One of the core features of Vault is the ability to read and write arbitrary secrets securely. Secrets written to Vault are encrypted and then written to the backend storage. Therefore, the backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault.
NOTE: This step assumes that you created and connected to the HCP Vault cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) step.
You will enable the key/value v2 secrets engine at the secret/ path in the admin namespace. Secrets engines are tied to their namespace. Therefore, the secrets you create in the admin namespace are not accessible from other
In the Vault UI, set the current namespace to
Select the Secrets tab in the Vault UI.
Click Enable new engine.
Select KV from the list, and then click Next.
Enter secret in the Path field.
Click Enable Engine to complete.
Select Create secret. Enter test/webapp in the Path for this secret field.
Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.
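The same steps expressed as Vault HTTP API requests, as an added example that is not part of the original tutorial: it shows the X-Vault-Namespace header that scopes each call to the admin namespace and the data/ path segment that KV v2 adds. The function names are hypothetical, and the script assumes VAULT_ADDR and VAULT_TOKEN are set in the environment.

```python
import json
import os
import urllib.error
import urllib.request

NAMESPACE = "admin"  # namespace selected in the UI steps
MOUNT = "secret"     # value entered in the Path field when enabling KV


def build_request(addr, token, method, api_path, payload=None, namespace=NAMESPACE):
    """Build (but do not send) a request to Vault's HTTP API."""
    headers = {"X-Vault-Token": token, "X-Vault-Namespace": namespace,
               "Content-Type": "application/json"}
    body = json.dumps(payload).encode() if payload is not None else None
    url = f"{addr.rstrip('/')}/v1/{api_path}"
    return urllib.request.Request(url, data=body, headers=headers, method=method)


def enable_kv_v2(addr, token):
    # Engine type "kv" with options.version "2" is the key/value v2 engine.
    return build_request(addr, token, "POST", f"sys/mounts/{MOUNT}",
                         {"type": "kv", "options": {"version": "2"}})


def write_secret(addr, token, secret_path, data):
    # KV v2 puts "data/" between the mount and the secret path and
    # wraps the key/value pairs in a top-level "data" object.
    return build_request(addr, token, "POST", f"{MOUNT}/data/{secret_path}", {"data": data})


def read_secret(addr, token, secret_path, namespace=NAMESPACE):
    return build_request(addr, token, "GET", f"{MOUNT}/data/{secret_path}", namespace=namespace)


def send(req):
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else None


if __name__ == "__main__":
    # Contacts a cluster only when both environment variables are set.
    addr, token = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_TOKEN")
    if addr and token:
        try:
            send(enable_kv_v2(addr, token))
        except urllib.error.HTTPError as err:
            print("mount not created (it may already exist):", err.code)
        send(write_secret(addr, token, "test/webapp", {"api-key": "ABC0DEFG9876"}))
        print(send(read_secret(addr, token, "test/webapp"))["data"]["data"])
```

Passing a different namespace to read_secret sends the same path under another X-Vault-Namespace value, which is the isolation boundary the tutorial describes.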
This tutorial gave you a brief introduction to the key/value v2 secrets engine. To understand the features it provides, follow the Versioned Key/Value Secrets Engine tutorial. That tutorial is written for a self-managed Vault OSS server. The only difference is that you must set the target namespace when you follow the instructions.
The next step is to go through an introduction to Vault policies.