
Secrets Management in Low Trust Networks

Centrally store, access, and deploy secrets across applications, systems, and infrastructure
Graphic — keys connecting with providers

The Challenge

Secrets for applications and systems need to be centralized, and static, IP-based solutions don't scale in dynamic environments where applications and machines change frequently.

Graphic — keys connecting with providers through vault

The Solution

Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity

Dan McTeer at HashiConf 2017

Using Vault to Protect Adobe's Secrets and User Data Across Clouds and Datacenters

Securing secrets and application data is a complex task for globally distributed organizations. For Adobe, managing secrets for over 20 products across 100,000 hosts, four regions, and trillions of transactions annually requires a different approach altogether.

Read Case Study

Secret Management Features


Dynamic Secrets

Dynamically create, revoke, and rotate secrets programmatically.

$ cat vault.config
storage "consul" {
    address = ""
    path    = "vault"
}

listener "tcp" {
    address = ""
}

telemetry {
    statsite_address = ""
    disable_hostname = true
}

Secret Storage

Encrypt data while at rest, in the storage backend of your choice.

Supported storage backends include MySQL, Cassandra, Oracle, Consul, AWS, MongoDB, PostgreSQL, Microsoft SQL, and more.

Identity Plugins

Improve the extensibility of Vault with pluggable identity backends.

$ cat audit.log | jq
{
    "time": "2018-08-27T13:17:11.609621226Z",
    "type": "response",
    "auth": {
        "client_token": "hmac-sha256:5c40f1e051ea75b83230a5bf16574090f697dfa22a78e437f12c1c9d226f45a5",
        "accessor": "hmac-sha256:f254a2d442f172f0b761c9fd028f599ad91861ed16ac3a1e8d96771fd920e862",
        "display_name": "token",
        "metadata": null,
        "entity_id": ""
    }
}

Detailed Audit Logs

Detailed audit log of all client interactions (authentication, token creation, secret access, and revocation).
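As an added example (not from this page or from HashiCorp), a small Python analyzer for the audit-log layout shown above: it counts dynamic-credential reads per HMAC'd token accessor and lists responses Vault logged with an error. The log lines, accessor values, request paths, and the threshold are constructed for illustration.

```python
import json
from collections import Counter

# Constructed audit-log lines (not real Vault output) using the field layout shown
# on this page: time, type, auth.accessor (an HMAC-SHA256 of the token accessor),
# plus request.path/operation and the top-level "error" string Vault emits on failures.
A, B = "hmac-sha256:constructed-accessor-a", "hmac-sha256:constructed-accessor-b"

def _entry(t, typ, acc, op, path, err=""):
    return json.dumps({"time": t, "type": typ, "auth": {"accessor": acc, "display_name": "token"},
                       "request": {"operation": op, "path": path}, "error": err})

SAMPLE_AUDIT_LOG = "\n".join([
    _entry("2018-08-27T13:17:10Z", "request", A, "read", "database/creds/readonly"),
    _entry("2018-08-27T13:17:11Z", "response", A, "read", "database/creds/readonly"),
    _entry("2018-08-27T13:17:12Z", "response", A, "read", "database/creds/readonly"),
    _entry("2018-08-27T13:17:13Z", "response", A, "read", "database/creds/readonly"),
    _entry("2018-08-27T13:17:14Z", "response", B, "read", "database/creds/readonly"),
    _entry("2018-08-27T13:17:15Z", "response", B, "read", "secret/app/config",
           "1 error occurred:\n\t* permission denied\n\n"),
    '{"time": "2018-08-27T13:17:16Z", "type": "resp',  # line cut mid-write by the shipper
])

def parse_audit_log(text):
    """One dict per JSON line; a truncated or partial line is skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        try:
            entries.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return entries

def reads_per_accessor(entries, path_prefix="database/creds/"):
    """Successful dynamic-credential reads per HMAC'd accessor. Only 'response'
    entries count, so a request/response pair is not counted twice."""
    counts = Counter()
    for e in entries:
        req = e.get("request", {})
        if (e.get("type") == "response" and not e.get("error")
                and req.get("operation") == "read"
                and req.get("path", "").startswith(path_prefix)):
            counts[e.get("auth", {}).get("accessor", "")] += 1
    return counts

def denied_requests(entries):
    """(time, accessor, path) for every response Vault logged with an error."""
    return [(e["time"], e.get("auth", {}).get("accessor", ""), e["request"]["path"])
            for e in entries if e.get("type") == "response" and e.get("error")]

def noisy_accessors(counts, threshold):
    """Accessors whose credential reads exceed the threshold, for follow-up."""
    return sorted(a for a, n in counts.items() if n > threshold)
```

Because the accessor is HMAC'd in the log, the same real token always maps to the same string within one audit device, so counting by it is stable without exposing the token.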

$ vault read database/creds/readonly
Key             Value
---             -----
lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
lease_duration  1h0m0s
lease_renewable true
password        A1a-w2xv2zsq4r5ru940
username        v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
Key             Value
---             -----
lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
lease_duration  1h0m0s
lease_renewable true
$ vault lease revoke database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809

Leasing & Revoking Secrets

Manage authorization and create time-based tokens for automatic or manual revocation.

Ready to get started?

Explore Docs