Application Server Security
Encrypt Communication Using SSL/HTTPS
It is highly recommended that all communication between web browsers and your Vault server be encrypted and secured using the SSL/HTTPS protocol. Installing a third-party (CA-issued) domain certificate, or a self-signed SSL/HTTPS certificate, on your website is also recommended for maximum security.
Restrict Access to Vault File System
Access to your Vault directory should be limited to the minimum number of users. The file system contains the Vault encryption key and the database connection information, both of which are vital in disaster recovery situations.
Restrict Access to the Application Server
Users with login rights to the application server may be able to read plain-text passwords and other sensitive information by reading process memory. Access to the application server should be limited to the minimum number of users.
Application Pool Identity
The Vault application pool account does not need full rights to the entire system, only to the Vault files and services. As such, a more restricted account than "LocalSystem" or "NetworkService" can be used.
Encrypt Your Vault Encryption Key
Vault uses ASP.NET encryption to secure keys and other sensitive data. Your Vault encryption key and configuration files are encrypted upon installation and should be decrypted for troubleshooting purposes only.
You should create a backup of the plain text encryption key that was entered during installation of Vault. In a disaster recovery scenario, Vault may not be accessible without a backup of the key. It is not recommended that the backup be stored digitally. Instead, a physical copy should be created and stored in a secure location such as a safe.
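The following audit script is an added example, not part of the Vault documentation or product. It checks an IIS-hosted Vault instance against the points above: an HTTPS binding on the site, the application pool identity, broad NTFS permissions on the Vault directory, and whether the sensitive web.config sections are still encrypted. The site name, pool name, physical path and the use of ASP.NET protected configuration for web.config are assumptions; adjust them to your installation.

```powershell
# Added example (not from the Vault documentation): audit an IIS-hosted Vault
# instance against the hardening points above. Site, pool and path names are
# assumptions; adjust them to your installation. Run in an elevated session.
Import-Module WebAdministration

$SiteName  = 'Default Web Site'          # assumed IIS site hosting Vault
$AppPool   = 'Vault'                     # assumed application pool name
$VaultPath = 'C:\inetpub\wwwroot\Vault'  # assumed physical directory
$findings  = @()

# 1. HTTPS binding present? (Encrypt Communication Using SSL/HTTPS)
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    $findings += "No HTTPS binding on site '$SiteName'; browser traffic is unencrypted."
}

# 2. Application pool identity (Application Pool Identity)
$pool     = Get-Item "IIS:\AppPools\$AppPool"
$identity = $pool.processModel.identityType
if ($identity -in 'LocalSystem', 'NetworkService') {
    $findings += "App pool '$AppPool' runs as $identity; use a more restricted account."
}

# 3. NTFS ACL on the Vault directory (Restrict Access to Vault File System)
$broad = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
$acl   = Get-Acl -Path $VaultPath
foreach ($ace in $acl.Access) {
    if ($ace.IdentityReference.Value -in $broad -and $ace.AccessControlType -eq 'Allow') {
        $findings += "'$VaultPath' grants $($ace.FileSystemRights) to $($ace.IdentityReference)."
    }
}

# 4. Protected configuration (Encrypt Your Vault Encryption Key). Assumes the
# sensitive sections live in web.config and are protected with ASP.NET protected
# configuration, which marks an encrypted section with configProtectionProvider.
[xml]$cfg = Get-Content -Path (Join-Path $VaultPath 'web.config')
foreach ($section in 'appSettings', 'connectionStrings') {
    $node = $cfg.configuration.$section
    if ($node -and -not $node.configProtectionProvider) {
        $findings += "<$section> in web.config is in plain text; re-encrypt it after troubleshooting."
    }
}

if ($findings.Count -eq 0) { 'No findings.' } else { $findings }
```

A section decrypted for troubleshooting can be re-encrypted with the standard ASP.NET tool, e.g. aspnet_regiis.exe -pe connectionStrings -app /Vault (the virtual path is an assumption); the Vault installer may provide its own procedure, so check its documentation first.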
Review Activity and Permissions Logs
Check Vault's activity and permissions reports for login and permission failures and other unusual events. Periodically review who has access to the system, who has access to credentials, and what those with access are permitted to do within the system.