Vagrant
Security
Sharing your Vagrant environment understandably raises a number of security concerns.
The primary security mechanism for Vagrant Share is security through obscurity along with an encryption key for SSH. Additionally, there are several configuration options made available to help control access and manage security:
--disable-http
will not create a publicly accessible HTTP URL. When this is set, the only way to access the share is withvagrant connect
.
In addition to these options, there are other features we've built to help:
Vagrant share uses end-to-end TLS for non-HTTP connections. So even unencrypted TCP streams are encrypted through the various proxies and only unencrypted during the final local communication between the local proxy and the Vagrant environment.
SSH keys are encrypted by default, using a password that is not transmitted to our servers or across the network at all.
SSH is not shared by default, it must explicitly be shared with the
--ssh
flag.
Most importantly, you must understand that by running vagrant share
,
you are making your Vagrant environment accessible by anyone who knows
the share name. When share is not running, it is not accessible.