Seed and certificate storage

warning

Using Ledger Authentication Module to authenticate via API will be supported until Q3 2024, if you are starting a new setup, we recommend using the new API User methods

Overview

  • To securely store the users' seeds used by LAM, we suggest you integrate HashiCorp Vault to benefit from authentication back-ends and encrypted-at-rest seeds.
  • Hashicorp Vault is an open-source secret management tool specifically designed to control access to sensitive credentials, such as the seeds and certificates stored on LAM.
  • By default, seeds are stored in a file readable by LAM. This means that the security of the authentication to the LAM depends on the network access policy and administration rights of the machine running LAM. Using HashiCorp Vault allows you to encrypt your seeds at rest, segregate their access, and enforce a layer of authentication to access them.
Default file system HashiCorp Vault
Authentication method Certificate and user seeds stored in clear on LAM Certificate and user seeds encrypted on LAM
Login policy No login policy implemented at the machine access level by default Comprehensive login policies
Storage Single Authorization Key for all LAM Operators Different access token per LAM Operator
  • HashiCorp Vault also provides a framework to integrate with third-party authentication providers (such as OIDC) and allows defining complex access policies.
  • For more information or additional support, refer to the Hashicorp Vault documentation.

Glossary

Term Definition
OIDC Simple identity layer on top of the OAuth 2.0 protocol
userpass Username and password

Data flow

The following diagrams show how information flows between LAM and HashiCorp Vault.

hashicorp vault

not hashicorp

Before you begin

You must have:

  • Onboarded your Ledger Vault workspace.
  • Acquired sufficient knowledge on the functioning of HashiCorp Vault using their documentation .
  • Configured HashiCorp Vault properly and run it on the client’s infrastructure.
  • Read this article and ensured you adjust the scripts to fit production needs.

Instructions

Set up HashiCorp to authenticate with:

warning

Since a X-Ledger-API-User is mandatory, the first API User cannot be created via the HashiCorp Vault - only subsequent API users.

Copyright Β© Ledger Enterprise Platform 2023. All right reserved.