Introduction
When working with HashiCorp Vault support it is typically requested that Vault logs, configuration files and output from various commands be provided in order to facilitate the necessary troubleshooting and investigation. Some organisations may be restricted by various regulations in terms of what information may be shared outside of the organisation, thus the redaction of logs and outputs may be necessary.
It is important to remember that excessive redaction may render the information useless for troubleshooting and analysis. If server names, IP addresses, Cluster IDs, etc. are redacted so heavily that they are no longer distinguishable from one another, the individual servers, clusters, etc. can no longer be identified.
This article contains guidelines and suggestions on such redaction in order to streamline the process and ensure that sufficient information is still presented to HashiCorp Vault technical support engineers in a usable and understandable form, without disclosing internal, sensitive information.
Examples of Sensitive Information (this list is not exhaustive)
Vault Operational logs
- server names
- IP addresses
- On Vault startup, environment variables are logged in the Vault Operational log, e.g. proxy addresses
Vault .hcl/.yml Configuration File
- Raft Stanza - Server Names, IP Addresses
- Auto Unseal Stanza - HSM Pin, KMS Key Details, etc.
Vault SystemD Unit File
- Environment variables e.g. Proxy addresses, HSM Pin, etc.
Vault .env file (if used)
- Environment variables e.g. Proxy addresses, HSM Pin, etc.
Output from vault status
- Server names
- IP Addresses
- Cluster ID
Output from commands such as vault operator raft list-peers and vault operator members
- Server names
- IP Addresses
DR/PR Replication Status
- Server names
- IP Addresses
Vault Token Values
Unseal Keys
Recovery Keys
Preparation
Within your organisation, create a document for internal reference that records the redaction mapping, so that redaction is applied consistently.
Example document content and redaction mapping:
Vault DR/PR Primary Cluster:
Cluster ID: 38835a36-91a4-bc29-53b7-4931bcae2e0a = 38835a36-91a4-xxxx-xxxx-4931bcae2e0a
HSM Pin: 5246-8k04-m5gh = 5246-xxxx-m5gh
vault-0.svc.mysecretorgname.org [192.168.10.20] = green-0.org.org [xxx.xxx.x10.001]
vault-1.svc.mysecretorgname.org [192.168.10.25] = green-1.org.org [xxx.xxx.x10.002]
vault-2.svc.mysecretorgname.org [192.168.10.30] = green-2.org.org [xxx.xxx.x10.003]
Vault DR Secondary Cluster:
Cluster ID: 32542a36-91a4-bc29-53b7-4931befg4p0d = 32542a36-91a4-xxxx-xxxx-4931befg4p0d
HSM Pin: 78dm2-3kd1-qpla = 78dm2-xxxx-qpla
vault-0-dr.svc.mysecretorgname.org [192.168.20.20] = blue-0.org.org [xxx.xxx.x20.001]
vault-1-dr.svc.mysecretorgname.org [192.168.20.25] = blue-1.org.org [xxx.xxx.x20.002]
vault-2-dr.svc.mysecretorgname.org [192.168.20.30] = blue-2.org.org [xxx.xxx.x20.003]
Vault PR Secondary Cluster:
Cluster ID: 32539fk2-91a4-bc29-53b7-4931be0l58sd = 32539fk2-91a4-xxxx-xxxx-4931be0l58sd
HSM Pin: l29vd-098l-akdi = l29vd-xxxx-akdi
vault-0-pr.svc.mysecretorgname.org [192.168.30.20] = yellow-0.org.org [xxx.xxx.x30.001]
vault-1-pr.svc.mysecretorgname.org [192.168.30.25] = yellow-1.org.org [xxx.xxx.x30.002]
vault-2-pr.svc.mysecretorgname.org [192.168.30.30] = yellow-2.org.org [xxx.xxx.x30.003]
Methodology for Consistent Redaction
For Vault Operational logs, open the log files in a text editor such as Visual Studio Code or Notepad++. Use the search & replace function to consistently redact internal information such as server names, IP addresses, Cluster ID, etc., replacing each value with its mapped redacted equivalent as recorded in the redaction document described above.
For Vault command outputs, copy and paste the resultant output from the requested Vault commands into the text editor of choice and use the same search & replace methodology outlined in the above paragraph.
It is vitally important that the redaction mapping remains absolutely constant throughout the lifecycle of the ticket.
Once all sensitive information has been redacted in a consistent and accurate manner you may provide the information in the support ticket.
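As an added example (not part of this article or of any HashiCorp tooling), the search & replace step can be scripted so that the same mapping is applied identically to every log file and command output, with checks for values that slipped through; the mapping, hostnames, addresses and log lines below are constructed for illustration:

```python
import re

# Constructed mapping in the shape of the redaction document above; hostnames,
# addresses and the cluster id are illustrative and not from a real deployment.
REDACTION_MAP = {
    "38835a36-91a4-bc29-53b7-4931bcae2e0a": "38835a36-91a4-xxxx-xxxx-4931bcae2e0a",
    "vault-0.svc.mysecretorgname.org": "green-0.org.org",
    "192.168.10.20": "xxx.xxx.x10.001",
    "192.168.10.200": "xxx.xxx.x10.004",  # assumed extra host; its address starts with 192.168.10.20
    "vault-0-dr.svc.mysecretorgname.org": "blue-0.org.org",
    "192.168.20.20": "xxx.xxx.x20.001",
}

# Constructed log lines in the style of the Vault Operational log.
SAMPLE_LOG = """\
2024-01-01T10:00:00.000Z [INFO]  core: cluster id: 38835a36-91a4-bc29-53b7-4931bcae2e0a
2024-01-01T10:00:01.000Z [INFO]  storage.raft: peer added: vault-0.svc.mysecretorgname.org https://192.168.10.20:8201
2024-01-01T10:00:02.000Z [WARN]  core: DR secondary vault-0-dr.svc.mysecretorgname.org (192.168.20.20) unreachable
2024-01-01T10:00:03.000Z [INFO]  core: env: HTTPS_PROXY=http://192.168.10.200:3128
"""

IPV4_RE = re.compile(r"(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?![\w.])")


def redact_text(text, mapping):
    """Replace every original value with its mapped redaction in a single pass.
    Longest originals are tried first and a match must end at a non-word,
    non-hyphen character, so 192.168.10.20 is never substituted inside
    192.168.10.200 and the same input always yields the same output."""
    keys = sorted(mapping, key=len, reverse=True)
    pattern = re.compile(r"(?<![\w-])(?:" + "|".join(map(re.escape, keys)) + r")(?![\w-])")
    return pattern.sub(lambda m: mapping[m.group(0)], text)

def find_leaks(redacted, mapping):
    """Originals from the mapping that still appear verbatim after redaction."""
    return [orig for orig in mapping if orig in redacted]

def find_unmapped_ips(text):
    """IPv4 addresses left in the text, i.e. values missing from the mapping."""
    return IPV4_RE.findall(text)

def duplicate_replacements(mapping):
    """Redacted values reused for more than one original; these would make two
    servers indistinguishable to the support engineer."""
    counts = {}
    for repl in mapping.values():
        counts[repl] = counts.get(repl, 0) + 1
    return sorted(r for r, n in counts.items() if n > 1)
```

Run the same mapping over every file and command output for the ticket, and treat a non-empty result from any of the three check functions as a reason to extend the mapping before sharing anything.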
Other Considerations
Keep these redaction recommendations in mind if you ever submit a screenshot.
Edit the screenshots in a graphic editor of your choice and blur the sensitive, internal information. However, leave sufficient elements visible, following the redaction mapping examples above, so that accurate diagnostics can still be undertaken.
Outcome
Because the redaction standards have been applied consistently, the technical support engineer will be able to analyse the data effectively and carry out the necessary troubleshooting, without being able to identify confidential information internal to your organisation.
Additional Resources
Vault KB Article: Where are My Vault Logs and How do I Share Them with HashiCorp Support?
External Application: Visual Studio Code
External Application: Notepad++