Secrets for applications and systems need to be centralized, and static, IP-based solutions don't scale in dynamic environments where applications and machines change frequently.
Vault enables teams to securely store and tightly control access to tokens, passwords, certificates, and encryption keys for protecting machines, applications, and sensitive data. In addition, Vault can dynamically generate time-limited secrets to access databases, cloud resources, etc.
Secrets engines are Vault components which store, generate or encrypt data. They are incredibly flexible and pluggable.
The Secrets Management track introduces secrets engines.
Based on your organization's needs, refer to some or all of the guides provided on this track to get you started.
Read Static Secrets: Key/Value Secrets Engine to learn the basics of the Key/Value secrets engine.
Read the Versioned Key/Value Secrets Engine guide to learn about the additional features provided by the versioned Key/Value secrets engine (K/V v2).
The Cubbyhole Response Wrapping guide shows how to wrap secrets so that you don't have to transmit the secrets themselves across the wire. Instead, you send a reference to the secrets.
The Secrets as a Service: Dynamic Secrets guide provides an introduction to the database secrets engine.
Continue reading the Database Root Credential Rotation guide which demonstrates an easy way to rotate the root database credentials.
If you want Vault to periodically rotate the password for existing database users (rather than creating new users), refer to the Database Static Roles and Credential Rotation guide.
Read the Vault Agent Caching guide to learn about running Vault Agent on the client machine to automatically manage the dynamically generated database credentials.
The Azure secrets engine dynamically creates and manages Microsoft Azure credentials that applications and systems use to access Azure resources.
The Build Your Own Certificate Authority (CA) guide demonstrates the use of the PKI secrets engine as an intermediate certificate authority.
The SSH Secrets Engine: One-Time SSH Password guide walks you through a usage example of the SSH secrets engine.
Key Management Interoperability Protocol (KMIP)
- Read the KMIP secrets engine guide to learn how you can leverage Vault as a KMIP server.
- Read the Building Plugin Backends guide if you are interested in developing your own secrets engine to plug into your Vault server.