Project:Infrastructure/Hashicorp

Vault
Vault stores secrets in a backend. The current backend is Consul. Vault needs to be unlocked with a master key. Currently the key is split using Shamir's Secret Sharing; all 5 pieces are in the secrets repo. Whenever Vault is restarted, we have to unseal it; this is currently a manual operation.


 * 1) TODO(antarus): Write procedure for this.
 * 2) Decrypt the master key by getting 3/5 SSS keys out of the secrets repo.
 * 3) Unseal with the master key.

Open discussion point one: If we adopt Vault for more operations, do we need to implement auto-unsealing? What questions should we be asking here?

Alec's Vault Questions
Basically, as long as Vault is not needed for user-facing services for some time period (e.g. if Vault is down we can serve users for at least 24h) then I'm happy with manual unsealing. I don't care if, say, we cannot monitor or deploy if Vault is closed... we can wait O(hours) to unseal.