Comments (11)
@MadsRC I agree, swapping is counter-productive, which is why we attempt to mlock by default. In situations where that can't be done (no OS support, non-root user, etc.), you can disable swapping at the system level. I don't think disabling swap is particularly bold.
from vault.
@ketzacoatl You could potentially be leaking secrets yes. There is very little data that is cleartext in memory, but anything that is currently in the request path being processed as well as the master encryption keys are necessarily in clear text. The majority of data is LRU caches of the physical backend, and all that data is still encrypted in memory. There is also the GC to consider, as previously decrypted data may be unused but still paged in.
This is a painful one in Go in general. See: golang/go#1435
Basically there is no easy way to "setuid" down from root. The simplest way is to disable mlock and run at a lower privilege.
That is rough. @armon, can you help me understand the implications of disabling mlock?
Using mlock prevents pages from being swapped to disk, effectively "locking" virtual memory into physical memory. This requires root privilege to invoke (at the syscall level), so a non-root user must disable that feature.
However, if you disable swapping entirely (pretty standard practice for production servers), then the OS should never swap to disk anyway.
Thank you for the explanation!
Swapping to disk would be counter-productive to what Vault tries to accomplish? If Vault swaps, you risk writing data to persistent local storage that is not yet encrypted, or did I miss something?
Saying that disabling swap on a production server is "pretty standard" is kinda bold, don't you think?
I mean, it really depends on what you are running. In some cases swap actually gives slightly better performance, and in some cases what gives that little bit of extra performance actually decreases performance (with tiered storage).
@armon, I think he meant it was bold to say disabling swap is common in production. It is, but so is running swap in production (often as a band-aid).
Either way, I think it is fair to say if you want to run as a non-root user, you must disable mlock, but I would like to know: if swap is used, are we potentially leaking unencrypted secrets? Is Vault's memory more or less cleartext, or protected in some form?
Thanks for putting up with my questions :)
I think this can be closed when the website is next deployed. By default, vault server doesn't listen on privileged ports, and the next deploy of the website documentation will offer 3 approaches to avoiding swap leak in production (none of which require running vault as root).
I'm just going to close this now, as it's already committed in master!
This is in the docs committed in #268, but since this thread shows up in the Google results, I wanted to note it here as well: if you're on Linux, you can use setcap to work around this. See the docs.