Vault

Introduction

Vault is a microservice that provides an encrypted key value store. Only the a Waylay user with the Admin role can read, write or update parameter values. If you are a Waylay Admin, you can access the Vault service via the ‘User Profile’ tile.

vault

Vault uses a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit initialization vectors. The initialization vector is randomly generated for every encrypted object. When data is read the GCM authentication tag is verified during the decryption process to detect any tampering.

Note: you can of course also store your parameters in Global Settings (accessible via the same ‘User Profile’ tile), which is also a key/value store, but those parameter values are visble to anyone that has an account on the Waylay platform.

Using Vault settings in sensors and actuators

When you as a sensor developer, want to use a particular Vault parameter and value in the code of your sensor, you can use the following function to access a particular key:

async function getKeyFromVault() {
    return waylay.vault.get("Private_Mandrill_Key")
        .then(res => {
            console.log(`Successfully got key from vault`)
            return res
        })
        .catch(err => {
            console.error(`Failed to get key from vault`, err)
            throw err
        })
}

async function start() {
    const key = await getKeyFromVault()
    return key
}

start().then(foundKey => {
  //here we put some code to do something useful with the key
  
  const value = {
    observedState: 'done',
    rawData: {
      message: "we did something useful"
    }
  }
  send(null, value);
})

In the above example ‘Private_Mandrill_Key’ would be the key that is stored in Vault. Note that the waylay.vault.get function returns a promise. Therefore you should wrap this call in an async function.

Accessing Vault via the Waylay API

A Waylay user with the Admin role, can access Vault via the Waylay API. More information can be found here: Vault API