In modern applications, keeping sensitive data such as API keys and database passwords confidential is critical. Such data must be kept in secure storage and be accessible only to authorized users. Vault is an open source tool developed by HashiCorp. It provides secure storage and dynamic access control, and is the best choice for storing sensitive information.
This article discusses how to use Vault's secret storage from Go: how to access the Vault API and how to use Vault to manage your application's sensitive information securely and conveniently.
First you need to install Vault and start the Vault server. You can download the binary for your operating system from the official Vault website. Before installation, confirm that backend storage such as Consul or etcd has been installed. Next, start the Vault server using the following command:
$ vault server -dev
This will start the Vault server in development/test mode. In this mode Vault keeps its data in memory and unencrypted, so it is for development and testing only. In a production environment, you need to start the Vault server and backend storage with a secure configuration.
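Once the Vault server is started, we need to set up a place in Vault for storing sensitive information. First, a new secret engine needs to be created. The Go code later in this article reads the secret through the path secret/data/jwt, which is the layout used by version 2 of the KV engine, so enable that version:
$ vault secrets enable -path=secret kv-v2
This will create a secret engine at the path "secret" on the Vault server and set its type to version 2 "kv". A server started with -dev already mounts a version 2 KV engine at secret/, so there the command reports that the path is already in use and the step can be skipped. You can use vault secrets list to view all secret engines on the Vault server.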
Next, sensitive data needs to be stored in Vault. In this example, we will store the signing key for JWT (JSON Web Token). Data can be written to Vault using the vault kv put command as follows:
$ vault kv put secret/jwt secretkey=shhhnotsosecret
The above command stores a secret at the path secret/jwt containing one key/value pair: the key "secretkey" with the value "shhhnotsosecret".
Now that Vault has been configured, we need to use the Vault API in Go to read sensitive information.
First you need to install the Vault client API. The Vault client API can be installed using the following command.
$ go get github.com/hashicorp/vault/api
Next, you need to create a new Vault client. A Vault client can be created using the following code:
import (
	"github.com/hashicorp/vault/api"
)

// Inside your function:
config := api.DefaultConfig()
config.Address = "http://127.0.0.1:8200" // address of the local dev server
client, err := api.NewClient(config)
if err != nil {
	// handle error
}
The above code will create a new Vault client and configure it to communicate with the Vault server running on localhost. The client takes its token from the VAULT_TOKEN environment variable if it is set; otherwise supply one with client.SetToken before reading.
Next, the key needs to be read from the Vault storage area. The key can be obtained from the Vault store using the following code:
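secret, err := client.Logical().Read("secret/data/jwt")
if err != nil {
	// handle error
}
if secret == nil {
	// nothing is stored at this path; treat it as an error
}
The above code reads the secret stored for the JWT key. If the read is successful, it returns an *api.Secret whose Data field is a map[string]interface{} containing the data. Read returns a nil secret together with a nil error when nothing exists at the path, so check for both.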
Finally, we can get the key from Vault's key store using the following code:
key := secret.Data["data"].(map[string]interface{})["secretkey"].(string)
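The above code extracts the signing key from the secret. A version 2 KV response nests the stored key/value pairs under an inner "data" key, which is why two lookups are needed. The unchecked type assertions panic if either lookup finds nothing, so production code should use the two-value form of the assertion and treat a missing key as an error.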
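As an added example (not code from the original article), the same read done with only the Go standard library shows what the client library sends: a GET to /v1/secret/data/jwt carrying the token in the X-Vault-Token header, and a response whose pairs sit under data.data. The names ReadKVv2Field and FakeVault are hypothetical, and the test server and token are constructed so the program runs offline.

```go
package main
// Added example: ReadKVv2Field and FakeVault are hypothetical names, not Vault APIs.
import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ReadKVv2Field reads one string field of a KV v2 secret over the HTTP API.
func ReadKVv2Field(addr, token, mount, path, field string) (string, error) {
	req, err := http.NewRequest(http.MethodGet, addr+"/v1/"+mount+"/data/"+path, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { // e.g. 403 bad token, 404 no such secret
		return "", fmt.Errorf("vault: HTTP %d reading %s/%s", resp.StatusCode, mount, path)
	}
	var body struct{ Data struct{ Data map[string]interface{} } } // pairs are under data.data
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", err
	}
	value, ok := body.Data.Data[field].(string) // two-value form: no panic if absent
	if !ok {
		return "", fmt.Errorf("vault: field %q missing or not a string", field)
	}
	return value, nil
}

// FakeVault is a constructed stand-in for the dev server; it denies anything unexpected.
func FakeVault(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path != "/v1/secret/data/jwt" || r.Header.Get("X-Vault-Token") != token {
			http.Error(w, "permission denied", http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"data":{"data":{"secretkey":"shhhnotsosecret"},"metadata":{"version":1}}}`)
	}))
}

func main() {
	srv := FakeVault("constructed-token")
	_, err := ReadKVv2Field(srv.URL, "constructed-token", "secret", "jwt", "secretkey")
	fmt.Println("read ok:", err == nil) // report success; never log the key itself
}
```

Every failure path returns an error rather than an empty string, so a caller can never end up signing tokens with an empty key.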
Vault is an open source tool that provides secure storage and dynamic access control. It is the best choice for storing sensitive information. Using Vault's secret storage from Go is very easy: you only need to install the Vault server, configure it, and create a Vault client to manage sensitive data in Vault. In this way, you ensure that sensitive data is protected and only authorized users can access it.