi destroy` fails)
    exportable=False,       # cannot be switched back off once enabled; keep False unless required
)

# Export the mount path and key name so callers know which encrypt/decrypt endpoints to use.
pulumi.export("transit_mount_path", transit_backend.path)
pulumi.export("transit_key_name", transit_key.name)
```

    In this code:

    • vault.Mount with type="transit" enables the transit secrets engine at path. A mount also accepts default_lease_ttl_seconds and max_lease_ttl_seconds, but transit does not issue leased secrets, so those settings have no effect on this engine and are omitted.
    • vault.transit.SecretBackendKey creates a named key inside that engine. type selects the key type; rsa-4096 is used here, but be aware that an RSA key in transit can only encrypt a single input of a few hundred bytes (the RSA-OAEP limit for a 4096-bit modulus) and is slow, so for bulk data the default aes256-gcm96 is the usual choice. deletion_allowed permits the key to be deleted later; without it Vault refuses deletion, which is the safe default for a key that still protects stored data. exportable controls whether the key material can be read out of Vault; it cannot be disabled again once enabled, so leave it False unless you genuinely need to move the key.
    • Convergent encryption (convergent_encryption=True, which also requires derived=True) is deliberately not enabled. It makes encryption deterministic, so equal plaintexts yield equal ciphertexts; that is useful when you must look records up by encrypted value, but it weakens confidentiality by revealing equality, and Vault only supports it for the symmetric key types (aes128-gcm96, aes256-gcm96, chacha20-poly1305), not for RSA keys.

    By running this Pulumi program, you create the required setup in Vault to manage encryption keys for your workflows. Applications then call the transit API at <mount path>/encrypt/<key name> and <mount path>/decrypt/<key name>, using the exported transit_key_name, with a Vault token whose policy grants only the update capability on exactly those paths. A compromised application can then encrypt and decrypt but can never read, export or delete the key.
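    Once the key exists, application code talks to the transit endpoints instead of handling key material. The client below is an added example, not code from the original page or from Pulumi or HashiCorp: it wraps the encrypt, decrypt, rewrap and rotate endpoints using only the standard library, parses the vault:vN: ciphertext prefix to see which key version protected a value, and walks through the rotation workflow (encrypt, rotate, rewrap the old ciphertext, decrypt). Because a live Vault is not available here, the transport argument is injectable and a constructed FakeTransit stands in for the server; it reproduces the API's request and response shapes and its key versioning, but its XOR transform is a placeholder and not encryption. The mount path transit and the key name workflow-key are assumptions.

```python
import base64
import hashlib
import json
import urllib.request


def ciphertext_version(ciphertext):
    """Return N from the "vault:vN:<base64>" form that transit ciphertexts use."""
    parts = ciphertext.split(":", 2)
    if len(parts) != 3 or parts[0] != "vault" or not parts[1].startswith("v"):
        raise ValueError("not a transit ciphertext: %r" % ciphertext)
    return int(parts[1][1:])


class TransitClient:
    """Transit encrypt/decrypt/rewrap/rotate over Vault's HTTP API; transport is injectable (see FakeTransit)."""

    def __init__(self, addr, token, mount="transit", transport=None):
        self.addr, self.token, self.mount = addr.rstrip("/"), token, mount
        self._post = transport or self._http_post

    def _http_post(self, path, body):
        req = urllib.request.Request(
            "%s/v1/%s" % (self.addr, path), data=json.dumps(body).encode(),
            headers={"X-Vault-Token": self.token, "Content-Type": "application/json"},
            method="POST")
        with urllib.request.urlopen(req, timeout=10) as resp:
            raw = resp.read()  # rotate may answer 204 with an empty body
        return json.loads(raw) if raw else {}

    def encrypt(self, key, plaintext):
        # Transit takes base64 so arbitrary bytes survive the JSON envelope.
        body = {"plaintext": base64.b64encode(plaintext).decode()}
        return self._post("%s/encrypt/%s" % (self.mount, key), body)["data"]["ciphertext"]

    def decrypt(self, key, ciphertext):
        out = self._post("%s/decrypt/%s" % (self.mount, key), {"ciphertext": ciphertext})
        return base64.b64decode(out["data"]["plaintext"])

    def rewrap(self, key, ciphertext):
        # Re-encrypts under the newest key version; the plaintext never leaves Vault.
        out = self._post("%s/rewrap/%s" % (self.mount, key), {"ciphertext": ciphertext})
        return out["data"]["ciphertext"]

    def rotate(self, key):
        self._post("%s/keys/%s/rotate" % (self.mount, key), {})


class FakeTransit:
    """In-memory stand-in for the transit API, constructed for this example. It mimics the
    request/response shapes and vault:vN: key versioning; the XOR below is NOT encryption."""

    def __init__(self, mount="transit"):
        self.mount, self.versions = mount, {}  # key name -> latest version

    def create(self, name):
        self.versions[name] = 1

    def _xor(self, name, version, data):
        # Deterministic filler stream per (key, version): a placeholder, not a cipher.
        seed = ("%s:v%d" % (name, version)).encode()
        ks = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))

    def _wrap(self, name, data):
        v = self.versions[name]
        return "vault:v%d:%s" % (v, base64.b64encode(self._xor(name, v, data)).decode())

    def _unwrap(self, name, ciphertext):
        v = ciphertext_version(ciphertext)
        if v > self.versions[name]:
            raise ValueError("unknown key version v%d" % v)
        return self._xor(name, v, base64.b64decode(ciphertext.split(":", 2)[2]))

    def __call__(self, path, body):
        mount, op, name = path.split("/")[:3]
        if mount != self.mount or name not in self.versions:
            raise KeyError(path)
        if op == "keys":  # transit/keys/<name>/rotate
            self.versions[name] += 1
            return {}
        if op == "encrypt":
            return {"data": {"ciphertext": self._wrap(name, base64.b64decode(body["plaintext"]))}}
        if op == "decrypt":
            return {"data": {"plaintext": base64.b64encode(self._unwrap(name, body["ciphertext"])).decode()}}
        if op == "rewrap":
            return {"data": {"ciphertext": self._wrap(name, self._unwrap(name, body["ciphertext"]))}}
        raise ValueError(op)


def rotation_roundtrip(client, key, plaintext):
    """Encrypt, rotate, rewrap, decrypt; returns (old_version, new_version, recovered)."""
    old = client.encrypt(key, plaintext)
    client.rotate(key)
    new = client.rewrap(key, old)
    return ciphertext_version(old), ciphertext_version(new), client.decrypt(key, new)


if __name__ == "__main__":
    fake = FakeTransit()
    fake.create("workflow-key")
    client = TransitClient("http://127.0.0.1:8200", "unused", transport=fake)
    print(rotation_roundtrip(client, "workflow-key", b"ssn=123-45-6789"))
```

    Against a real server, construct TransitClient with your VAULT_ADDR and VAULT_TOKEN values and no transport argument. The application token's policy needs the update capability on transit/encrypt/workflow-key, transit/decrypt/workflow-key and transit/rewrap/workflow-key only; rotation (transit/keys/workflow-key/rotate) is normally a separate, more privileged operation performed by an operator or automation, not by the application token. After a rotation, ciphertext from older versions still decrypts until you raise min_decryption_version on the key, and rewrapping lets you move stored data forward to the newest version without plaintext ever being returned to the caller.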

    Remember that managing keys and secrets should be done with a strong understanding of security principles and access control, especially when it comes to encryption that is essential for securing sensitive data.