Chapter 25. Storing Authentication Secrets with Vaults
A vault is a secure location for storing, retrieving, sharing, and recovering secrets. A secret is security-sensitive data that should only be accessible by a limited group of people or entities. For example, secrets include:
- private SSH keys
Users and services can access the secrets stored in a vault from any machine enrolled in the Identity Management (IdM) domain.
Vault is only available from the command line, not from the IdM web UI.
Use cases for vaults include:
- Storing personal secrets of a user
- See Section 25.4, “Storing a User's Personal Secret” for details.
- Storing a secret for a service
- See Section 25.5, “Storing a Service Secret in a Vault” for details.
- Storing a common secret used by multiple users
- See Section 25.6, “Storing a Common Secret for Multiple Users” for details.
Note that to use vaults, you must meet the conditions described in Section 25.2, “Prerequisites for Using Vaults”.
25.1. How Vaults Work
25.1.1. Vault Owners, Members, and Administrators
IdM distinguishes the following vault user types:
- Vault owner
- A vault owner is a user or service with basic management privileges on the vault. For example, a vault owner can modify the properties of the vault or add new vault members.Each vault must have at least one owner. A vault can also have multiple owners.
- Vault member
- A vault member is a user or service who can access a vault created by another user or service.
- Vault administrator
- Vault administrators have unrestricted access to all vaults and are allowed to perform all vault operations.NoteSymmetric and asymmetric vaults are protected with a password or key and apply special access control rules (see Section 25.1.2, “Standard, Symmetric, and Asymmetric Vaults”). The administrator must meet these rules to:
A vault administrator is any user with the
- access secrets in symmetric and asymmetric vaults
- change or reset the vault password or key
Vault Administratorsprivilege. See Section 10.4, “Defining Role-Based Access Controls” for information on defining user privileges.
Certain owner and member privileges depend on the type of the vault. See Section 25.1.2, “Standard, Symmetric, and Asymmetric Vaults” for details.
The output of some commands, such as the ipa vault-show command, also displays
Vault userfor user vaults:
$ ipa vault-show my_vault Vault name: my_vault Type: standard Owner users: user Vault user: user
The vault user represents the user in whose container the vault is located. For details on vault containers and user vaults, see Section 25.1.4, “The Different Types of Vault Containers” and Section 25.1.3, “User, Service, and Shared Vaults”.
25.1.2. Standard, Symmetric, and Asymmetric Vaults
The following vault types are based on the level of security and access control:
- Standard vault
- Vault owners and vault members can archive and retrieve the secrets without having to use a password or key.
- Symmetric vault
- Secrets in the vault are protected with a symmetric key. Vault members and vault owners can archive and retrieve the secrets, but they must provide the vault password.
- Asymmetric vault
- Secrets in the vault are protected with an asymmetric key. Users archive the secret using a public key and retrieve it using a private key. Vault members can only archive secrets, while vault owners can both archive and retrieve secrets.
25.1.3. User, Service, and Shared Vaults
The following vault types are based on ownership:
- User vault: a private vault for a user
- Owner: a single user.Any user can own one or more user vaults.
- Service vault: a private vault for a service
- Owner: a single service.Any service can own one or more service vaults.
- Shared vault
- Owner: the vault administrator who created the vault. Other vault administrators also have full access to the vault.Shared vaults can be used by multiple users or services.
25.1.4. The Different Types of Vault Containers
A vault container is a collection of vaults.
IdM provides the following default vault containers:
- User container: a private container for a user
- This container stores: user vaults for a particular user.
- Service container: a private container for a service
- This container stores: service vaults for a particular service.
- Shared container
- This container stores: vaults that can be shared by multiple users or services.
IdM creates user and service containers for each user or service automatically when the first private vault for the user or service is created. After the user or service is deleted, IdM removes the container and its contents.