Comprehensive Guide to Using HashiCorp Vault in a Spring Boot Environment


Comprehensive Guide to Using HashiCorp Vault in a Spring Boot Environment



In modern applications, managing sensitive data securely is crucial. HashiCorp Vault offers a robust solution for handling secrets, ensuring that sensitive data like API keys, database credentials, and tokens are stored and accessed securely. This article explores how to integrate Vault with a Spring Boot application in production using a SQL database backend. We'll cover both theory and practice, with examples of Java code and Vault configurations. 

Table of Contents


What is HashiCorp Vault?

HashiCorp Vault is an open-source tool designed to manage secrets and protect sensitive data. It provides centralized secret storage, access control, and audit logging. Vault integrates seamlessly with various cloud platforms, allowing it to secure sensitive data in both cloud-native and on-premise environments.

Vault's Role in Production with Spring Boot

In production, Vault ensures that secrets such as database credentials are managed dynamically, removing the need for hardcoded sensitive information in the application.

Benefits of HashiCorp Vault for Secret Management

  • Centralized Secret Storage: Prevents hardcoded secrets in code, reducing the attack surface.
  • Dynamic Credentials: Generates time-limited credentials, minimizing security risks.
  • Auditing and Compliance: Built-in audit logs help track access and meet regulatory requirements.

System Architecture Overview

Components of the Architecture

A typical Vault production setup with Spring Boot involves:

  • Spring Boot Application: The main Java-based microservices framework.
  • Vault Agent: Intermediary on the production server where Spring Boot runs, fetching secrets from the Vault Server.
  • Vault Server: Manages and stores secrets securely.
  • SQL Database: Backend that holds application data, requiring secure access through dynamic credentials.

Secrets Flow Diagram

The following steps illustrate how secrets are retrieved and used:

  1. Spring Boot requests credentials from the Vault Agent.
  2. The Vault Agent authenticates to the Vault Server and retrieves the required secrets.
  3. The credentials are securely injected into the application, which then connects to the SQL database.

Authentication and Security Risks

Credential Storage Risks

Storing usernames and passwords in plain text or configuration files can expose them to attackers, posing a significant security risk.

Mitigation Strategies

  • Avoid Static Credentials: Use dynamic credentials instead of hardcoded usernames and passwords.
  • AppRole Authentication: Vault’s AppRole method allows non-interactive authentication with dynamic tokens, improving security.
  • Secret Wrapping: Vault can wrap secrets in a time-limited token to securely pass credentials between systems.

Vault Agent and Secure Integration

Configuring Vault Agent for a Production Environment

In a production environment, the Vault Agent is deployed on the same server as the Spring Boot application, while the Vault Server resides on a separate machine. All communications between the Vault Agent, Vault Server, and the SQL Database are secured using TLS encryption.

Environments Setup Overview:

  • Vault Server (IP: 192.168.101.1): Manages secrets and provides them securely to authorized applications.
  • Vault Agent (IP: 192.168.101.2): Intermediary on the production server where Spring Boot runs, fetching secrets from the Vault Server.
  • SQL Database (IP: 192.168.101.3): Stores application data, accessed via credentials managed by Vault.
  • TLS Encryption: Secures communication between Vault components to ensure data privacy and integrity.

Environments Setup Overview
Environment overview


Vault Agent Configuration Example:

Here’s how you would configure the Vault Agent on the production server (192.168.101.2) to securely retrieve secrets from the Vault Server (192.168.101.1) over TLS.


auto_auth { method "approle" { mount_path = "auth/approle" config = { role_id_file_path = "/etc/vault/role_id" secret_id_file_path = "/etc/vault/secret_id" } } } cache { use_auto_auth_token = true } listener "tcp" { address = "0.0.0.0:8200" tls_cert_file = "/etc/vault-agent/certs/vault-agent.crt" tls_key_file = "/etc/vault-agent/certs/vault-agent.key" tls_client_ca_file = "/etc/vault-agent/certs/ca.crt" } vault { address = "https://192.168.101.1:8200" }

Spring Boot Integration in Production

The Spring Boot application running on 192.168.101.2 communicates with the Vault Agent to retrieve dynamic credentials securely.

