¶ Initialization and Root Access
- Use Shamir's secret sharing for the unseal keys and distribute the shares under separation of duties, so no single person can unseal alone.
- Revoke the bootstrap root token once setup is complete and use a controlled break-glass process for any later root access.
- Enforce MFA and strong auth methods for admin access.
¶ Transport and Backend Security
- Require TLS 1.2+ with trusted certificates for all clients.
- Protect storage backend with encryption and strict network policy.
- Restrict Vault API and cluster traffic to private trusted networks.
¶ Auth Methods and Policies
- Use least-privilege policies with path-level constraints.
- Prefer short-lived dynamic secrets over long-lived static secrets.
- Rotate auth credentials and root/intermediate PKI material regularly.
¶ Monitoring and Compliance
- Enable at least one immutable audit device.
- Alert on failed auth bursts, policy changes, and unusual secret access.
- Patch Vault and validate upgrades in staging first.
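Detection logic for the alerting item above, added here as an example and not part of the original checklist. It scans constructed Vault audit entries (one JSON object per line, with field names as written by the file audit device; the `EXPECTED_READERS` baseline and all identities are assumptions) and flags login-failure bursts per source address, ACL policy writes, and secret reads by identities outside the expected set.

```python
import json
from collections import Counter

# Constructed sample audit log; ids, addresses and names are placeholders.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"time":"2024-05-01T10:00:01Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"203.0.113.9"},"error":"invalid username or password"}',
    '{"time":"2024-05-01T10:00:02Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/userpass/login/alice","remote_address":"203.0.113.9"},"error":"invalid username or password"}',
    '{"time":"2024-05-01T10:00:03Z","type":"response","auth":{},"request":{"operation":"update","path":"auth/userpass/login/bob","remote_address":"203.0.113.9"},"error":"invalid username or password"}',
    '{"time":"2024-05-01T10:01:00Z","type":"response","auth":{"display_name":"userpass-ops","policies":["default","admin"]},"request":{"operation":"update","path":"sys/policies/acl/app-ro","remote_address":"10.0.0.5"},"error":""}',
    '{"time":"2024-05-01T10:02:00Z","type":"response","auth":{"display_name":"approle-payments","policies":["default","payments-ro"]},"request":{"operation":"read","path":"secret/data/payments/db","remote_address":"10.0.1.7"},"error":""}',
    '{"time":"2024-05-01T10:03:00Z","type":"response","auth":{"display_name":"userpass-ops","policies":["default","admin"]},"request":{"operation":"read","path":"secret/data/payments/db","remote_address":"10.0.0.5"},"error":""}',
])

# Assumed baseline: which auth identities normally read each secret path prefix.
EXPECTED_READERS = {"secret/data/payments/": {"approle-payments"}}
POLICY_PATHS = ("sys/policies/acl/", "sys/policy/")  # current and legacy ACL policy endpoints


def analyze_audit_log(lines, expected_readers=EXPECTED_READERS, fail_threshold=3):
    """Return alerts for the three checklist items over one batch of audit entries."""
    failed_logins = Counter()
    alerts = {"failed_auth_burst": [], "policy_change": [], "unusual_secret_access": []}
    for line in lines:
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry.get("type") != "response":  # one response entry per completed request
            continue
        req = entry.get("request", {})
        path, op = req.get("path", ""), req.get("operation", "")
        who = (entry.get("auth") or {}).get("display_name", "<unauthenticated>")
        # 1. Login failure: an auth/.../login request whose response carried an error.
        if path.startswith("auth/") and "/login" in path and entry.get("error"):
            failed_logins[req.get("remote_address", "?")] += 1
        # 2. ACL policy created, updated or deleted.
        if path.startswith(POLICY_PATHS) and op in ("update", "create", "delete"):
            alerts["policy_change"].append((who, op, path))
        # 3. Secret read by an identity outside the expected set for that prefix.
        if path.startswith("secret/data/") and op in ("read", "list"):
            for prefix, readers in expected_readers.items():
                if path.startswith(prefix) and who not in readers:
                    alerts["unusual_secret_access"].append((who, path))
    alerts["failed_auth_burst"] = [(a, n) for a, n in failed_logins.items() if n >= fail_threshold]
    return alerts


if __name__ == "__main__":
    for kind, hits in analyze_audit_log(SAMPLE_AUDIT_LOG.splitlines()).items():
        print(kind, hits)
```

The burst rule counts failures over whatever batch is passed in, so feed it one time window at a time (for example one minute of log lines) to get a rate rather than a lifetime total.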