Skip to main content

Unseal Vault CE using Securosys Approver App

Vault utilizes Hardware Security Modules (HSM) to encrypt the unsealing key. Vault generates a decrypt request to the HSM when an approval policy is in place. This request is then sent to the Approval app. The Approver app utilizes a decrypting request to seal the process. The Approver app checks for any assigned tasks (decrypting requests) linked to the public key of the Approver app. While waiting for approval, Vault remains in a pending state, anticipating the response from the Approval app. Upon successful approval of the decrypting request, Vault proceeds with the next steps.

The Securosys Approver App can be found here.

seal "securosys-hsm" {
  key_label          = ""
  key_password       = ""
  tsb_api_endpoint   = "securosys_tsb_api_url"
  auth               = "TOKEN"
  bearer_token       = "tsb_api_token"
  check_every        = 5
  approval_timeout   = 200
  policy = <<EOF
  {
    "the_name_of_the_approver": "the_public_key_from_Securosys_approver_app"
  }
EOF
}

if key_label is not defined, then the Approver app will generate the key to HSM.

tip

To engage with the Approver App, it is necessary to modify your config.hcl file, adjusting both its policy and sealing fields as illustrated in the provided code snippet.

note

Upon initiating the HC Vault CE for the first time, you will receive the approval request on your Securosys Approver app. To initiate the vault, SSH into your Docker container and execute the command: vault operator init