Lessons
Start
Start learning
CodeGym /Courses /Module 5. Spring /Lecture 226: Protecting sensitive data: using Vault

Lecture 226: Protecting sensitive data: using Vault

Module 5. Spring
Level 23 , Lesson 5
Available

In this lecture we'll dive into protecting the "treasures" of our application: secrets, tokens, API keys and other sensitive data. Today we're talking about HashiCorp Vault!

Imagine: you accidentally pushed the database password to GitHub. Thirty minutes later your production went down — someone is mining cryptocurrency on your servers.

Now imagine you have:

  • 20 microservices
  • Each has its own passwords and keys
  • Three environments (dev, test, prod)
  • A team of 10 developers

How secrets are usually stored (and why that's bad)

Option 1: In code

String dbPassword = "super_secret_123"; // Please don't do this!

Sooner or later this will end up in Git. And then... see the story about cryptocurrency mining above.

Option 2: In configuration files

database:
password: another_secret_123 # Also not the best idea

Same problems as with code. Plus you need to somehow distribute these files to developers.

Option 3: In environment variables

export DB_PASSWORD=yet_another_secret

Better! But how do you manage a hundred variables across a dozen servers?

Java webinar

HashiCorp Vault to the rescue

Vault is like a safe for your secrets. But a smart one! Let's see what it can do:

  • Knows who opened the safe and when
  • Can automatically rotate keys and passwords
  • Works with different types of secrets
  • Integrates with Spring Boot (and beyond)

What Vault can do

1. Stores secrets centrally

  • No more .env files on every server
  • All secrets in one place
  • Access is strictly controlled

2. Generates temporary data


{
"db_credentials": {
"username": "app_1234",
"password": "temp_pass_5678",
"ttl": "1h"
}
}

In an hour these credentials will expire. Automatically!

3. Auditing

  • Who requested the database password?
  • When were the API keys last rotated?
  • Which service is using stale creds?

Integration with Spring Boot

Spring Boot + Vault = ♥️

It looks roughly like this: 


spring:
cloud:
vault:
host: vault.company.com
token: my-token
And now in code: 

@Value("${secret.db.password}")
private String dbPassword; // Magically fetched from Vault!

Main features of Vault

Vault offers a lot of features, here are some of them:

Feature Description
Dynamic generation Generation of temporary credentials for databases, APIs, and other services
Key management Storage and rotation of encryption keys
Secrets as a service Centralized store for sensitive data
Access policies Role-based access control
Audit Logs of secret access and operations

Vault supports various backend stores (both filesystems and cloud providers) for managing secrets.

Alternative solutions

Why Vault? Let's compare it with other popular solutions:

AWS Parameter Store

  • Works great in AWS
  • Free (almost)
  • But tied to Amazon

Apache ZooKeeper

  • Proven over time
  • Scales well
  • But complex to set up
  • And secrets aren't its primary job

Etcd

  • Kubernetes' favorite
  • Fast and reliable
  • But more suited for configurations than secrets

HashiCorp Vault

  • Built specifically for secrets
  • Works great anywhere
  • Handles dynamic secrets
  • Integrates with pretty much everything

Types of storage in Vault

Key-Value (KV)

  • Simple key-value store
  • Ideal for passwords and API keys
  • Supports versioning

Database

  • Dynamic DB credentials
  • Automatic password rotation
  • Supports PostgreSQL, MySQL, MongoDB and others

PKI

  • Generation of SSL/TLS certificates
  • Management of root and intermediate CAs
  • Automatic renewal

A bit more about integrating HashiCorp Vault with Spring

Spring Boot uses configurations set in application.properties or application.yml to connect to Vault. After connecting the app can load secrets as if they were regular properties.

Example usage:

  1. Secrets in Vault (for example, at path secret/data/myapp): 
    
{
    "data": {
        "username": "admin",
        "password": "s3cr3t"
    }
}
  2. Accessing secrets in Spring Boot: 
    
spring:
  cloud:
    vault:
      uri: http://localhost:8200
      token: my-root-token
      kv:
        enabled: true
        backend: secret
        default-context: myapp

    Secrets are now available in the application as properties username and password. For example, you can use them in @Value:

    
public class Credentials {

    @Value("${username}")
    private String username;

    @Value("${password}")
    private String password;

    // Getters, setters, or just a method for logic
}

What problems does Vault solve?

1. Security

  • Secrets aren't stored in code
  • Everyone gets only the data they need
  • All actions are logged

2. Automation

  • Automatic password rotation
  • Integration with CI/CD
  • API for everything

3. Scalability

  • Works with one service or thousands
  • Supports clustering
  • Integrates with clouds

What's next?

HashiCorp Vault is a powerful tool that lets you manage sensitive data as safely as possible. By setting it up in your application you won't just ensure reliable data protection, you'll also sleep better knowing that no API key will accidentally leak into your repo. In the next lecture we'll:

  • Install Vault
  • Set up integration with Spring Boot
  • Learn how to store and retrieve secrets
  • See it all in action
Comments
TO VIEW ALL COMMENTS OR TO MAKE A COMMENT,
GO TO FULL VERSION