Example: Application Properties for Vault Integration:


spring: cloud: vault: uri: https://127.0.0.1:8200 # Vault Agent local communication authentication: APPROLE token: ${VAULT_TOKEN}

Vault Configuration for Storing Secrets and HTTPS Setup





Storing Secrets for Spring Boot

To store secrets such as database credentials in Vault and retrieve them securely in a Spring Boot application, follow these steps:

Step 1: Enable KV Secrets Engine

vault secrets enable kv
 

Step 2: Store Secrets

vault kv put secret/myapp/db username="myuser" password="mypassword"

Step 3: Configuring Spring Boot to Retrieve Secrets

spring: cloud: vault: kv: enabled: true uri: https://192.168.101.1:8200 authentication: APPROLE token: ${VAULT_TOKEN} kv: backend: secret

Enabling HTTPS on Vault

To enable HTTPS and secure communication between Vault, Vault Agent, and Spring Boot, you need to configure Vault with SSL certificates.

Step 1: Generate SSL Certificates

openssl req -x509 -newkey rsa:4096 -keyout vault.key -out vault.crt -days 365 -nodes
 

Step 2: Configure Vault for HTTPS


listener "tcp" { address = "0.0.0.0:8200" tls_cert_file = "/etc/vault/vault.crt" tls_key_file = "/etc/vault/vault.key" } storage "file" { path = "/vault/data" }

Step 3: Start Vault with HTTPS


vault server -config=/etc/vault/config.hcl
 

Vault Configuration for the Transit Engine (Encryption and Decryption)

The Vault Transit Secrets Engine is designed for cryptographic operations like encrypting and decrypting data. Below are the steps to configure Vault to handle encryption and decryption using the my-encryption-key.

Step 1: Enable the Transit Secrets Engine

To enable the Transit Secrets Engine, you’ll use the Vault CLI. This engine is responsible for managing encryption keys and performing cryptographic operations like encrypting and decrypting data.

vault secrets enable transit
 

This command enables the Transit Secrets Engine at the default path, transit/. If you want to enable it at a custom path, you can specify that with the -path flag, but for simplicity, we’ll stick with the default.

Step 2: Create an Encryption Key

After enabling the Transit engine, the next step is to create an encryption key named my-encryption-key. This key will be used by the Spring Boot application to encrypt and decrypt data.

vault write -f transit/keys/my-encryption-key
 

This command creates a named encryption key (my-encryption-key) under the Transit engine. By default, the key is generated with 256-bit AES-GCM encryption. You can customize the key type by specifying additional parameters if needed.

Step 3: Configure Key Permissions

To make sure the key is usable for both encryption and decryption, you need to configure the appropriate permissions. Vault handles key management and automatically tracks how the key is used.

  • Enable Encryption: The key is ready to encrypt data once created.
  • Enable Decryption: By default, Vault enables both encryption and decryption.

You can verify the key’s status and configuration with:

vault read transit/keys/my-encryption-key

 

Step 4: Use the Key for Encryption and Decryption

Encrypt Data

To encrypt data using the my-encryption-key:

curl --header "X-Vault-Token: $VAULT_TOKEN" \ --request POST \ --data '{"plaintext": "VGhpcyBpcyBhIHNlY3JldCBtZXNzYWdl"}' \ https://192.168.101.1:8200/v1/transit/encrypt/my-encryption-key
 

In the above request:

  • The plaintext is the base64-encoded data you want to encrypt (VGhpcyBpcyBhIHNlY3JldCBtZXNzYWdl is "This is a secret message" in Base64).
  • The Vault server responds with a ciphertext string.

Decrypt Data

To decrypt the data using the same key:


curl --header "X-Vault-Token: $VAULT_TOKEN" \ --request POST \ --data '{"ciphertext": "vault:v1:i8NjUu..."}' \ https://192.168.101.1:8200/v1/transit/decrypt/my-encryption-key
 

In the above request:

  • The ciphertext is the encrypted string returned by Vault during the encryption step.

Step 5: Implement Vault Encryption and Decryption in Spring Boot

Once the Vault server is configured, you can integrate the encryption and decryption in your Spring Boot application. Here's the Java code (previously provided) for encrypting and decrypting data:



