Skip to content
DeepintShield DeepintShield

Vault Support

DeepIntShield’s vault support enables seamless integration with enterprise-grade secret management systems, allowing you to connect to existing vaults and automatically sync virtual keys and provider API keys directly onto the DeepIntShield platform.

Overview

Section titled “Overview”

The vault integration provides:

  • Automated Key Synchronization: Connect to your existing vault infrastructure and sync all API keys automatically
  • Periodic Key Management: Regular synchronization ensures deprecated and archived keys are properly managed
  • Multi-Vault Support: Compatible with HashiCorp Vault, AWS Secrets Manager, Google Secret Manager, and Azure Key Vault
  • Zero-Downtime Operations: Keys are synced without interrupting your running services

Supported Vault Systems

Section titled “Supported Vault Systems”

HashiCorp Vault

Section titled “HashiCorp Vault”

Connect to your HashiCorp Vault instance for centralized secret management.

{
  "vault": {
    "type": "hashicorp",
    "address": "https://vault.company.com:8200",
    "token": "${VAULT_TOKEN}",
    "mount": "secret",
    "sync_interval": "300s"
  }
}

AWS Secrets Manager

Section titled “AWS Secrets Manager”

Integrate with AWS Secrets Manager for cloud-native secret storage.

{
  "vault": {
    "type": "aws_secrets_manager",
    "region": "us-east-1",
    "access_key_id": "${AWS_ACCESS_KEY_ID}",
    "secret_access_key": "${AWS_SECRET_ACCESS_KEY}",
    "sync_interval": "300s"
  }
}

Google Secret Manager

Section titled “Google Secret Manager”

Use Google Cloud’s Secret Manager for secure key storage.

{
  "vault": {
    "type": "google_secret_manager",
    "project_id": "your-project-id",
    "credentials_file": "/path/to/service-account.json",
    "sync_interval": "300s"
  }
}

Azure Key Vault

Section titled “Azure Key Vault”

Connect to Azure Key Vault for Microsoft cloud environments.

{
  "vault": {
    "type": "azure_key_vault",
    "vault_url": "https://your-keyvault.vault.azure.net/",
    "client_id": "${AZURE_CLIENT_ID}",
    "client_secret": "${AZURE_CLIENT_SECRET}",
    "tenant_id": "${AZURE_TENANT_ID}",
    "sync_interval": "300s"
  }
}

Key Synchronization

Section titled “Key Synchronization”

Automatic Sync Process

Section titled “Automatic Sync Process”

DeepIntShield automatically synchronizes keys from your vault at regular intervals:

  1. Discovery: Scans the configured vault paths for API keys and virtual keys
  2. Validation: Verifies key format and accessibility
  3. Sync: Updates DeepIntShield’s internal key store with new and modified keys
  4. Deprecation: Identifies and archives keys that have been removed from the vault
  5. Notification: Logs sync status and any issues encountered

Sync Configuration

Section titled “Sync Configuration”

Configure synchronization behavior to match your operational requirements:

{
  "vault": {
    "sync_interval": "300s",
    "sync_paths": [
      "deepintshield/provider-keys/*",
      "deepintshield/virtual-keys/*"
    ],
    "auto_deprecate": true,
    "backup_deprecated_keys": true
  }
}

Configuration Options

Section titled “Configuration Options”
OptionDescriptionDefault
sync_intervalTime between sync operations300s
sync_pathsVault paths to monitor for keys["deepintshield/*"]
auto_deprecateAutomatically deprecate removed keystrue
backup_deprecated_keysBackup keys before deprecationtrue

Key Management Lifecycle

Section titled “Key Management Lifecycle”

Key States

Section titled “Key States”

Keys in DeepIntShield can have the following states:

  • Active: Currently in use and available for requests
  • Deprecated: Marked for removal but still functional
  • Archived: Removed from active use but retained for audit purposes
  • Expired: Keys that have exceeded their validity period

Deprecation Process

Section titled “Deprecation Process”

When keys are removed from the vault:

  1. Detection: Next sync cycle identifies missing keys
  2. Grace Period: Keys enter deprecated state with configurable grace period
  3. Notification: Administrators are notified of pending deprecation
  4. Archive: Keys are moved to archived state after grace period expires
{
  "vault": {
    "deprecation": {
      "grace_period": "24h",
      "notify_admins": true,
      "retain_archived": "90d"
    }
  }
}

Security Considerations

Section titled “Security Considerations”

Authentication

Section titled “Authentication”
  • Vault Tokens: Use time-limited tokens with minimal required permissions
  • IAM Roles: Leverage cloud provider IAM roles for secure authentication
  • Certificate-based Auth: Support for mutual TLS authentication where available

Encryption

Section titled “Encryption”
  • Transit Encryption: All communication with vault systems uses TLS
  • At-Rest Encryption: Keys are encrypted in DeepIntShield’s internal storage
  • Key Rotation: Automatic detection and handling of rotated vault credentials

Audit Trail

Section titled “Audit Trail”

Complete audit logging for all vault operations:

{
  "timestamp": "2024-01-15T10:30:00Z",
  "operation": "key_sync",
  "vault_type": "hashicorp",
  "keys_synced": 15,
  "keys_deprecated": 2,
  "status": "success"
}