Before we dive into the fun part of getting keys shared amongst cloud providers, there are a variety of tools required to get this tutorial working.

Tools and Setup

First, you'll need to download and install Vault, then get it up and running. You will also need to install cURL and OpenSSL; these usually come pre-installed with most Linux distributions, and are available via most package managers (apt, yum, brew, choco/scoop, etc.).

Our examples also use head and diff, which are part of the coreutils and diffutils packages under Ubuntu; you can either find a similar package for your OS or find a manual workaround for those portions. Next, install the AWS command line tools (CLI) and make sure you configure the CLI to connect to your account. The last step is to install and configure the Heroku CLI.

One last note — the Heroku feature to utilize keys from AWS requires a private or shield database plan, so please ensure your account has been configured accordingly.
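As an added preflight check (example code written for this post, not part of the original tutorial), the script below verifies that every tool listed above is on the PATH and, where the CLIs are installed, that Vault is reachable and the AWS and Heroku CLIs are actually configured. The tool names come from the setup steps above; the account checks use `vault status`, `aws sts get-caller-identity` and `heroku auth:whoami`, and the `PREFLIGHT_SOURCE_ONLY` variable is an assumed convenience for loading the functions without running them.

```shell
#!/bin/sh
# Preflight check for the tutorial prerequisites (added example, not from the post).

# Every command-line tool the tutorial relies on.
REQUIRED_TOOLS="vault curl openssl head diff aws heroku"

# check_tool NAME: return 0 if NAME is on PATH, 1 otherwise.
check_tool() {
    command -v "$1" >/dev/null 2>&1
}

# missing_tools: print each name from REQUIRED_TOOLS that is not installed,
# one per line, and return 1 if any are missing (0 if all are present).
missing_tools() {
    rc=0
    for tool in $REQUIRED_TOOLS; do
        check_tool "$tool" || { echo "$tool"; rc=1; }
    done
    return $rc
}

# check_accounts: confirm the CLIs are configured, not just installed.
# Prints one ok/FAIL line per service and returns 1 if any check fails.
check_accounts() {
    rc=0
    if check_tool vault; then   # needs VAULT_ADDR pointing at a running server
        vault status >/dev/null 2>&1 && echo "vault: ok" \
            || { echo "vault: FAIL (set VAULT_ADDR, start the server)"; rc=1; }
    fi
    if check_tool aws; then     # STS call only succeeds with working credentials
        aws sts get-caller-identity >/dev/null 2>&1 && echo "aws: ok" \
            || { echo "aws: FAIL (run 'aws configure')"; rc=1; }
    fi
    if check_tool heroku; then  # whoami only succeeds when logged in
        heroku auth:whoami >/dev/null 2>&1 && echo "heroku: ok" \
            || { echo "heroku: FAIL (run 'heroku login')"; rc=1; }
    fi
    return $rc
}

main() {
    if missing=$(missing_tools); then
        echo "all required tools found: $REQUIRED_TOOLS"
    else
        echo "missing tools:"; echo "$missing" | sed 's/^/  - /'; return 1
    fi
    check_accounts
}

# Run when executed directly; set PREFLIGHT_SOURCE_ONLY=1 to only load functions.
[ -n "${PREFLIGHT_SOURCE_ONLY:-}" ] || main "$@" || echo "preflight: FAILED" >&2
```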

Intro

In today's hyperconnected world, the traditional approach of locking services behind Virtual Private Networks (VPNs) or within a demilitarized zone (DMZ) is no longer secure. Instead, we must operate on a zero-trust network model, where every actor must be assumed to be malicious. This means that a focus on encryption, both at rest and in transit, along with identity and access management is critical to ensuring that systems can interact with each other securely.

One of the most important parts of the encryption process is the keys used to encrypt and decrypt information or used to validate identity. A recent approach to this need is called Bring Your Own Key (BYOK) — where you as the customer/end user own and manage your key, and provide it to third parties (notably cloud providers) for usage. However, before we dig into what BYOK is and how we can best leverage it, let’s have a quick recap on key management.


Sharing Your (Encryption) Keys Across Multi/Hybrid Clouds