open-vault/website/content/docs/secrets/cubbyhole.mdx

64 lines
1.9 KiB
Plaintext

---
layout: docs
page_title: Cubbyhole - Secrets Engines
description: >-
The cubbyhole secrets engine can store arbitrary secrets scoped to a single
token.
---
# Cubbyhole Secrets Engine
The `cubbyhole` secrets engine is used to store arbitrary secrets within the
configured physical storage for Vault namespaced to a token. In `cubbyhole`,
paths are scoped per token. No token can access another token's cubbyhole. When
the token expires, its cubbyhole is destroyed.
Also unlike the `kv` secrets engine, because the cubbyhole's lifetime is
linked to that of an authentication token, there is no concept of a TTL or
refresh interval for values contained in the token's cubbyhole.
Writing to a key in the `cubbyhole` secrets engine will completely replace the
old value.
## Setup
Most secrets engines must be configured in advance before they can perform their
functions. These steps are usually completed by an operator or configuration
management tool.
The `cubbyhole` secrets engine is enabled by default. It cannot be disabled,
moved, or enabled multiple times.
## Usage
After the secrets engine is configured and a user/machine has a Vault token with
the proper permission, it can generate credentials. The `cubbyhole` secrets
engine allows for writing keys with arbitrary values.
1. Write arbitrary data:
```text
$ vault write cubbyhole/my-secret my-value=s3cr3t
Success! Data written to: cubbyhole/my-secret
```
1. Read arbitrary data:
```text
$ vault read cubbyhole/my-secret
Key Value
--- -----
my-value s3cr3t
```
## Tutorial
Refer to the [Cubbyhole Response Wrapping](/vault/tutorials/secrets-management/cubbyhole-response-wrapping)
tutorial to learn how to securely distribute the initial token to the trusted entity.
## API
The Cubbyhole secrets engine has a full HTTP API. Please see the
[Cubbyhole secrets engine API](/vault/api-docs/secret/cubbyhole) for more
details.