Vault
Create and store secrets in HCP Vault Dedicated
One of the core features of Vault is the ability to read and write arbitrary secrets securely. Vault encrypts secrets when written to the backend storage. Therefore, the backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault.
HashiCups wants to store application secrets such as API keys, passwords, and certificates in HCP Vault Dedicated. In this tutorial, Oliver from HashiCups learns how to create and store secrets using the Key/Value (K/V) secrets engine in HCP Vault Dedicated.
Prerequisites
- Completed the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) tutorial.
- Completed the Access your HCP Vault Dedicated cluster tutorial.
Key/Value secrets engine
The Key/Value v2 secrets engine is a generic key-value store used to store arbitrary secrets within the configured physical storage for Vault.
The Key/Value secrets engine has version 1 and 2. The difference is that v2 provides versioning of secrets, while v1 does not.
Use the `vault kv <subcommand> [options] [args]` command to interact with the K/V secrets engine.
Available subcommands:
| Subcommand | kv v1 | kv v2 | Description |
|---|---|---|---|
| delete | x | x | Delete versions of secrets stored in K/V |
| destroy | | x | Permanently remove one or more versions of secrets |
| enable-versioning | x | | Turns on versioning for an existing K/V v1 store |
| get | x | x | Retrieve data |
| list | x | x | List data or secrets |
| metadata | | x | Interact with Vault's Key-Value storage |
| patch | | x | Update secrets without overwriting existing secrets |
| put | x | x | Sets or updates secrets (this replaces existing secrets) |
| rollback | | x | Rolls back to a previous version of secrets |
| undelete | | x | Restore the deleted version of secrets |
Enable secrets engine
(Persona: operations)
Before teams at HashiCups can write secrets to HCP Vault, Oliver must enable the
key/value v2 secrets engine. You enable a
secrets engine in a specific namespace. The secrets you create in the admin
namespace are not accessible from other namespaces by default.
In the Vault UI, set the current namespace to `admin/`.
Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.
Enter `secret` in the Path field.
Click Enable Engine to complete.
Create secrets
(Persona: developer)
Now that Oliver has enabled the key/value v2 secrets engine, Danielle from the development team can create, store, and retrieve secrets from HCP Vault.
Click Create secret.
Enter `test/webapp` in the Path for this secret field.
Under the Secret data section, enter `api-key` in the key field, and `ABC0DEFG9876` in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.
Click Save.
Click the masked input toggle button to review the value for the `api-key` key.
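The same flow as Danielle's UI steps, driven through Vault's HTTP API with only the Python standard library. This is an added example, not code from the tutorial or from HashiCorp; it assumes `VAULT_ADDR` and `VAULT_TOKEN` are set to the cluster's public address and a token valid in the `admin` namespace, and reuses the tutorial's mount `secret` and path `test/webapp`. The helper names (`kv2_path`, `parse_kv2_read`, `put_secret`, `get_secret`) are this example's own.

```python
"""Minimal K/V v2 client for HCP Vault Dedicated (added example, not HashiCorp code)."""
import json
import os
import urllib.request

NAMESPACE = "admin"  # the tutorial enables the engine in the admin namespace


def kv2_path(mount, secret_path, kind="data"):
    """K/V v2 inserts 'data/' (or 'metadata/') between the mount and the secret path.

    This is also the path a policy must grant: 'secret/data/test/webapp', not 'secret/test/webapp'.
    """
    if kind not in ("data", "metadata"):
        raise ValueError(f"unknown K/V v2 path kind: {kind}")
    return f"/v1/{mount.strip('/')}/{kind}/{secret_path.strip('/')}"


def parse_kv2_read(body):
    """Return (key/value dict, version) from a K/V v2 read response.

    A deleted version still returns metadata but 'data' is null; fail loudly
    instead of handing the caller an empty secret.
    """
    payload = body["data"]
    if payload.get("data") is None:
        raise LookupError(f"version {payload['metadata']['version']} is deleted or destroyed")
    return payload["data"], payload["metadata"]["version"]


def _request(method, path, body=None):
    addr, token = os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"]
    req = urllib.request.Request(addr + path, method=method,
                                 data=json.dumps(body).encode() if body else None)
    req.add_header("X-Vault-Token", token)
    req.add_header("X-Vault-Namespace", NAMESPACE)  # same as selecting admin/ in the UI
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def put_secret(mount, secret_path, data):
    """Write (overwriting, like 'vault kv put') and return the new version number."""
    return _request("POST", kv2_path(mount, secret_path), {"data": data})["data"]["version"]


def get_secret(mount, secret_path):
    """Read the current version, like 'vault kv get'."""
    return parse_kv2_read(_request("GET", kv2_path(mount, secret_path)))


if __name__ == "__main__":
    print("wrote version", put_secret("secret", "test/webapp", {"api-key": "ABC0DEFG9876"}))
    print(get_secret("secret", "test/webapp"))
```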
Summary
In this tutorial Oliver enabled one of Vault's secrets engines, giving you an introduction to the key/value v2 secrets engine. After Oliver enables the secrets engine, Danielle from the development team creates and stores secrets in HCP Vault. To learn more about the K/V secrets engine, follow the Versioned Key/Value Secrets Engine tutorial.
Next steps
Oliver enabled the key/value v2 secrets engine and Danielle created and stored secrets in HCP Vault. To fully take advantage of HCP Vault, following security best practices, Oliver needs to learn how to author policies to manage access to Vault resources.