Improve Security with Liquibase and Hashicorp Vault

Security Matters

Security matters, especially in fast-paced Continuous Integration and Continuous Deployment environments enabled by Liquibase. Across a range of industries, from banking and finance, to insurance, spanning on-premise, cloud, or hybrid development styles, among the most secure methods to store and pass credentials is Hashicorp Vault. And, now, you can use them together with the Liquibase Hashicorp Vault extension, a fully supported and tested component of a sophisticated CICD process.

In this post, we’ll cover the basics of protecting database usernames, passwords, and other critical credentials by dropping the Liquibase Hashicorp Vault extension into your Liquibase workflow, as well as offer a few tips for this release of the extension.

Security Credentials and Liquibase

Liquibase helps you deploy changes to a range of database environments in automation. The best practice principles of separation of duties guide how usernames, passwords, and other sensitive properties are handled. When starting their DevOps journey, many users will store credentials in defaults files, or the slightly more secure Environment variables, but the most secure option is to use a secrets manager, or “vault”, such as the offering from Hashicorp.

Sensitive credentials are protected at rest in the vault and securely retrieved at runtime, their actual values unknown even to the user of the secret. In this way, the risks of unauthorized access are greatly reduced, especially if coupled with periodic credentials rotations.

Secure your CICD process with Liquibase Hashicorp Vault

Using the new extension is a simple 1-2-3 of Installation, Configuration, and Deployment

Installation

As with other Liquibase extensions, simply download the extension’s .jar file and place it in the proper file location, as detailed in the Docs, and summarized here:

• Maven users add the HashiCorp Vault extension as a dependency in your pom.xml file to download the JAR
• Liquibase package manager users simply run ‘lpm add hashicorp-vault’
• CLI users can retrieve the latest version directly from the liquibase-hashicorp-vault directory on Maven Central.

The .jar file is almost always placed in the liquibase/lib directory, although your specific configuration might vary.

Configuration

Liquibase is configured via properties, which can be set in a defaults file, (often called liquibase.properties), environment variables, on the CLI itself, and more. To configure a property to be retrieved from Hashicorp Vault is a simple string swap using this format:

property=hashicorp,<path/to/secret>,<secretname>

For example, for the URL property

liquibase.command.url=jdbc:h2:tcp://localhost:9090/mem:dev

becomes

liquibase.command.url=hashicorp,my/path/to/secrets,url

Or an environment variable example

LIQUBASE_USERNAME=”my_username” to

LIQUIBASE_USERNAME=”hashicorp,devteam/deploy/secrets,username”

Pro License required. This extension is gated by a Pro license, which you can also store in your Vault. To do this, you will simply need to configure the vault_addr and vault_token properties in a defaults file, environment variable, on the CLI or other non-vault location.

Deployment

Now you have the extension in place and have set up your properties to use it. Congrats, now the last step is the easiest:  

Just run Liquibase in your manual or automated jobs as you always have!

Liquibase will automatically connect to the vault, securely retrieve your credentials, and use them in your jobs.

Note

Important reminder for the initial early Dec 2022 release of the Liquibase Hashicorp Vault extension:

1. This release works with v1 of  Hashicorp Vaults
2. A version compatible with v2 is in development, with an estimated release date of late Dec 2022

Get started with the Hashicorp Vault extension

Remember, security is paramount to successful software development. Integrating the Liquibase Hashicorp Vault extension into your dev, QA, and production pipelines is an easy and effective way to increase protection for your sensitive credentials and properties.

Here are a few links to get you started:

• Get a Liquibase Pro trial license at https://www.liquibase.com/liquibase-pro
• Learn more about the extension, including links to download at https://docs.liquibase.com/tools-integrations/secrets-management/hashicorp-vault.html