Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

25.4. Storing a User's Personal Secret

This section shows how a user can create one or more private vaults to securely store personal secrets. The user then retrieves the secrets when required, on any machine in the domain. For example, the user can archive a personal certificate in a vault, thus storing the certificate securely in a centralized location.
This section includes these procedures:
In the procedures:
  • user is the user who wants to create the vault
  • my_vault is the vault used to store the user's certificate
  • the vault type is standard, so that accessing the archived certificate does not require the user to provide a vault password
  • secret.txt is the file containing the certificate that the user wants to store in the vault
  • secret_exported.txt is the file to which the user exports the archived certificate

25.4.1. Archiving a User's Personal Secret

Create a private user vault and store your certificate in it. The vault type is standard, which ensures you will not be required to authenticate when accessing the certificate.
  1. Log in as user:
    $ kinit user
  2. Use the ipa vault-add command to create a standard vault:
    $ ipa vault-add my_vault --type standard
    ----------------------
    Added vault "my_vault"
    ----------------------
      Vault name: my_vault
      Type: standard
      Owner users: user
      Vault user: user
    Important
    Make sure the first user vault for a user is created by the same user. For example, if another user, such as admin, creates the first user vault for user1, the owner of the user's vault container will also be admin, and user1 will be unable to access the user vault or create new user vaults. See also Section B.5.1, “Users Cannot Access Their Vault Due To Insufficient 'add' Privilege”.
  3. Use the ipa vault-archive --in command to archive the secret.txt file into the vault:
    $ ipa vault-archive my_vault --in secret.txt
    -----------------------------------
    Archived data into vault "my_vault"
    -----------------------------------
    Note
    One vault can only store one secret.

25.4.2. Retrieving a User's Personal Secret

Export the certificate from your private standard vault.
  1. Log in as user:
    $ kinit user
  2. Use the ipa vault-retrieve --out command to retrieve the contents of the vault and save them into the secret_exported.txt file.
    $ ipa vault-retrieve my_vault --out secret_exported.txt
    --------------------------------------
    Retrieved data from vault "my_vault"
    --------------------------------------