Chapter 25. Storing Authentication Secrets with Vaults
- private SSH keys
- Storing personal secrets of a user
- See Section 25.4, “Storing a User's Personal Secret” for details.
- Storing a secret for a service
- See Section 25.5, “Storing a Service Secret in a Vault” for details.
- Storing a common secret used by multiple users
- See Section 25.6, “Storing a Common Secret for Multiple Users” for details.
25.1. How Vaults Work
25.1.1. Vault Owners, Members, and Administrators
- Vault owner
- A vault owner is a user or service with basic management privileges on the vault. For example, a vault owner can modify the properties of the vault or add new vault members. Each vault must have at least one owner. A vault can also have multiple owners.
- Vault member
- A vault member is a user or service who can access a vault created by another user or service.
- Vault administrator
- Vault administrators have unrestricted access to all vaults and are allowed to perform all vault operations.
Note: Symmetric and asymmetric vaults are protected with a password or key and apply special access control rules (see Section 25.1.2, “Standard, Symmetric, and Asymmetric Vaults”). The administrator must meet these rules to:
- access secrets in symmetric and asymmetric vaults
- change or reset the vault password or key
A vault administrator is any user with the Vault Administrators privilege. See Section 10.4, “Defining Role-Based Access Controls” for information on defining user privileges.
The ipa vault-show command also displays the Vault user for user vaults:
$ ipa vault-show my_vault
  Vault name: my_vault
  Type: standard
  Owner users: user
  Vault user: user
25.1.2. Standard, Symmetric, and Asymmetric Vaults
- Standard vault
- Vault owners and vault members can archive and retrieve the secrets without having to use a password or key.
- Symmetric vault
- Secrets in the vault are protected with a symmetric key. Vault members and vault owners can archive and retrieve the secrets, but they must provide the vault password.
- Asymmetric vault
- Secrets in the vault are protected with an asymmetric key. Users archive the secret using a public key and retrieve it using a private key. Vault members can only archive secrets, while vault owners can both archive and retrieve secrets.
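The access rules for the three vault types, combined into a single policy check. This is an added illustration, not code from IdM or from this guide; the role names (owner, member, admin) and the authorize() function are assumptions made for the example.

```python
from enum import Enum


class VaultType(Enum):
    STANDARD = "standard"
    SYMMETRIC = "symmetric"
    ASYMMETRIC = "asymmetric"


ROLES = ("owner", "member", "admin")  # assumed role names for the example


def authorize(vault_type, role, operation, has_password=False, has_private_key=False):
    """Return (allowed, reason) for an archive or retrieve request.

    Models the rules from this chapter: standard vaults need no credential;
    symmetric vaults need the vault password for both operations; asymmetric
    vaults let members archive only, and retrieving needs the private key.
    Vault administrators have unrestricted access but must still meet the
    password/key rules of symmetric and asymmetric vaults.
    """
    if operation not in ("archive", "retrieve"):
        raise ValueError(f"unknown operation: {operation}")
    if role not in ROLES:
        return False, "not an owner, member or administrator of this vault"
    if vault_type is VaultType.ASYMMETRIC and role == "member" and operation == "retrieve":
        return False, "asymmetric vault: members can only archive secrets"
    # Credential rules apply to every role, administrators included.
    if vault_type is VaultType.SYMMETRIC and not has_password:
        return False, "symmetric vault: the vault password is required"
    if vault_type is VaultType.ASYMMETRIC and operation == "retrieve" and not has_private_key:
        return False, "asymmetric vault: the private key is required to retrieve"
    # Archiving into an asymmetric vault uses the public key stored with the vault.
    return True, "allowed"


def access_matrix(has_password=False, has_private_key=False):
    """Evaluate every (type, role, operation) combination with the given credentials."""
    return {
        (vt.value, role, op): authorize(vt, role, op, has_password, has_private_key)[0]
        for vt in VaultType
        for role in ROLES
        for op in ("archive", "retrieve")
    }


if __name__ == "__main__":
    for (vt, role, op), allowed in sorted(access_matrix().items()):
        print(f"{vt:<10} {role:<7} {op:<8} {'allow' if allowed else 'deny'}")
```

Running the block with no credentials shows that only standard vaults and asymmetric archiving are reachable; pass has_password or has_private_key to see the symmetric and asymmetric rows open up.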
25.1.4. Vault Containers
- User container: a private container for a user
- This container stores user vaults for a particular user.
- Service container: a private container for a service
- This container stores service vaults for a particular service.
- Shared container
- This container stores vaults that can be shared by multiple users or services.