Where should I store Vault's Unseal Key and Root Token?
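Where should I store HashiCorp Vault's unseal keys and root token?
Vault will be used by different members of the team.
In best-practice usage, you would not store the root token; it should be revoked once you are done with it.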
Root tokens are useful in development but should be extremely
carefully guarded in production.
In fact, the Vault team recommends
that root tokens are only used for just enough initial setup (usually,
setting up auth methods and policies necessary to allow administrators
to acquire more limited tokens) or in emergencies, and are revoked
immediately after they are no longer needed.
If a new root token is
needed, the operator generate-root command and associated API endpoint
can be used to generate one on-the-fly.
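The unseal keys should be distributed to trusted people, with nobody having access to more than one of them.
This requires more than one person to restart Vault or to gain root access to it.
The documentation doesn't suggest any good hiding place for individual unseal keys that I can find; I'd suggest wherever you normally store passwords, i.e. a password manager.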