dsec Vault Migration: Decisions & Security

Gopass Integration

Note: You currently use gopass (v2/DOMUS/…) for some secrets. Consider:

  1. Keep gopass for interactive use - GUI-friendly, git-backed

  2. Use Vault for automation - dsec, scripts, CI/CD

  3. Sync gopass ↔ Vault - a script to keep both in sync

Or migrate gopass to Vault entirely using the same path structure.

Security Considerations

Vault Unseal Keys

  • Store unseal keys in gopass or in a separate secure location

  • Never store unseal keys in Vault itself

  • Consider auto-unseal with HSM or cloud KMS

Token Management

  • Use short-lived tokens where possible

  • Implement token renewal in dsec CLI

  • Audit token usage regularly

Network Security

  • Vault should only listen on localhost or private network

  • Use TLS for production (currently HTTP on localhost)

  • Add firewall rules that restrict access to the Vault listener

Backup Strategy

# Vault snapshot (includes all data)
vault operator raft snapshot save /backup/vault-$(date +%Y%m%d).snap

# Automate with systemd timer
# See: vault-backup.service (currently failing - needs fix)
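A backup script that the systemd unit above could run, added here as an example; it is not the project's own vault-backup.service code. It assumes (not stated on the page) that VAULT_ADDR and a VAULT_TOKEN limited to reading sys/storage/raft/snapshot are supplied via the unit's EnvironmentFile, that snapshots go to /backup, and that copies older than RETAIN_DAYS are pruned.

```shell
#!/bin/sh
# Added example (not from the original notes): the script a
# vault-backup.service could run. Assumptions not on the page: VAULT_ADDR
# and a VAULT_TOKEN limited to reading sys/storage/raft/snapshot come from
# the unit's EnvironmentFile; old snapshots are pruned after RETAIN_DAYS.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/backup}"
RETAIN_DAYS="${RETAIN_DAYS:-14}"

# Snapshot path for a YYYYMMDD date (default: today), matching the
# vault-$(date +%Y%m%d).snap naming used in the notes.
snapshot_path() {
    printf '%s/vault-%s.snap' "$BACKUP_DIR" "${1:-$(date +%Y%m%d)}"
}

# Remove snapshots older than RETAIN_DAYS and print how many were removed.
prune_snapshots() {
    count=$(find "$BACKUP_DIR" -maxdepth 1 -name 'vault-*.snap' \
                 -mtime +"$RETAIN_DAYS" | wc -l | tr -d ' ')
    find "$BACKUP_DIR" -maxdepth 1 -name 'vault-*.snap' \
         -mtime +"$RETAIN_DAYS" -exec rm -f -- {} +
    echo "$count"
}

# Take the snapshot, refuse to keep an empty one, record a checksum so a
# truncated or tampered backup is detectable, then prune old copies.
run_backup() {
    if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
        echo "VAULT_ADDR and VAULT_TOKEN must be set" >&2
        return 1
    fi
    out=$(snapshot_path)
    umask 077                      # a snapshot contains every secret in Vault
    vault operator raft snapshot save "$out"
    if [ ! -s "$out" ]; then
        echo "empty snapshot: $out" >&2
        rm -f -- "$out"
        return 1
    fi
    sha256sum "$out" > "$out.sha256"
    echo "saved $out, pruned $(prune_snapshots) old snapshot(s)"
}

# Invoke as: vault-backup.sh run   (only defines the functions otherwise)
if [ "${1:-}" = run ]; then
    run_backup
fi
```

The service's ExecStart can point at this script with `run`; the timer then only needs to trigger the service, and a non-zero exit marks the unit as failed so a silent bad backup does not go unnoticed.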