Could you pls let me know is there any video you have made about “vault + GnuPG”

@@nibanazar1882 Hi Niba, I don't, but it should be straight forward to use GnuPG to initialize Vault. Take a look at this guide: www.vaultproject.io/docs/concepts/pgp-gpg-keybase#initializing-with-gnupg

Glad it was helpful!

You're welcome!

Thank you for the feedback, will do.

Thank you!

You can configure the time to live for the password. It really depends on the application but it's always good to have it short-lived maybe a week or so. However, the application needs to have the intelligence to reach out to vault and generate new credentials whenever it fails to connect to a database, for example

Thank you! Glad it helped.

It's possible via an external script but not a good practice. The root token needs to be revoked once an auth method with admin privileges is created.

@@TeKanAid thanks for the reply! I actually meant, how would it be rotating any token, I mean, for instance, token for accessing DB from APP? Because these tokens are also stealable, aren't they?

@@khazarhajiyev7710 that's the beauty of dynamic secrets. They have a time-to-live. Once it expires the token is useless. If the app once to access the DB again, it has to create a new dynamic secret with a new TTL

Thank you! I do go over encryption for mongodb in this video kzbin.info/www/bejne/pHfSnKqtlryhftk check it out. I don't have a video for Redis and Vault, I'll consider making one.

@@TeKanAid Can we also rotate the vault token periodically? If yes then how?

yes you can do that by calling the REST API or by using the Vault agent. The Vault agent takes care of auto-auth in your behalf so you don't need to embed that function into your app's code. Take a look at the documentation: www.vaultproject.io/docs/agent/autoauth. I also have a couple of videos on the vault agent: kzbin.info/www/bejne/roC2e4KJib-Ujqc

Thank you

In HashiCorp Vault, ensuring that only authorized applications can request new credentials revolves around authentication and access policies. Here’s a simple breakdown: Authentication: First off, each application or user that needs to access Vault must authenticate themselves. Vault supports various authentication methods like tokens, username/password, cloud identities, and more. When an app or a user authenticates, Vault issues a token. Think of this token like a session ID. It's proof that the app has logged in successfully. Access Policies: After authentication, access policies come into play. These are rules written in HashiCorp Configuration Language (HCL) that determine what an authenticated user or application can do. Policies are attached to the tokens. So, when an app gets its token after authentication, this token is linked with certain policies that dictate what the app can and cannot do in Vault. Dynamic Secrets: When an application requests dynamic secrets, Vault checks the token it presents. It looks at the policies attached to this token to see if the app has the necessary permissions to request these secrets. If the policies allow it, Vault then generates the dynamic secret (like a database credential). If not, the request is denied. Lease and Revocation: Dynamic secrets come with a lease. This means they're only valid for a certain period. Vault automatically invalidates these credentials after the lease expires. Additionally, Vault admins can manually revoke these credentials anytime if needed, adding an extra layer of control. Example Scenario: Let's say you have an app that needs to access a database. You'd set up Vault to: Authenticate your app (maybe using a specific role tied to your app's identity). Attach a policy to the app's token that permits it to access only specific paths in Vault where dynamic DB credentials are generated. When the app requests credentials, Vault checks the token, sees it has the right policies, and issues the credentials with a time-bound lease. hope this helps

Thanks, Senthil

You're welcome!

Hi, I have a couple of courses that go into the details of running Vault in production. You can find them at courses.tekanaid.com

The available database secrets engines are found here www.vaultproject.io/docs/secrets/databases for your use case, if you want to do dynamic secrets you could write a custom plugin as per www.vaultproject.io/docs/secrets/databases/custom you could also use the K/V secrets engine and write a script to automatically rotate these secrets. Here is the API doc for it www.vaultproject.io/api/secret/kv/kv-v2.html