import org.springframework.beans.factory.annotation.Autowired; import org.springframework.stereotype.Service; import org.springframework.web.client.RestTemplate; import org.springframework.http.ResponseEntity; import org.springframework.web.client.HttpClientErrorException; import java.util.Base64; import java.util.HashMap; import java.util.Map; @Service public class VaultEncryptionService { @Autowired private RestTemplate restTemplate; private static final String VAULT_TRANSIT_ENCRYPT_URL = "https://192.168.101.1:8200/v1/transit/encrypt/my-encryption-key"; private static final String VAULT_TRANSIT_DECRYPT_URL = "https://192.168.101.1:8200/v1/transit/decrypt/my-encryption-key"; // Encrypt Data public String encryptData(String plaintext) { Map<String, String> requestBody = new HashMap<>(); requestBody.put("plaintext", Base64.getEncoder().encodeToString(plaintext.getBytes())); try { ResponseEntity<Map<String, Object>> response = restTemplate.postForEntity( VAULT_TRANSIT_ENCRYPT_URL, requestBody, Map.class); if (response.getBody() != null && response.getBody().containsKey("ciphertext")) { return (String) response.getBody().get("ciphertext"); } else { throw new RuntimeException("Encryption failed: no ciphertext returned"); } } catch (HttpClientErrorException e) { throw new RuntimeException("Error during encryption request: " + e.getResponseBodyAsString(), e); } } // Decrypt Data public String decryptData(String ciphertext) { Map<String, String> requestBody = new HashMap<>(); requestBody.put("ciphertext", ciphertext); try { ResponseEntity<Map<String, Object>> response = restTemplate.postForEntity( VAULT_TRANSIT_DECRYPT_URL, requestBody, Map.class); if (response.getBody() != null && response.getBody().containsKey("plaintext")) { String base64Decrypted = (String) response.getBody().get("plaintext"); return new String(Base64.getDecoder().decode(base64Decrypted)); } else { throw new RuntimeException("Decryption failed: no plaintext returned"); } } catch (HttpClientErrorException e) { throw new RuntimeException("Error during decryption request: " + e.getResponseBodyAsString(), e); } } }

Handling the Vault Token in Spring Boot

The VAULT_TOKEN is a key part of the authentication process between your Spring Boot application and HashiCorp Vault. Vault tokens can be injected into your Spring Boot application through environment variables, making the token available at runtime without hardcoding it in your configuration files, which improves security.
Step 1: Set Up Vault Token Management
There are two primary methods to handle the VAULT_TOKEN securely:
Using the Vault Agent with Auto-Auth: The Vault Agent authenticates with Vault and automatically injects the token into the environment.
Manually Setting the Environment Variable: The token can be exported as an environment variable during deployment.

1. Using Vault Agent for Token Management
The Vault Agent can be configured to automatically authenticate using AppRole (or another method) and manage the token lifecycle, including automatic renewal and caching. The Vault Agent will fetch a Vault token and inject it into the environment, making it available to your Spring Boot application.

Here’s how to configure the Vault Agent for automatic token injection:

Vault Agent Configuration:		


		
auto_auth {
  method "approle" {
    mount_path = "auth/approle"
    config = {
      role_id_file_path   = "/etc/vault/role_id"
      secret_id_file_path = "/etc/vault/secret_id"
    }
  }
}

cache {
  use_auto_auth_token = true
}

listener "tcp" {
  address     = "127.0.0.1:8200"
  tls_disable = true
}

vault {
  address    = "https://192.168.101.1:8200"
  token_file = "/etc/vault/token"
}

In this configuration: The Vault Agent authenticates using AppRole with the role_id and secret_id files.
The token_file parameter points to where the token will be stored after successful authentication (/etc/vault/token).
The token is cached and renewed automatically, ensuring it’s always available without manual intervention.

Injecting the Token into Spring Boot:

Once the Vault Agent retrieves the token and writes it to the token_file, you can configure Spring Boot to read the token from this file or directly from the environment:

export VAULT_TOKEN=$(cat /etc/vault/token)

This makes the VAULT_TOKEN available as an environment variable.

2. Manually Setting the Vault Token as an Environment Variable

You can also export the Vault token directly as an environment variable when deploying your application. For example, in your CI/CD pipeline or server deployment script:

export VAULT_TOKEN="s.YOUR_VAULT_TOKEN"

This way, the token is securely passed to the Spring Boot application during startup.

Step 2: Injecting the VAULT_TOKEN into Spring Boot Properties

In your Spring Boot application, you can reference the VAULT_TOKEN environment variable inside your application.yml or application.properties file:

spring: cloud: vault: uri: https://192.168.101.1:8200 authentication: APPROLE token: ${VAULT_TOKEN}

Spring Boot will automatically resolve the ${VAULT_TOKEN} placeholder by reading the value from the environment variable that was exported during deployment or managed by the Vault Agent.

