Vault Security

[lbauer]

Vault authenticates connections from clients using user information stored on the server (a valid username and matching password are used). Optionally, the Vault server can be configured to use Active Directory for authentication. A user must authenticate before performing any SOAP operations which would reveal repository information (folder structure, file contents, etc.).

Vault clients communicate with the Vault server using SOAP, which is a remote procedure call technology using XML over HTTP. If you configure IIS to use unencrypted HTTP, all of the XML that Vault sends to the server will be unencrypted. Vault does not send passwords in the clear; passwords are hashed for greater security.

The file contents sent between the Vault client and server are in a compressed delta format, which describes only the changes between the client and server's existing files (for efficiency). This information isn't very easy to decode, but it will not be encrypted if IIS is not configured for SSL. You will need to configure IIS to support SSL, and preferably only accept connections on the HTTPS port, if you want your communications between the Vault client and server encrypted.

A note about SSL certificates: you don't have to buy one from a certificate vendor. Instead, you can install certificate authority software on one of your computers and sign the requests that IIS generates yourself. Microsoft provides free certificate tools for many versions of Windows to do this (usually only server versions of Windows are supported). This article describes PKI setup in Windows Server 2003.