Database Security

Restrict Access to Vault Database

Access to your Vault database should be limited to a minimum number of users. We also recommend disabling the "SA" account in the SQL instance containing Vault, as well as disabling mixed mode for the Vault database.

Use Windows Authentication to Access Vault Database

Windows Authentication uses the Kerberos security protocol and offers robust password policies. It is far more secure than standard SQL Server Authentication and is highly recommended for accessing your Vault database.

Restrict Access to Other Important Databases

The Vault database account should have access to the Vault database only, and no others. The most secure option is to host the Vault database on its own server, with its own dedicated SQL instance. If this option is impractical in your environment, pay close attention to the permissions on a shared SQL server to help mitigate risk. Access to other system databases, such as SQL master, should also be limited.

Separate Vault Database from Other, Less Secure Databases

The SQL instance containing Vault should not be shared with other databases with lower security requirements. Sharing a SQL server with less secure applications, to which many parties have access, risks exposure to vulnerabilities such as SQL injection.
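The recommendations above on the SA account, authentication mode, and shared instances can be verified with read-only catalog queries. The following T-SQL is an added example, not part of the original documentation or the vendor's tooling; the database name `Vault` is an assumption, so substitute the name used in your deployment.

```sql
-- Added audit example. [Vault] is an assumed database name; replace it with your own.
-- All statements are read-only and need VIEW ANY DEFINITION or sysadmin to see every row.

-- 1. Authentication mode of the instance: 1 = Windows Authentication only, 0 = mixed mode.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. State of the built-in SA login. SID 0x01 identifies it even if it was renamed.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- 3. SQL-authenticated logins that are still enabled, with their password policy flags.
SELECT name, create_date, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND name NOT LIKE '##%';          -- skip the internal ##MS_...## logins

-- 4. Members of sysadmin, who can read every database on the instance.
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 5. Other user databases sharing the instance with Vault.
--    database_id 1-4 are master, tempdb, model and msdb.
SELECT name, create_date
FROM sys.databases
WHERE database_id > 4
  AND name <> N'Vault';

-- 6. Principals allowed to connect to the Vault database, with the login behind each.
USE [Vault];
SELECT dp.name AS database_user, dp.type_desc, sp.name AS server_login
FROM sys.database_principals AS dp
JOIN sys.database_permissions AS perm
  ON perm.grantee_principal_id = dp.principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = dp.sid
WHERE perm.class = 0                 -- database-level permission
  AND perm.permission_name = 'CONNECT'
  AND perm.state IN ('G', 'W');      -- GRANT or GRANT WITH GRANT OPTION
```

A hardened instance returns 1 for query 1, `is_disabled = 1` for query 2, and short, explainable result sets for queries 3 through 6.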

Restrict Access to Backups

Access to database backups should be limited to a minimum number of users. We recommend protecting your backups with an approach similar to that of your production data.