CoursesAdvanced secrets managementOperations, detection & response

Audit, tamper-evidence, break-glass & DR

Audit devices, HMAC log integrity, recovery keys, and the DR drill.

Expert35 min · lesson 15 of 15

The last mile of a secrets platform is proving what happened and surviving disaster. Auditors ask "who could read this, who did, and can you prove the record was not altered?" Incident responders ask "can we get back to a known-good state if the whole cluster is lost?" Both come down to trustworthy audit logs, a tested break-glass path, and a rehearsed disaster-recovery drill. A secrets manager you cannot audit or recover is a liability wearing the costume of a control.

Audit devices and tamper-evidence

Vault’s audit devices log every request and response, and they do it in a way built for trust: sensitive values are HMAC-ed (hashed with a per-Vault key) so the log records that a secret was accessed and by whom without printing the secret itself — the log is safe to ship to a SIEM. Audit logging is also fail-closed by design: if Vault cannot write to at least one audit device, it stops serving requests rather than operate blind. That is the correct default for a system of record, even though it means you must run redundant audit sinks so a single log outage does not take Vault down.

terminal — audit to file + syslog, HMAC-ed
$ vault audit enable file file_path=/var/log/vault/audit.log
$ vault audit enable syslog tag="vault" facility="AUTH"
# a log line records the access without the secret (HMAC of the value):
{ "type":"response","auth":{"display_name":"oidc-alice","policies":["payments-read"]},
"request":{"operation":"read","path":"database/creds/payments-ro"},
"response":{"data":{"password":"hmac-sha256:5f2e..."}} }
# ship both sinks to a SIEM; two devices so one outage doesn’t fail-close Vault.

Guarantee integrity: the log must resist your own admins

An audit log an insider can quietly edit proves nothing. Make the record tamper-evident: forward audit events off-box in real time to append-only, access-controlled storage (a SIEM, an immutable bucket with object lock) so the copy of record is not on a host any Vault admin can reach; and monitor for the tells of tampering — gaps in the sequence, an audit device being disabled, log files truncated. The threat model here explicitly includes privileged insiders, so the integrity control has to live outside the trust boundary of the people it is auditing.

Break-glass and the disaster-recovery drill

Two emergencies need a rehearsed answer. Break-glass is "we need root right now": generate a temporary root token from a quorum of recovery-key holders (vault operator generate-root), use it under four-eyes observation, and revoke it the moment the emergency passes — root is a fire axe behind glass, not a tool on the desk. Disaster recovery is "the primary is gone": promote the DR-replica cluster, repoint clients, and verify secrets flow. Neither works if its first real execution is during the actual incident, so both must be drilled on a schedule until they are muscle memory.

The DR promotion drill (rehearse it)
1primary lost
region/cluster failure declared
2promote DR secondary
warm standby becomes primary
3repoint clients
DNS / config to new primary
4verify + audit
secrets flow; record the drill
The first promotion should be a Tuesday-afternoon drill, never a 3 a.m. surprise.
Recovery keys and backups are the actual crown jewels — protect and test both
Auto-unseal removes the unseal keys but recovery keys still exist, and whoever holds a quorum of them can generate root or unseal a restored backup — so they get split custody, tamper-evident storage, and a documented ceremony, exactly like Shamir shares. Take regular Raft snapshots, encrypt them, store them where they can never share a blast radius with the seal/recovery keys, and actually restore one into a scratch cluster on a schedule. An untested backup is a hope; a backup restored next to its unseal keys is a single point of total compromise.