Step 3: Testing the Configuration

To verify that the VAULT_TOKEN is properly injected into the application, you can test by running:

echo $VAULT_TOKEN

If the token is set correctly, it will print the token string, and Spring Boot will use it to authenticate with Vault.

Handling Token Renewal and Expiration

If using the Vault Agent, the token is automatically renewed before expiration, thanks to the auto-auth and cache mechanisms. If you’re managing the token manually, ensure that the token is regularly renewed by your CI/CD or deployment process, as Vault tokens have a time-to-live (TTL).

Challenges and Considerations in Production: 

1. Latency: There could be a slight increase in latency if the app fetches secrets frequently from Vault. To mitigate this, caching secrets locally within the application or using Vault’s built-in caching mechanisms can help. 
2. Vault Availability: In production environments, ensuring that Vault is highly available is critical. You can deploy Vault in a highly available mode with Consul or use Vault’s Raft storage to ensure continuous availability. 
3. Security Configurations: TLS must be configured for communication between the Spring Boot application and Vault, especially in production. Also, using AppRole or Kubernetes authentication methods can provide more secure ways to authenticate applications without embedding static tokens in the application.

Conclusion

Integrating HashiCorp Vault with Spring Boot ensures secure and centralized secrets management in production environments. By using Vault's dynamic credential generation and encryption capabilities, developers can reduce the risk of exposing sensitive data while enhancing the security of their applications.

References

About Me

I am passionate about IT technologies. If you’re interested in learning more or staying updated with my latest articles, feel free to connect with me on:

LinkedIn
Instagram
Personal Website

Feel free to reach out through any of these platforms if you have any questions!

I am excited to hear your thoughts! 👇


Location: Roma RM, Italia

Comments

Post a Comment

Popular posts from this blog

Monitoring and Logging with Prometheus: A Practical Guide

Image
Monitoring and logging are critical components of any robust IT infrastructure. They ensure that systems run smoothly, issues are detected early, and performance is optimized. Prometheus has emerged as a popular tool for these tasks, offering powerful features for metrics collection, querying, and alerting. In this guide, we'll explore how to effectively use Prometheus for monitoring and logging, providing a practical, hands-on approach to get you started. Key topics include Prometheus architecture, installation, setup, metric collection, alerting, and integration with other tools. If you find yourself curious about who is utilizing Prometheus globally, here is a brief list of some notable companies that have adopted Prometheus for their needs: JPMorgan, Dice, Garfana Labs, Visa,  more ... What is Prometheus? Understanding the Basics Prometheus is an open-source monitoring and alerting toolkit designed specifically for reliability and scalability. Originally developed at SoundCloud...
Read more

Creating a Complete CRUD API with Spring Boot 3: Authentication, Authorization, and Testing

Image
In this article, I will explore how to create a complete application that implements a CRUD API using Spring Boot 3. I will perform Create, Read, Update, and Delete operations on a database, implement authentication and authorization with JSON Web Token (JWT), and develop a REST API for managing orders in an e-commerce system. Finally, I will test the API using JUnit. Table of Contents Technologies Used Client-Server Interactions for Order Retrieval Creating a CRUD API Project Setup Structuring the Project Database Configuration Creating Entity and Repository Implementing Service and Controller Authentication and Authorization with JWT Configuring Spring Security Creating JWT Tokens Implementing the Login Endpoint Swagger setup Testing APIs with JUnit Testing the Service Testing the Controller Running Tests with Maven Testing Authentication Testing Order Retrieval with Authentication Advanced Topics and Best Practices Conclusion References Te...
Read more

Why Upgrade to Spring Boot 3.4.5: Performance, Security, and Cloud‑Native Benefits

Image
Spring Boot 3.4.5 is the latest release packed with performance optimizations, enhanced security features, and cloud-native improvements that make it a compelling upgrade for modern Java applications. Spring Boot 3.4.5 (released April 2025) is the newest stable version in the 3.x line, and it offers numerous advantages over earlier Spring Boot releases. Whether you're a seasoned Java developer or part of a DevOps team, this version brings tangible benefits in performance, security, and cloud-native support. In this article, we'll explore the key reasons to use Spring Boot 3.4.5, highlight its notable new features, and compare improvements against previous 3.x versions – all with clear, technically accurate explanations. We’ll also point to official documentation and changelogs for reference. Key Advantages of Spring Boot 3.4.5 Spring Boot 3.4.5 builds upon the foundation of Spring Boot 3.x (which introduced Java 17+, Jakarta EE 10, and AOT support) and delivers refinements that...
Read more