Vault
Create and store secrets in HCP Vault Dedicated
One of the core features of Vault is the ability to read and write arbitrary secrets securely. Vault encrypts secrets when written to the backend storage. Therefore, the backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault.
Note
This step assumes that you created and connected to the HCP Vault Dedicated cluster in the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) step.
Key/Value secrets engine
The Key/Value v2 secrets engine is a generic key-value store used to store arbitrary secrets within the configured physical storage for Vault.
The Key/Value secrets engine has two versions, 1 and 2. The difference is that v2 provides versioning of secrets and v1 does not.
Use the vault kv <subcommand> [options] [args] command to interact with the K/V secrets engine.
Available subcommands:
Subcommand | kv v1 | kv v2 | Description |
---|---|---|---|
delete | x | x | Delete versions of secrets stored in K/V |
destroy | | x | Permanently remove one or more versions of secrets |
enable-versioning | | x | Turns on versioning for an existing K/V v1 store |
get | x | x | Retrieve data |
list | x | x | List data or secrets |
metadata | | x | Interact with Vault's Key-Value storage |
patch | | x | Update secrets without overwriting existing secrets |
put | x | x | Set or update secrets (this replaces existing secrets) |
rollback | | x | Rolls back to a previous version of secrets |
undelete | | x | Restore the deleted version of secrets |
Enable secrets engine
First, enable the key/value v2 secrets engine at the secret/ path in the admin namespace. Secrets engines are tied to their namespace. Therefore, the secrets you create in the admin namespace are not accessible from other namespaces.
1. In the Vault UI, set the current namespace to admin/.
2. Select Secrets engines.
3. Click Enable new engine.
4. Select KV from the list, and then click Next.
5. Enter secret in the Path field.
6. Click Enable Engine to complete.
Now that you have a secrets engine enabled, you will create a new secret.
Create secrets
Now that you have enabled a secrets engine, in this scenario the key/value v2 secrets engine, you can store and retrieve secrets from HCP Vault Dedicated.
1. Click Create secret. Enter test/webapp in the Path for this secret field.
2. Under the Secret data section, enter api-key in the key field, and ABC0DEFG9876 in the value field. You can click on the sensitive information toggle to show or hide the entered secret values.
3. Click Save.
4. Click the masked input toggle button to review the value for the api-key key.
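The same steps can be run from the Vault CLI. The script below is an added example, not part of the original tutorial: it assumes VAULT_ADDR and VAULT_TOKEN are already exported for your cluster, and the function names and the VAULT_BIN override are hypothetical helpers introduced here.

```bash
#!/usr/bin/env bash
# Added example: CLI equivalent of the UI steps above.
# Assumption: VAULT_ADDR and VAULT_TOKEN are already exported for the cluster.
# VAULT_BIN is a hypothetical override (not a Vault setting) so the commands
# can be dry-run, e.g. VAULT_BIN=echo prints each command instead of running it.

# Secrets engines are tied to their namespace, so target admin explicitly.
export VAULT_NAMESPACE="admin"

vault_cmd() { "${VAULT_BIN:-vault}" "$@"; }

# Enable the KV secrets engine, version 2, at the secret/ path.
enable_kv_v2() {
  vault_cmd secrets enable -path=secret -version=2 kv
}

# Write api-key under secret/test/webapp. "api-key=-" tells the CLI to read
# the value from stdin, so the secret is not left in shell history or visible
# in the process list the way "api-key=<value>" on the command line would be.
store_api_key() {
  vault_cmd kv put secret/test/webapp api-key=-
}

# Print only the api-key field of the latest version of the secret.
read_api_key() {
  vault_cmd kv get -field=api-key secret/test/webapp
}

# Show the version history of the secret (kv v2 only, per the table above).
show_versions() {
  vault_cmd kv metadata get secret/test/webapp
}

# Run the full sequence only when the script is invoked with "run".
if [ "${1:-}" = "run" ]; then
  enable_kv_v2
  store_api_key      # supply the value on stdin (typed, or piped from a secret source)
  show_versions
fi
```

Because put replaces the existing secret data, each call to store_api_key creates a new version, which show_versions then lists.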
This tutorial gave you a brief introduction to the key/value v2 secrets engine. To understand the features it provides, follow the Versioned Key/Value Secrets Engine tutorial.