Spring Security
Spring Vault integrates with Spring Security by providing implementations of Spring Security's BytesKeyGenerator and BytesEncryptor interfaces. Both implementations use Vault's transit backend: random bytes are fetched from Vault, and encryption and decryption are performed by Vault under a named transit key, so the key material itself never leaves Vault.
VaultBytesKeyGenerator

Example:

```java
import org.springframework.vault.core.VaultOperations;
import org.springframework.vault.security.VaultBytesKeyGenerator;

VaultOperations operations = …;

// Obtains random bytes from Vault's transit backend (default length: 32 bytes).
VaultBytesKeyGenerator generator = new VaultBytesKeyGenerator(operations);
byte[] key = generator.generateKey();
```
VaultBytesEncryptor

Example:

```java
import org.springframework.vault.core.VaultTransitOperations;
import org.springframework.vault.security.VaultBytesEncryptor;

VaultTransitOperations transit = …;

// Encrypts and decrypts through the transit key "my-key-name"; the key never leaves Vault.
VaultBytesEncryptor encryptor = new VaultBytesEncryptor(transit, "my-key-name");
byte[] ciphertext = encryptor.encrypt(plaintext);
byte[] result = encryptor.decrypt(ciphertext);
```
Vault encapsulates an entropy source that is decoupled from your JVM, along with server-side key management. This shifts the burden of getting encryption and decryption right from application developers to the operators of Vault, who are commonly an organization's security team and are therefore in a position to ensure that data is encrypted and decrypted properly. Additionally, because every encrypt and decrypt request passes through Vault's audit log (provided an audit device is enabled), each decryption event is recorded.
The transit backend also supports key rotation, which generates a new version of a named key. All data encrypted after the rotation uses the newest version; previously encrypted data can still be decrypted with the older versions, because each ciphertext carries the version that produced it in its prefix (for example vault:v1:…). Administrators control which older versions remain usable for decryption (the key's minimum decryption version), so that an attacker who obtains an old copy of a ciphertext can no longer have it decrypted. Raising that floor also rejects legitimate old ciphertext, so rewrap data you still need under the newest version before retiring older ones.
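The rotation and version-retirement flow described above, written out as an added example against VaultTransitOperations (this is not code from the Spring Vault reference or project; the endpoint, the dev token "root", the helper class name and the keyVersion helper are assumptions for illustration, and the key name "my-key-name" is the one used on this page):

```java
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.TokenAuthentication;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.core.VaultTransitOperations;
import org.springframework.vault.support.VaultTransitKey;
import org.springframework.vault.support.VaultTransitKeyConfiguration;

public class TransitRotationExample {

    // Transit ciphertext is "vault:v<N>:<base64>"; extract <N> so callers can
    // see which key version protects a given blob. (Helper assumed for this example.)
    static int keyVersion(String ciphertext) {
        String[] parts = ciphertext.split(":", 3);
        if (parts.length != 3 || !parts[0].equals("vault") || !parts[1].startsWith("v")) {
            throw new IllegalArgumentException("not a transit ciphertext: " + ciphertext);
        }
        return Integer.parseInt(parts[1].substring(1));
    }

    public static void main(String[] args) {
        // Assumed: a local dev-mode Vault with a root token and the transit backend
        // enabled at its default path ("vault secrets enable transit").
        VaultTemplate template = new VaultTemplate(
                VaultEndpoint.create("localhost", 8200),
                new TokenAuthentication("root"));
        VaultTransitOperations transit = template.opsForTransit();

        String keyName = "my-key-name";
        if (!transit.getKeys().contains(keyName)) {
            transit.createKey(keyName);
        }

        // Encrypt under the current version, then rotate: the key's latest
        // version advances and new ciphertext is produced with it.
        String oldCiphertext = transit.encrypt(keyName, "top secret");
        int before = keyVersion(oldCiphertext);

        transit.rotate(keyName);
        VaultTransitKey key = transit.getKey(keyName);
        int latest = key.getLatestVersion();
        String newCiphertext = transit.encrypt(keyName, "top secret");
        System.out.println("old ciphertext v" + before + ", new ciphertext v"
                + keyVersion(newCiphertext) + ", latest key version " + latest);

        // Old ciphertext still decrypts: Vault selects the version from the prefix.
        System.out.println("old still readable: " + transit.decrypt(keyName, oldCiphertext));

        // Rewrap the data you still need under the newest version BEFORE raising
        // the decryption floor; rewrap never exposes the plaintext to the client.
        String rewrapped = transit.rewrap(keyName, oldCiphertext);

        // Retire every version below the latest for decryption.
        transit.configureKey(keyName, VaultTransitKeyConfiguration.builder()
                .minDecryptionVersion(latest)
                .build());

        // An attacker holding the old ciphertext can no longer have it decrypted...
        try {
            transit.decrypt(keyName, oldCiphertext);
            System.out.println("unexpected: old ciphertext still decrypts");
        } catch (VaultException e) {
            System.out.println("v" + before + " ciphertext rejected: " + e.getMessage());
        }
        // ...while the rewrapped copy remains readable.
        System.out.println("rewrapped readable: " + transit.decrypt(keyName, rewrapped));
    }
}
```

The order matters: rewrap first, raise min_decryption_version second. Doing it the other way round leaves you with ciphertext that nobody, including your own application, can decrypt.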
Vault is, after all, a networked service, and every operation costs a round trip. Components that encrypt or generate random bytes heavily may see noticeably lower throughput and higher latency than with in-JVM primitives.