• Created by Hashicorp (e.g. Vagrant)
  • Tool for managing secrets and storing them encrypted. It controls access to tokens, passwords, certificates, API keys etc - things that would normally not be checked into a source control system.
  • It can handle all aspects of sensitive information - generation, storage, usage and revocation.


  • Vault is a go application with a REST/CLI interface
  • CLI uses vault binary with subcommands (similar to git)
  • REST API uses GET/POST/DELETE passing the token with the header X-Vault-Token.
  • Can use Ansible to make REST requests to Vault and do something with the output


  • Can store existing secrests or can dynamically generate new secrets to control access to third party resources or provide time limited access.
  • write and read secrets from the vault.
  • Can use short-lived secrets thus limiting "window of opportunity" to use stolen secrets.


  • Handles leasing, key revocation, key rolling and auditing.
  • Access control policies control who can access what.
  • Keys can be rolled to new versions while retaining ability to decrypt older secrets.
  • Audit logs track all authenticated client interaction. These logs can be sent to multiple backends for further processing.


  • Can use tokens - strings sent as a header on every http request
  • Initial install creates a root token - similar to root user, we need to be careful using this. Should create other limited users for normal use.
  • token-create creates a new token.
  • Can also authenticate using LDAP, JW, TLS among others.
  • Tokens form a hierarchy and each child can only have at most same level of privileges as the parent
  • Invalidating a token also invalidates the children tokens.
  • Tokens have properties
    • Policies
    • TTL
    • Can be renewed?
    • Maximum usage count

Backends/Secret Engines

  • Vault has a few backends. These are virtual file systems with some logic
  • For example, AWS backend will create IAM credentials on demand - dynamic secrets.
  • Persistence backend provides storage for all secrets.

Secret Types

  • Vault supports a range of secret types e.g. key-value, crypto keys, dynamically created
  • Each type has a mount point (REST API prefix), set of operations and configuration parameters

Key-Value Secrets

  • key-value pairs available under the given path
  • Can have versioning on the values (non versioned updates replace existing value)

Dynamically Generated Secrets

  • Generated on the fly whenever requested by an application.
  • For example, Database credentials, SSH Key Pairs, X509 Certificates, AWS Credentials, Google Service accounts, Active Directory accounts.
  • We provide credentials to connect to the service and a role to create the new user & grant relevant permissions
  • Can expire credentials based on time and renew based on customer request and backend support.


  • Vault doesn't store the master key in the main server so can't access data by default - in sealed state.
  • Can unseal with the master key and then the Vault will be available to accept API requests.
  • On initialisation Vault displays master share values (and never again). To unseal we must enter three of these.


results matching ""

    No results matching ""