25.4. Storing a User's Personal Secret
This section shows how a user can create one or more private vaults to securely store personal secrets. The user then retrieves the secrets when required, on any machine in the domain. For example, the user can archive a personal certificate in a vault, thus storing the certificate securely in a centralized location.
This section includes these procedures:

- Section 25.4.1, “Archiving a User's Personal Secret”
- Section 25.4.2, “Retrieving a User's Personal Secret”

In the procedures:

- `user` is the user who wants to create the vault
- `my_vault` is the vault used to store the user's certificate
- the vault type is `standard`, so that accessing the archived certificate does not require the user to provide a vault password
- `secret.txt` is the file containing the certificate that the user wants to store in the vault
- `secret_exported.txt` is the file to which the user exports the archived certificate
25.4.1. Archiving a User's Personal Secret
Create a private user vault and store your certificate in it. The vault type is `standard`, which means you will not be asked for a vault password when accessing the certificate; your Kerberos identity is sufficient.
- Log in as `user`:

    $ kinit user

- Use the `ipa vault-add` command to create a standard vault:

    $ ipa vault-add my_vault --type standard
    ----------------------
    Added vault "my_vault"
    ----------------------
      Vault name: my_vault
      Type: standard
      Owner users: user
      Vault user: user
Important
Make sure the first user vault for a user is created by the same user. For example, if another user, such as `admin`, creates the first user vault for `user1`, the owner of the user's vault container will also be `admin`, and `user1` will be unable to access the user vault or create new user vaults. See also Section B.5.1, “Users Cannot Access Their Vault Due To Insufficient 'add' Privilege”.

- Use the `ipa vault-archive --in` command to archive the `secret.txt` file into the vault:

    $ ipa vault-archive my_vault --in secret.txt
    -----------------------------------
    Archived data into vault "my_vault"
    -----------------------------------
Note
One vault can only store one secret.
25.4.2. Retrieving a User's Personal Secret
Export the certificate from your private standard vault.
- Log in as `user`:

    $ kinit user

- Use the `ipa vault-retrieve --out` command to retrieve the contents of the vault and save them into the `secret_exported.txt` file:

    $ ipa vault-retrieve my_vault --out secret_exported.txt
    --------------------------------------
    Retrieved data from vault "my_vault"
    --------------------------------------
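The two procedures above combined into one shell function, added here as an example that is not part of the Red Hat page: it creates the standard vault only if it is missing (using `ipa vault-show`, which the page does not mention), archives the file, retrieves it, and verifies the exported copy byte-for-byte. It assumes the `ipa` client is installed and that `kinit user` has already been run for the vault owner.

```shell
#!/bin/sh
# Added example, not from the original documentation.
# Assumes an IdM-enrolled client and a valid Kerberos ticket for the
# vault owner (run `kinit user` first).

# vault_roundtrip VAULT SECRET_FILE EXPORT_FILE
# Returns 0 when the retrieved copy matches the original secret file;
# a distinct non-zero code tells you which step failed.
vault_roundtrip() {
    vault="$1"; secret="$2"; exported="$3"

    # Refuse to proceed without a readable secret file.
    [ -r "$secret" ] || { echo "cannot read $secret" >&2; return 2; }

    # Create the standard vault only if it does not exist yet, so the
    # function is safe to re-run. Create it as the owning user: a vault
    # container first created by someone else (e.g. admin) belongs to them.
    if ! ipa vault-show "$vault" >/dev/null 2>&1; then
        ipa vault-add "$vault" --type standard >/dev/null || return 3
    fi

    # One vault holds one secret: archiving again replaces the stored data.
    ipa vault-archive "$vault" --in "$secret" >/dev/null || return 4

    # Retrieve into the export file and confirm it matches the original.
    ipa vault-retrieve "$vault" --out "$exported" >/dev/null || return 5
    cmp -s "$secret" "$exported"
}
```

Call it as `vault_roundtrip my_vault secret.txt secret_exported.txt`; a non-zero return other than 1 points at the failing `ipa` step, while 1 means the export differs from the input.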