New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Privilege separation for vault as a system service #122
Comments
This is a painful one in Go in general. See: golang/go#1435 |
That is rough. @armon, can you help me understand the implications of disabling mlock? |
Using However, if you disable swapping entirely (pretty standard practice for production servers), then the OS should never swap to disk anyways. |
Thank you for the explanation! |
Swapping to disk would be counter-productive to what Vault tries to accomplish? If Vault swaps, you risk writting data to persistent local storage that is not yet encrypted, or did I miss something? Saying that disabling swap on production server is "pretty standard" is kinda bold, don't you think? |
@MadsRC I agree, swapping is counter-productive, which is why we attempt to |
@armon, I think he meant it was bold to say disabling swap is common in production. It is.. but so is running swap in production (often as a bandaid). Either way.. I think it is fair to say if you want to run as non-root user, you must disable Thanks for putting up with my questions :) |
@ketzacoatl You could potentially be leaking secrets yes. There is very little data that is cleartext in memory, but anything that is currently in the request path being processed as well as the master encryption keys are necessarily in clear text. The majority of data is LRU caches of the physical backend, and all that data is still encrypted in memory. There is also the GC to consider, as previously decrypted data may be unused but still paged in. |
I think this can be closed when the website is next deployed. By default, vault server doesn't listen on privileged ports, and the next deploy of the website documentation will offer 3 approaches to avoiding swap leak in production (none of which require running vault as root). |
I'm just going to close this now, as it's already committed in master! |
This is in the docs committed in #268 but since this thread shows up in the google results, I wanted to note it here as well. if you're on linux, you can use setcap to work around this. See the docs |
Seeing the error message in 637549b, I wonder: if Vault requires
root
privs, is it feasible to implement privilege separation in Vault such that root privs are dropped when they are not needed?The text was updated successfully, but these errors were encountered: