1. AI Workflow Encryption Keys with Vault


    The goal of managing workflow encryption keys using Vault is to securely store and handle access to encryption keys that are essential for securing data within your applications or infrastructure. Vault by HashiCorp is a tool designed for securing, storing, and tightly controlling access to tokens, passwords, certificates, API keys, and other secrets in modern computing.

    To achieve this with Pulumi, you will make use of Vault's transit secrets engine which provides encryption as a service, generating data encryption keys that can be used to encrypt and decrypt data, manage the lifecycle of these keys, and more.

    In the sample Pulumi program below, we will create a Vault transit secrets engine and a key that can be used to encrypt and decrypt data.

    Here's a step-by-step explanation of the code:

    • We import Pulumi and the required Vault components.
    • We create a SecretBackend which initializes a transit secrets engine in Vault.
    • We then create a SecretBackendKey which is a named encryption key to perform cryptographic operations.
    • Finally, we export the name of the encryption key for reference.

    Let's take a look at the Pulumi Python program that performs these operations:

    import pulumi import pulumi_vault as vault # Initialize a new transit secrets engine for the Vault transit_backend = vault.TransitSecretBackend("transitBackend", description="Transit backend for encryption", default_lease_ttl_seconds=3600, max_lease_ttl_seconds=86400) # Create a named encryption/decryption key within the transit secrets engine transit_key = vault.TransitSecretBackendKey("transitKey", backend=transit_backend.path, deletion_allowed=True, exportable=True, type="rsa-4096", converge_encryption="true") # Export the name of the transit key so it can be used for encryption/decryption operations pulumi.export("transit_key_name", transit_key.name)

    In this code:

    • TransitSecretBackend initializes the transit secrets engine within Vault. We set both a default lease and maximum lease TTL for tokens and secrets issued under this backend.
    • TransitSecretBackendKey creates a new key within the transit backend. The type parameter indicates the type of encryption keys to generate; here we use RSA 4096-bit keys. You can choose other supported key types based on your need. Setting deletion_allowed allows for this key to be deleted from Vault later if it's no longer needed. exportable determines if the key is allowed to be exported from Vault. The converge_encryption will provide a single ciphertext for the same plaintext input, enhancing security for storage.

    By running this Pulumi program, you create the required setup in Vault to manage encryption keys for your workflows. You can call Vault's API to perform encrypt and decrypt operations using the transit_key_name.

    Remember that managing keys and secrets should be done with a strong understanding of security principles and access control, especially when it comes to encryption that is essential for securing sensitive data.