Overview

The JFrog Platform integration with HashiCorp Vault enables you to configure an external vault connection to use as a centralized secret management tool for the keys used to sign packages. The integration supports multiple signing key types, such as GPG or RSA, used to sign packages or release bundles. This allows you to store in Vault the JFrog Platform signing keys that are used for package authentication in formats such as Debian, Opkg and YUM, or for signing JFrog Distribution Release Bundles. Vault integration provides you with capabilities such as:

  • Generate and manage the keys used to sign packages in a centralized tool, in line with the security and compliance policies established in your organization.
  • Rotate keys regularly, such as on a monthly or quarterly basis.
  • Maintain multiple secrets through a vault.

Supported Vaults

At the moment, JFrog supports HashiCorp Vault integration using the key/value engine (versions 1 and 2).

The HashiCorp Vault integration does not support HCP Vault.

How Does it Work?

As an administrator, you need to:

  • First set up HashiCorp Vault and create the relevant secrets, in this case the signing keys, and store them in the vault.
  • Configure the connection to the vault from the JFrog Platform using the REST API.
  • Provide the path and ID of the secrets for the relevant keys using the REST APIs, so that the JFrog Platform references the signing keys stored in the vault.

JFrog Subscription Levels

  • Cloud (SaaS): Enterprise with Security Pack, Enterprise+
  • Self-Hosted: Enterprise X, Enterprise+


Connecting HashiCorp Vault to the JFrog Platform

Connect the HashiCorp Vault you set up to the JFrog Platform by running the Vault Configuration REST API. The connection to the vault requires the following information:

  • URL: The base URL of the vault server.
  • Authentication: The authentication method used. For more information, see Hashicorp Vault Docs.
    • AppRole: Using a role ID and a secret ID.
    • TLS Certificate: Using a certificate and a private key.
    • Agent Auto-Auth: Using the vault agent running as a daemon.

      The Agent Auto-Auth method is only supported on Self-Hosted environments. 

  • Secret Engine (Mount): A mountable engine that stores or generates secrets in vault. Provide the following details:
    • Path: Secret engines are enabled at a "path" in vault; provide the path at which the engine is mounted.
    • Type: Vault supports several secret engines, each one with different capabilities. The supported secret engine types are KV-v1 and KV-v2.
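The mount path and engine type matter because KV-v1 and KV-v2 expose the same secret at different API paths and return it in different response shapes; a mismatch between the type configured on the JFrog side and the engine actually mounted is a common cause of failed key lookups. The following added example (not JFrog's or HashiCorp's code) shows the path difference, generates a read-only Vault policy for the identity the JFrog Platform authenticates as, and parses a read response for either engine version. The mount name `jfrog-signing`, the secret path `gpg/debian`, and the sample responses are constructed for illustration.

```python
import json
from typing import Any, Dict

# Constructed sample responses (not real Vault output). KV-v2 nests the
# pairs under data.data next to data.metadata; KV-v1 puts them in data.
KV_V2_RESPONSE: Dict[str, Any] = {
    "data": {
        "data": {
            "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n<constructed>\n-----END PGP PRIVATE KEY BLOCK-----",
            "passphrase": "constructed-passphrase",
        },
        "metadata": {"version": 3, "created_time": "2024-01-01T00:00:00Z"},
    }
}
KV_V1_RESPONSE: Dict[str, Any] = {
    "data": {
        "private_key": "-----BEGIN PGP PRIVATE KEY BLOCK-----\n<constructed>\n-----END PGP PRIVATE KEY BLOCK-----",
        "passphrase": "constructed-passphrase",
    }
}


def kv_read_path(mount: str, secret_path: str, kv_version: int) -> str:
    """Return the Vault API path a read of this secret goes to.

    KV-v1 reads directly under the mount; KV-v2 inserts a ``data/`` segment
    between the mount and the secret path (the CLI hides this, policies do not).
    """
    mount, secret_path = mount.strip("/"), secret_path.strip("/")
    if kv_version == 1:
        return f"{mount}/{secret_path}"
    if kv_version == 2:
        return f"{mount}/data/{secret_path}"
    raise ValueError(f"unsupported KV engine version: {kv_version}")


def read_only_policy(mount: str, secret_path: str, kv_version: int) -> str:
    """Least-privilege policy: only 'read' on the signing-key path.

    Bind this (and nothing broader) to the AppRole, TLS-certificate or agent
    identity that the JFrog Platform uses to fetch the key.
    """
    path = kv_read_path(mount, secret_path, kv_version)
    return f'path "{path}" {{\n  capabilities = ["read"]\n}}\n'


def extract_secret(response: Dict[str, Any], kv_version: int) -> Dict[str, str]:
    """Pull the key/value pairs out of a Vault read response.

    Raises ValueError when the response shape does not match the engine
    version, which is what a wrong 'Type' setting on the mount looks like.
    """
    data = response.get("data")
    if not isinstance(data, dict):
        raise ValueError("response has no data section")
    if kv_version == 1:
        pairs = data
    elif kv_version == 2:
        pairs = data.get("data")
        if not isinstance(pairs, dict):
            raise ValueError("KV-v2 response expected but no data.data present")
    else:
        raise ValueError(f"unsupported KV engine version: {kv_version}")
    if not all(isinstance(v, str) for v in pairs.values()):
        raise ValueError("nested values: engine version does not match response shape")
    return dict(pairs)


if __name__ == "__main__":
    for version in (1, 2):
        print(f"KV-v{version} read path: {kv_read_path('jfrog-signing', 'gpg/debian', version)}")
        print(read_only_policy("jfrog-signing", "gpg/debian", version))
    keys = extract_secret(KV_V2_RESPONSE, 2)
    print(json.dumps(sorted(keys), indent=2))
```

Write the policy with `vault policy write` and attach it to the role or certificate the JFrog Platform authenticates with; the `extract_secret` check reproduces the failure you see when a KV-v2 mount is registered as KV-v1 (the nested `data` dictionary is not a key string), so it is a useful guard in any script that validates the integration before keys are rotated.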

Retrieving Signing Keys from HashiCorp Vault

To retrieve the signing keys from HashiCorp Vault, use the following REST API commands to define the HashiCorp Vault key aliases. Using the REST API, the signing keys can be set inline, set as a reference to Vault, or deleted.

Artifactory GPG and RSA Signing Keys

Use the Create Key Pair REST API to point the JFrog Platform to the GPG and RSA signing keys stored in the vault.

Trusted Keys

Use the Upload and Propagate GPG Signing Keys for Distribution REST API to point the JFrog Platform to the GPG and RSA signing keys stored in the vault.

REST API Support

Vault integration can be done with the following REST API endpoints: