2015-04-10 06:31:26 +00:00
|
|
|
---
|
2020-01-18 00:18:09 +00:00
|
|
|
layout: docs
|
|
|
|
page_title: Secrets Engines
|
|
|
|
description: Secrets engines are mountable engines that store or generate secrets in Vault.
|
2015-04-10 06:31:26 +00:00
|
|
|
---
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
# Secrets Engines
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
Secrets engines are components which store, generate, or encrypt data. Secrets
|
|
|
|
engines are incredibly flexible, so it is easiest to think about them in terms
|
2021-02-23 15:17:44 +00:00
|
|
|
of their function. Secrets engines are provided some set of data, they take some
|
2017-09-20 20:05:00 +00:00
|
|
|
action on that data, and they return a result.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
Some secrets engines simply store and read data - like encrypted
|
|
|
|
Redis/Memcached. Other secrets engines connect to other services and generate
|
|
|
|
dynamic credentials on demand. Other secrets engines provide encryption as a
|
|
|
|
service, totp generation, certificates, and much more.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2022-08-17 16:57:47 +00:00
|
|
|
Secrets engines are enabled at a **path** in Vault. When a request comes to
|
|
|
|
Vault, the router automatically routes anything with the route prefix to the
|
|
|
|
secrets engine. In this way, each secrets engine defines its own paths and
|
|
|
|
properties. To the user, secrets engines behave similar to a virtual filesystem,
|
|
|
|
supporting operations like read, write, and delete.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
## Secrets Engines Lifecycle
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
Most secrets engines can be enabled, disabled, tuned, and moved via the CLI or
|
2022-08-17 16:57:47 +00:00
|
|
|
API.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2023-01-26 00:12:15 +00:00
|
|
|
- [Enable](/vault/docs/commands/secrets/enable) - This enables a secrets engine at
|
2022-08-17 16:57:47 +00:00
|
|
|
a given path. With a few exceptions, secrets engines can be enabled at multiple
|
|
|
|
paths. Each secrets engine is isolated to its path. By default, they are
|
|
|
|
enabled at their "type" (e.g. "aws" enables at `aws/`).
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2022-08-17 16:57:47 +00:00
|
|
|
!> **Case-sensitive:** The path where you enable secrets engines is case-sensitive. For
|
|
|
|
example, the KV secrets engine enabled at `kv/` and `KV/` are treated as two
|
|
|
|
distinct instances of KV secrets engine.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2023-01-26 00:12:15 +00:00
|
|
|
- [Disable](/vault/docs/commands/secrets/disable) - This disables an existing
|
2022-08-17 16:57:47 +00:00
|
|
|
secrets engine. When a secrets engine is disabled, all of its secrets are
|
|
|
|
revoked (if they support it), and all the data stored for that engine in
|
|
|
|
the physical storage layer is deleted.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2023-01-26 00:12:15 +00:00
|
|
|
- [Move](/vault/docs/commands/secrets/move) - This moves the path for an existing
|
2022-08-17 16:57:47 +00:00
|
|
|
secrets engine. This process revokes all secrets, since secret leases are tied
|
|
|
|
to the path where they were created. The configuration data stored for the engine
|
|
|
|
persists through the move.
|
|
|
|
|
2023-01-26 00:12:15 +00:00
|
|
|
- [Tune](/vault/docs/commands/secrets/tune) - This tunes global configuration for
|
2022-08-17 16:57:47 +00:00
|
|
|
the secrets engine such as the TTLs.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
Once a secrets engine is enabled, you can interact with it directly at its path
|
|
|
|
according to its own API. Use `vault path-help` to determine the paths it
|
|
|
|
responds to.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-11-06 20:29:09 +00:00
|
|
|
Note that mount points cannot conflict with each other in Vault. There are
|
|
|
|
two broad implications of this fact. The first is that you cannot have
|
|
|
|
a mount which is prefixed with an existing mount. The second is that you
|
|
|
|
cannot create a mount point that is named as a prefix of an existing mount.
|
|
|
|
As an example, the mounts `foo/bar` and `foo/baz` can peacefully coexist
|
|
|
|
with each other whereas `foo` and `foo/baz` cannot
|
2018-01-03 19:02:31 +00:00
|
|
|
|
2015-04-10 06:31:26 +00:00
|
|
|
## Barrier View
|
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
Secrets engines receive a _barrier view_ to the configured Vault physical
|
|
|
|
storage. This is a lot like a [chroot](https://en.wikipedia.org/wiki/Chroot).
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
When a secrets engine is enabled, a random UUID is generated. This becomes the
|
|
|
|
data root for that engine. Whenever that engine writes to the physical storage
|
|
|
|
layer, it is prefixed with that UUID folder. Since the Vault storage layer
|
2020-06-08 15:17:26 +00:00
|
|
|
doesn't support relative access (such as `../`), this makes it impossible for an
|
2017-09-20 20:05:00 +00:00
|
|
|
enabled secrets engine to access other data.
|
2015-04-10 06:31:26 +00:00
|
|
|
|
2017-09-20 20:05:00 +00:00
|
|
|
This is an important security feature in Vault - even a malicious engine
|
|
|
|
cannot access the data from any other engine.
|