HashiCorp Vault: Secrets Engines

In the previous articles I explained how to install Vault and create secrets; now I am going to cover in detail what secrets engines are.

  • Secrets engines are the components of Vault that store, generate, or encrypt data.

  • Each secrets engine handles secrets in its own way and offers its own set of features; you pick the engine that fits the kind of secret you need to manage.

  • Many secrets engines are available. Examples are listed below:

  1. AWS

  2. Active Directory

  3. Databases

  4. Key/Value

  5. SSH

  6. Azure

A secrets engine is enabled at a given path. Once enabled, every request whose path starts with that prefix is routed to the engine, and its secrets are read and written under that path.

Secrets Engine Lifecycle

Most secrets engines can be enabled, disabled, tuned, and moved via the CLI or API.

Enable: enables a secrets engine at a given path. By default the path is the engine's type (e.g. the aws engine is enabled at aws/); pass -path to choose a different one.

Disable: disables an existing secrets engine. When a secrets engine is disabled, all of its secrets are revoked (where the engine supports revocation) and all of the data stored for that engine in the physical storage layer is deleted, so read out anything you still need before disabling.

Move: moves the path of an existing secrets engine. Because secret leases are tied to the path they were created at, moving an engine revokes all of its leases; the engine's configuration and stored data persist through the move.

Tune: adjusts global settings for the mount, such as the default and maximum lease TTLs.

Let me start with the simplest type of secrets engine, the KV (Key/Value) engine.

It is used to store arbitrary static secrets within the configured physical storage for Vault. It comes in two versions: KV v1 keeps only the latest value of each key, while KV v2 keeps a history of versions so an overwritten secret can still be read back.

Key names must always be strings.

Log in to the web UI and enable the engine.

Once the engine is configured, it is listed under "Secrets Engines" in the UI.

All of these steps were done via the GUI; here is what you need to execute to do the same thing with the CLI:

# enable a KV v2 engine at mykvpath/ (omit -version=2 and you get KV v1)
vault secrets enable -version=2 -path=mykvpath kv
# disable it again; this deletes everything stored under mykvpath/
vault secrets disable mykvpath/
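The same lifecycle (enable, write and read versioned secrets, move, disable) can be driven through Vault's HTTP API, which is what the CLI calls under the hood. The following is an added example written for this article, not code from the article or from HashiCorp: each helper returns the request it would make (method, API path, JSON body) so the exact endpoints and the KV v1 versus v2 path difference are visible, and send() performs the call with only the standard library. It assumes a dev server started with `vault server -dev`, the environment variables VAULT_ADDR and VAULT_TOKEN, and a constructed mount name "mykvpath" with made-up secret values.

```python
"""Vault secrets-engine lifecycle over the HTTP API (added example; not the
article's code and not HashiCorp's client library). Assumes VAULT_ADDR and
VAULT_TOKEN point at a dev server; "mykvpath" and the secrets are constructed."""
import json
import os
import urllib.request


def enable_secrets_engine(path, engine_type, options=None):
    # POST sys/mounts/<path>; KV v2 is selected with options={"version": "2"}
    body = {"type": engine_type}
    if options:
        body["options"] = options
    return ("POST", f"sys/mounts/{path.strip('/')}", body)


def disable_secrets_engine(path):
    # DELETE sys/mounts/<path>: revokes the engine's leases and deletes its
    # stored data, so read anything you still need before calling this.
    return ("DELETE", f"sys/mounts/{path.strip('/')}", None)


def move_secrets_engine(src, dst):
    # POST sys/remount: leases are tied to the old path and get revoked;
    # the engine's configuration and stored data move with it.
    return ("POST", "sys/remount", {"from": src.strip("/"), "to": dst.strip("/")})


def tune_secrets_engine(path, default_lease_ttl, max_lease_ttl):
    # POST sys/mounts/<path>/tune: lease TTLs, e.g. "1h" and "24h"
    return ("POST", f"sys/mounts/{path.strip('/')}/tune",
            {"default_lease_ttl": default_lease_ttl, "max_lease_ttl": max_lease_ttl})


def kv_path(mount, key, kv_version=2, kind="data"):
    # KV v1 reads and writes <mount>/<key> directly. KV v2 inserts a segment:
    # <mount>/data/<key> for the secret, <mount>/metadata/<key> for versions.
    mount, key = mount.strip("/"), key.strip("/")
    if kv_version == 1:
        return f"{mount}/{key}"
    return f"{mount}/{kind}/{key}"


def kv_write(mount, key, data, kv_version=2):
    # v2 wraps the secret in {"data": ...}; v1 sends the fields at top level.
    body = {"data": data} if kv_version == 2 else data
    return ("POST", kv_path(mount, key, kv_version), body)


def kv_read(mount, key, kv_version=2, version=None):
    # ?version=N reads an older version (v2 only); omitted means current.
    path = kv_path(mount, key, kv_version)
    if kv_version == 2 and version is not None:
        path += f"?version={int(version)}"
    return ("GET", path, None)


def kv_read_result(response, kv_version=2):
    """Return (secret_dict, version) from a read response; v1 has no version."""
    if kv_version == 1:
        return response["data"], None
    return response["data"]["data"], response["data"]["metadata"]["version"]


def send(spec, addr=None, token=None):
    """Perform one API call; returns the parsed JSON body, or {} for 204."""
    method, path, body = spec
    addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
    token = token or os.environ["VAULT_TOKEN"]
    payload = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=payload, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


if __name__ == "__main__":
    mount = "mykvpath"  # constructed mount name
    send(enable_secrets_engine(mount, "kv", {"version": "2"}))
    send(kv_write(mount, "app/db", {"password": "first"}))
    send(kv_write(mount, "app/db", {"password": "second"}))
    current, ver = kv_read_result(send(kv_read(mount, "app/db")))
    old, _ = kv_read_result(send(kv_read(mount, "app/db", version=1)))
    print(f"current version {ver}: {current}; version 1: {old}")
    send(tune_secrets_engine(mount, "1h", "24h"))
    send(move_secrets_engine(mount, "kv-moved"))
    send(disable_secrets_engine("kv-moved"))  # destroys both versions
```

Run with a dev server (`vault server -dev`, then export VAULT_ADDR and VAULT_TOKEN) to see the second write land as version 2 while version 1 stays readable until the engine is disabled. The helpers that only build the request can be exercised without a server, which is also a handy way to double-check the `data/` and `metadata/` path segments that trip people up when moving from KV v1 to v2.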

This was a high-level overview of Vault secrets engines. In the next article I am going to discuss dynamic secrets.
