What are good practices when using Vault to secure a containerized Django application?
I need help with a school project;
I have a Django app and a Vault server in separate containers (database and other things too, but they are not important here).
I am struggling to understand what should and should not be done when using Vault to ensure my app's security. It's also worth mentioning that the entire project needs to be compiled and ready to use with a single 'make' command, so Vault's initialization, key storage, unsealing, etc., must be handled in scripts.
- Where should I store Vault's token and root key once initialized? Storing them in plain text files doesn't seem secure, but I'm not sure of other options. Same with the TLS certificates and keys.
- When is Vault supposed to be sealed? Should Vault be unsealed and then sealed again with each request? Or should Vault remain unsealed as long as the app is running? But in that case, sealing it seems pointless.
- Is storing keys on the host machine and passing them to containers via environment variables a secure approach?
Sorry if these questions seem basic, but this project is a big deal, and I want it to be secure.
Thanks!