Compatible Vaults

MGS Vault (Based on Open Source HashiCorp Vault)

MGS Vault or Open source HashiCorp Vault 1.12.2 or higher.

Azure Key Vault

Google Cloud Platform Secret Manager

Introducing Microsoft Azure Key Vault

Introducing Azure Key Vault, a robust platform for streamlined cryptographic key management.

Azure Key Vault, developed by Microsoft, is a vital tool for businesses and individuals needing to securely manage their cryptographic keys and other sensitive information. The service is especially adept at handling secrets used in cloud applications and services. It stands out for its seamless integration with various Azure services, supporting a broad spectrum of key types and algorithms. Its primary role is to safeguard cryptographic keys and secrets, crucial for maintaining security in cloud-based environments.

This makes Azure Key Vault particularly valuable for organizations in sectors like emissions reporting, carbon offset, and renewable energy credit creation. By integrating Azure Key Vault into their system, businesses can enhance their security posture, ensuring that their sensitive data, such as user account secrets and private keys, are stored in a highly secure, cloud-based environment. This aligns with the overarching goals of the Managed Guardian Service (MGS) to provide hassle-free management of technological infrastructure, allowing organizations to focus on their core activities without compromising on security and compliance.

Azure Key Vault is a forward-thinking addition to the MGS ecosystem, aligning with its roadmap of integrating with popular and reliable vault solutions, and is set to be a key player in the safekeeping of digital assets in the evolving world of emissions reporting and environmental asset management.

MGS Vault

Microsoft Azure Key Vault

Once registered for the Managed Guardian Service, users will need to configure their profiles. These instructions will help users set up Azure Key Vault.

Google Cloud Platform Secret Manager

Once registered for the Managed Guardian Service, users will need to configure their profiles. These instructions will help users set up the Google Cloud Platform Secret Manager.

Introducing MGS Vault

Introducing the Managed Guardian Service Vault.

Secure self-custody with the peace of mind you deserve.

The Managed Guardian Service Vault is designed to benefit organizations and individuals looking to securely store their user account secrets, such as private keys. The Vault solution leverages the open-source version of HashiCorp Vault and is intended to be used with the Managed Guardian Service. Keep in mind that MGS has integrations with many other popular vaults on its roadmap, so requests are welcome. The Managed Guardian Service (MGS) is a Software as a Service for businesses that are developing apps for emissions reporting, carbon offset, and renewable energy credit creation. MGS makes managing technological infrastructure hassle-free, allowing businesses to concentrate on their core activities.

HashiCorp Vault Setup

In this example, we will demonstrate the MGS Vault using the open-source HashiCorp Vault. Once the Vault is deployed to the cloud of your choice, you can access the Vault's user interface by opening your web browser and navigating to the Vault's URL.

First, you'll need to initialize the vault. If this is the first time you're using the Vault, you'll need to initialize it by setting the number of key shares and key threshold. Key shares are the total number of parts the master key is split into, while the key threshold is the minimum number of parts required to unseal the Vault. For example, you can set key shares to 5 and the key threshold to 3. Click on the "Initialize" button on the welcome page.

Next, you need to download the unseal keys and the initial root token. After initializing the Vault, you'll be provided with a set of unseal keys and an initial root token. Make sure to securely store this information, as it's required to unseal and authenticate with the Vault.

After that step, you'll need to unseal the Vault. Provide the required number of unseal keys, matching the key threshold, to unseal the Vault. Click on "Continue to Unseal" and enter the unseal keys one by one.

Now, you can log into your vault. Once the Vault is unsealed, you'll be redirected to the login page. Select the Token method of authentication and enter the initial root token you saved earlier and click "Sign In."

Once logged in, you should create a secret engine. Now that you're logged in, click on the "Enable new engine" button on the right side of the screen.

Select the generic KV type and click Next.

Enter a path for the secret engine and make a note of it. You will need to provide it later during the MGS setup. Leave "Maximum number of versions" at its default of 0. Click on Enable Engine.

Once you have a secret engine, you can create a "secret." Select your newly created Secret engine. After creating the secret engine, you will be automatically redirected to this page.

To create a new secret, click the "Create secret" button.

You'll be asked to provide a path for the secret. You will also need this path during the MGS user profile setup. In the “Secret data” section, put “privateKey” in the “key” field and your private key in the value field. Click the “Save” button.

MGS Vault

Once registered for the Managed Guardian Service, users will need to configure their profiles. They may choose to bring their own compatible vault or use the MGS vault solution we deployed across all major cloud provider Marketplaces. Examples of those marketplaces include the Microsoft Azure Marketplace, Google Cloud Platform Marketplace, and AWS Marketplace.

See below for the marketplaces where you can get the MGS Vault for free (only pay for the VM consumption).

Azure Marketplace: MGS Vault

Google Cloud Marketplace: MGS Vault
AWS Marketplace: MGS Vault

GCP Secret Manager Integration with MGS

  1. Register a new user on MGS. When it’s done, you’ll be redirected to the Finish Setup page to finalize your user profile. To proceed with GCP Secrets as your Vault solution, please select the “GCP Secrets” option in the available vaults list and click the “Next” button.

  2. Enter the appropriate data into the fields:

  • Project Id – Project number from step 2.

  • Client Email – Service account ID from step 6.

