Chapter 25. Storing Authentication Secrets with Vaults

A vault is a secure location for storing, retrieving, sharing, and recovering secrets. A secret is security-sensitive data that should only be accessible by a limited group of people or entities. For example, secrets include:
  • passwords
  • PINs
  • private SSH keys
Users and services can access the secrets stored in a vault from any machine enrolled in the Identity Management (IdM) domain.

Note

Vault is only available from the command line, not from the IdM web UI.
Use cases for vaults include:
  • storing personal secrets of a user
  • storing a secret for a service
  • storing a common secret used by multiple users
Note that to use vaults, you must meet the conditions described in Section 25.2, “Prerequisites for Using Vaults”.

25.1. How Vaults Work

25.1.1. Vault Owners, Members, and Administrators

IdM distinguishes the following vault user types:
Vault owner
A vault owner is a user or service with basic management privileges on the vault. For example, a vault owner can modify the properties of the vault or add new vault members.
Each vault must have at least one owner. A vault can also have multiple owners.
Vault member
A vault member is a user or service who can access a vault created by another user or service.
Vault administrator
Vault administrators have unrestricted access to all vaults and are allowed to perform all vault operations.

Note

Symmetric and asymmetric vaults are protected with a password or key and apply special access control rules (see Section 25.1.2, “Standard, Symmetric, and Asymmetric Vaults”). The administrator must meet these rules to:
  • access secrets in symmetric and asymmetric vaults
  • change or reset the vault password or key
A vault administrator is any user with the Vault Administrators privilege. See Section 10.4, “Defining Role-Based Access Controls” for information on defining user privileges.
Certain owner and member privileges depend on the type of the vault. See Section 25.1.2, “Standard, Symmetric, and Asymmetric Vaults” for details.

Vault User

The output of some commands, such as the ipa vault-show command, also displays Vault user for user vaults:
$ ipa vault-show my_vault
  Vault name: my_vault
  Type: standard
  Owner users: user
  Vault user: user
The vault user represents the user in whose container the vault is located. For details on vault containers and user vaults, see Section 25.1.4, “Vault Containers” and Section 25.1.3, “User, Service, and Shared Vaults”.

25.1.2. Standard, Symmetric, and Asymmetric Vaults

The following vault types are based on the level of security and access control:
Standard vault
Vault owners and vault members can archive and retrieve the secrets without having to use a password or key.
Symmetric vault
Secrets in the vault are protected with a symmetric key. Vault members and vault owners can archive and retrieve the secrets, but they must provide the vault password.
Asymmetric vault
Secrets in the vault are protected with an asymmetric key. Users archive the secret using a public key and retrieve it using a private key. Vault members can only archive secrets, while vault owners can both archive and retrieve secrets.

25.1.3. User, Service, and Shared Vaults

The following vault types are based on ownership:
User vault: a private vault for a user
Owner: a single user.
Any user can own one or more user vaults.
Service vault: a private vault for a service
Owner: a single service.
Any service can own one or more service vaults.
Shared vault
Owner: the vault administrator who created the vault. Other vault administrators also have full access to the vault.
Shared vaults can be used by multiple users or services.
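The access rules of Section 25.1.2 and the shared vaults of Section 25.1.3 show up directly in the flags each ipa vault command needs. The script below is an added example, not from the guide: thin wrappers around the real ipa vault commands plus an end-to-end asymmetric flow. It assumes an enrolled IdM client with a Kerberos ticket; the IPA_CMD variable and the names app_vault, deployer and the .pem/.txt files are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Assumes the ipa CLI and a
# valid ticket (kinit). IPA_CMD is a hypothetical hook so a test can stub
# the binary; on a real client leave it unset.
set -eu
IPA_CMD="${IPA_CMD:-ipa}"

# Standard vault: no password or key; owner/member lists alone decide access.
create_standard_vault() { "$IPA_CMD" vault-add "$1" --type standard; }

# Symmetric vault: the password is needed by owners, members and even
# vault administrators for every archive, retrieve or password change.
create_symmetric_vault() {
    "$IPA_CMD" vault-add "$1" --type symmetric --password-file "$2"
}

# Asymmetric vault: IdM stores only the public key. Members can archive,
# but only the holder of the private key (the owner) can retrieve.
create_asymmetric_vault() {
    "$IPA_CMD" vault-add "$1" --type asymmetric --public-key-file "$2"
}

# Shared vault: created by a vault administrator in the shared container.
create_shared_vault() { "$IPA_CMD" vault-add "$1" --shared --type "$2"; }

grant_member() { "$IPA_CMD" vault-add-member "$1" --users="$2"; }
grant_owner()  { "$IPA_CMD" vault-add-owner  "$1" --users="$2"; }

# Archiving never needs the private key; retrieving does for asymmetric
# vaults, and symmetric vaults need the password file for both directions.
archive_secret()      { "$IPA_CMD" vault-archive  "$1" --in "$2"; }
retrieve_symmetric()  { "$IPA_CMD" vault-retrieve "$1" --password-file "$2" --out "$3"; }
retrieve_asymmetric() { "$IPA_CMD" vault-retrieve "$1" --private-key-file "$2" --out "$3"; }

# End-to-end asymmetric flow; run with RUN_VAULT_DEMO=1 on a real client.
# The member step would be run by 'deployer' after its own kinit.
asymmetric_demo() {
    openssl genrsa -out vault_private.pem 2048             # owner keeps this
    openssl rsa -in vault_private.pem -pubout -out vault_public.pem
    create_asymmetric_vault app_vault vault_public.pem     # public key only
    grant_member app_vault deployer                        # may archive only
    archive_secret app_vault db_password.txt               # no key needed
    retrieve_asymmetric app_vault vault_private.pem out.txt   # owner only
}
if [ "${RUN_VAULT_DEMO:-0}" = 1 ]; then asymmetric_demo; fi
```

The private key never leaves the owner; a compromised member account can add secrets but cannot read the vault, which is the property the asymmetric type is meant to give.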

25.1.4. Vault Containers

A vault container is a collection of vaults.
IdM provides the following default vault containers:
User container: a private container for a user
This container stores the user vaults of a particular user.
Service container: a private container for a service
This container stores the service vaults of a particular service.
Shared container
This container stores vaults that can be shared by multiple users or services.
IdM creates user and service containers for each user or service automatically when the first private vault for the user or service is created. After the user or service is deleted, IdM removes the container and its contents.