Using Hashicorp Vault with ColdFusion
By Pete Freitag
Hashicorp Vault is an open source, enterprise-grade secrets manager. It is designed to grant controlled, audited access to the secrets it stores, and it can also act as an encryption-as-a-service API. Vault is very powerful, and there are lots of resources and videos describing how it works.
Using Vault is something that I often cover in my ColdFusion security training course; here I'd like to give a minimal example of how you can use Vault from your ColdFusion or CFML / Lucee applications.
Start a vault server
To keep things simple, for this example we will just run Vault locally in dev mode. Dev mode keeps everything in memory, starts already unsealed, listens on plain HTTP, and prints a root token to the console, which makes it handy for experiments and unsuitable for anything else. After you have downloaded the vault binary, start a dev mode server like this:
vault server -dev
Use the vault CLI to store a secret
Now that we have a vault dev server running, we can store a secret in it. First we have to set an environment variable to tell the vault CLI where the server is located, in our case vault started the server on port 8200:
export VAULT_ADDR='http://127.0.0.1:8200'
The export command works on Linux and macOS; if you are running Vault on Windows, set the variable with the set command in the same Command Prompt session, or set it as a system environment variable and open a new Command Prompt.
Now that vault knows where the server is, we can use the vault key value store to store (or PUT) a secret:
vault kv put secret/hello first=pete last=freitag
Our secret is now stored in Vault (in dev mode that means in memory only; it is gone when the server stops). To test that we really stored it, we can retrieve it from the command line like this:
vault kv get secret/hello
You'll see some metadata as well as your secret values output.
Creating a vault token
The CLI commands above worked without our supplying a token only because the dev server saves its root token in the CLI's token helper (~/.vault-token). Vault still requires a token on every authenticated request, and our ColdFusion code has no token helper, so in a production configuration (and in this example) it needs a VAULT_TOKEN of its own. Let's create one to use in our code:
vault token create
Copy the token that is output and store it in an environment variable named VAULT_TOKEN, the same way we set VAULT_ADDR. Two caveats. First, a token created this way inherits the policies of the token that created it, so a child of the dev-mode root token is itself a root token; for a real deployment, write a policy that grants only read on the secret's path and create the token with that policy and a limited TTL (the -policy and -ttl options of vault token create). Second, because the CFML below reads these values from server.system.environment, they must be set in the environment of the ColdFusion process itself, not just in the shell you ran the CLI from.
Connecting to Vault from ColdFusion
Now that we have a vault server and a vault token, let's see if we can connect to Vault from our ColdFusion server. Here we're going to hit the /v1/sys/init endpoint to see if the server is initialized. Note that this endpoint answers without a token, so a successful response proves that ColdFusion can reach Vault, not that the token is valid; the secret read below is the real test of the token.
<cfhttp url="#server.system.environment.VAULT_ADDR#/v1/sys/init" method="GET" result="vaultResponse">
    <cfhttpparam type="header" name="X-Vault-Token" value="#server.system.environment.VAULT_TOKEN#">
</cfhttp>
If the vault server is initialized we should get a JSON response like this:
{"initialized":true}
If it is initialized, we can retrieve the secret we stored via the endpoint /v1/secret/data/hello (the /data/ segment is part of the KV version 2 API, which is what the dev server mounts at secret/):
<cfhttp url="#server.system.environment.VAULT_ADDR#/v1/secret/data/hello" method="GET" result="vaultResponse">
    <cfhttpparam type="header" name="X-Vault-Token" value="#server.system.environment.VAULT_TOKEN#">
</cfhttp>
Our response will be something like this:
{
  "request_id": "3b63b127-9cfe-c427-face-1a4d300d0fc4",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "first": "pete",
      "last": "freitag"
    },
    "metadata": {
      "created_time": "2021-01-29T14:53:36.574849Z",
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null
}
We can parse the response in CFML by calling deserializeJSON. Note that the key/value pairs sit one level deeper than you might expect, under data.data (the sibling data.metadata holds the version and timestamps), so the struct path is secrets.data.data.first, not secrets.data.first:

<cfset secrets = deserializeJSON(vaultResponse.fileContent)>
<cfoutput>
    First Name: #secrets.data.data.first#
    Last Name: #secrets.data.data.last#
</cfoutput>
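As an added example that is not from the original post, here is the same lookup pulled into cfscript functions, with the checks the tag code above leaves out: a non-2xx status is treated as an error instead of being parsed, the token is verified against the authenticated /v1/auth/token/lookup-self endpoint (unlike /v1/sys/init, which answers without a token), and the KV v2 nesting under data.data is handled in one place. It assumes the dev server's default KV v2 mount at secret/ and the VAULT_ADDR and VAULT_TOKEN variables set in the ColdFusion process's environment; the function names (vaultGet, vaultTokenPolicies, getKvSecret) are mine and use the standard http component available in ColdFusion and Lucee.

```cfml
<cfscript>
// Added example, not code from the original post. Assumes a KV v2 engine
// mounted at secret/ (the dev server default) and VAULT_ADDR / VAULT_TOKEN
// present in the ColdFusion process environment.

// Issue one authenticated GET to Vault and return the parsed JSON body.
// Any non-2xx status is raised as an error so a bad token (403) or a
// missing secret (404) is never mistaken for an empty secret.
function vaultGet(required string path) {
    var env = server.system.environment;
    if (!structKeyExists(env, "VAULT_ADDR") || !structKeyExists(env, "VAULT_TOKEN")) {
        throw(type="VaultError", message="VAULT_ADDR and VAULT_TOKEN must be set for the ColdFusion process");
    }
    var req = new http(url=env.VAULT_ADDR & path, method="GET", timeout=5);
    req.addParam(type="header", name="X-Vault-Token", value=env.VAULT_TOKEN);
    var res = req.send().getPrefix();

    // statusCode looks like "200 OK"; val() takes the numeric part.
    var status = val(res.statusCode);
    if (status < 200 || status > 299) {
        // Deliberately omit res.fileContent from the message: nothing that
        // comes back from a secrets store belongs in an error log.
        throw(type="VaultError", message="Vault returned HTTP " & status & " for " & path);
    }
    return deserializeJSON(res.fileContent);
}

// Confirm the token is valid and report which policies it carries.
// lookup-self requires a token, so a 200 here proves the token works,
// not merely that the server is reachable. A dev-mode root token (and
// any child created from it without -policy) reports ["root"].
function vaultTokenPolicies() {
    var info = vaultGet("/v1/auth/token/lookup-self");
    return info.data.policies;
}

// Read the current version of a KV v2 secret and return only the
// key/value pairs, which the KV v2 API nests under data.data.
function getKvSecret(required string name) {
    var res = vaultGet("/v1/secret/data/" & name);
    return res.data.data;
}

// Usage: verify the token, then read the secret stored with the CLI above.
writeOutput("Token policies: " & arrayToList(vaultTokenPolicies()) & "<br>");
secrets = getKvSecret("hello");
writeOutput("First Name: " & encodeForHTML(secrets.first) & "<br>");
writeOutput("Last Name: " & encodeForHTML(secrets.last));
</cfscript>
```

In a real application you would call getKvSecret once at startup (or on a timer) and keep the result in a server-side scope rather than calling Vault on every request, and you would give the ColdFusion process a token created with a read-only policy for secret/data/hello rather than a child of the root token.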
All of this is just scratching the surface of what Hashicorp Vault can do, but hopefully it helps you jumpstart your implementation.
Using Hashicorp Vault with ColdFusion was first published on January 29, 2021.