  • Account Private Key – Private key from the JSON (step 10).

  • Secret path prefix – prefix to be added to the beginning of the key name (in case one vault is used for many accounts).

  3. On the next step, enter your Hedera Account and the Name of the secret that was added to GCP Secrets, then click Next to finalize the setup process.

GCP Secret Manager Setup

  1. Log in to your Google Cloud Platform.

  2. Go to the GCP Console home page (https://console.cloud.google.com/). Save the Project number for future usage.

  3. Click on 'Go to project settings'.

HashiCorp Vault Integration with MGS

First, log in to your tenant using your Username, Password and Tenant ID.

After login, click the “Next” button and then fill out the following form fields:

  • Endpoint. This is your Vault server IP address.

  • Access Token. This is your Vault access token. For example, this is the token you get during the vault unsealing we discussed earlier.

Introducing Google Cloud Platform Secret Manager

Introducing Google Cloud Platform (GCP) Secret Manager, an essential addition to the Managed Guardian Service (MGS).

Google Cloud Platform's Secret Manager offers a secure and efficient solution for managing sensitive information, including API keys, passwords, certificates, and other confidential data. This service is a key component of GCP's suite of cloud computing services, designed to provide high security and easy manageability. GCP Secret Manager is particularly advantageous for organizations dealing with large volumes of sensitive data that need to be securely stored and accessed, making it a crucial tool for businesses engaged in emissions reporting, carbon offset, and renewable energy credit creation.

The integration of GCP Secret Manager into MGS signifies a significant step forward in enhancing data security for our users. It aligns with the ongoing commitment of MGS to provide robust, scalable, and secure cloud-based solutions, empowering businesses to focus on their core operations while ensuring the safety and confidentiality of their critical digital assets. With GCP Secret Manager, MGS users can expect a streamlined experience in managing their private keys and other sensitive information, backed by the reliability and innovative technology of Google Cloud Platform.

  4. Click on the 'Service Accounts' menu on the left navigation bar.

  5. Click on 'Create Service Account'.

  6. Enter the service account name and description details. Save the Service account ID for future usage.

  7. Grant the service account access to the project and create the account.

  8. Select the newly created service account and click on the 'KEYS' tab.

  9. Click the 'ADD KEY' dropdown, select 'Create New Key' and select JSON as the key type.

  10. The service account key JSON file is automatically downloaded to your local machine.

    https://console.cloud.google.com/

  • Path to KV store. This is the path you put during the Secret Engine setup.

  • Namespace. If you are using the HashiCorp Cloud Vault, you should fill this out. Otherwise, leave it empty.

After filling in the form, click the “Next” button.

On the next form, enter your Hedera Account ID and the path you created during the creation of the secret in the Vault. After that, click the “Next” button and you are all set.

Keep in mind, if you are setting up a Standard Registry user profile, there will be one more form to fill out, but that is not relevant to the Vault's integration.

To briefly recap, you can secure your digital assets with the Managed Guardian Service Vault, the secure self-custody solution.

At this point, the setup is complete, and you can proceed to using the Managed Guardian Service.

Microsoft Azure Key Vault Setup

  1. Go to your Azure Homepage (Home - Microsoft Azure).

  2. In the search field type App Registration, or follow this link https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade

  3. Add a new App and name it so that you can identify it in the future, e.g. “MGS Azure Key Vault”.

  4. Save the Application (client) ID and Directory (tenant) ID for future usage.

  5. Go to Certificates & secrets -> Client Secrets.

  6. Click on New client secret, fill in the fields, create, and copy the created secret Value for future usage.

  • For the Name field, enter a unique identifier for your secret (for example: hedera-operator-key). You will use this secret name as the “Operator Key Vault Secret” (Secret Id) when configuring the Guardian application.

  • For the Value field, enter your private key in the following JSON format:

    { "privateKey": "YOUR_KEY" }

    Replace YOUR_KEY with your actual Hedera private key, copied from HashPack.

  • Click Create to save the secret.

  7. Go back to your Azure home page and click on Create a resource.

  8. Search for Key Vault and click Create.

  9. Fill in the required fields and click Review + Create.

  10. From the Azure home page go to your newly created key vault -> Access Configuration and select Vault access policy. Click Apply to save changes.

  11. Click Go to access policies and then click Create.

  12. In the Create an access policy dialog, check the boxes for secret management as below, then click Next.

  13. In the Principal dialog, find and select your App from step 3 (either by name or by client ID), then click Next.

  14. On the Application (Optional) dialog click Next, and on the Review and Create dialog click Create.

Microsoft Azure Key Vault Integration with MGS

  1. Register a new user on MGS. When it’s created, you’ll be redirected to the Finish Setup page to finalize your user profile. To proceed with the Azure Key Vault as your Vault solution, please select the “Azure Key Vault” option in the available vaults list and click Next.

  2. Enter the appropriate data into the fields:

  • Vault Name – Key vault name from step 9.

  • Tenant Id – Directory (tenant) ID from step 4.

  • Client Id – Application (client) ID from step 4.

  • Client Secret – Secret Value from step 6.

  • Prefix for secrets – prefix to be added to the beginning of the key name (in case one vault is used for many accounts).

  3. On the next step, enter your Hedera Account and the Name of the secret that was added to the Azure Key Vault, then click Next to finalize the setup process.