Chapter 4. Managing IdM service secrets: storing and retrieving secrets

This section shows how an administrator can use the ansible-freeipa vault module to securely store a service secret in a centralized location. The vault used in the example is asymmetric, which means that to use it, the administrator needs to perform the following steps:

  1. Generate a private key using, for example, the openssl utility.
  2. Generate a public key based on the private key.

The service secret is encrypted with the public key when an administrator archives it into the vault. Afterwards, a service instance hosted on a specific machine in the domain retrieves the secret using the private key. Only the service and the administrator are allowed to access the secret.

If the secret is compromised, the administrator can replace it in the service vault and then redistribute it to those individual service instances that have not been compromised.


This section includes these procedure

Terminology used

In the procedures:

  • admin is the administrator who manages the service password.
  • private-key-to-an-externally-signed-certificate.pem is the file containing the service secret, in this case a private key to an externally signed certificate. Do not confuse this private key with the private key used to retrieve the secret from the vault.
  • secret_vault is the vault created for the service.
  • HTTP/ is the service whose secret is being archived.
  • service-public.pem is the service public key used to encrypt the password stored in password_vault.
  • service-private.pem is the service private key used to decrypt the password stored in secret_vault.

4.1. Storing an IdM service secret in an asymmetric vault

Follow this procedure to create an asymmetric vault and use it to archive a service secret.


  • You know the IdM administrator password.


  1. Log in as the administrator:

    $ kinit admin
  2. Obtain the public key of the service instance. For example, using the openssl utility:

    1. Generate the service-private.pem private key.

      $ openssl genrsa -out service-private.pem 2048
      Generating RSA private key, 2048 bit long modulus
      e is 65537 (0x10001)
    2. Generate the service-public.pem public key based on the private key.

      $ openssl rsa -in service-private.pem -out service-public.pem -pubout
      writing RSA key
  3. Create an asymmetric vault as the service instance vault, and provide the public key:

    $ ipa vault-add secret_vault --service HTTP/ --type asymmetric --public-key-file service-public.pem
    Added vault "secret_vault"
    Vault name: secret_vault
    Type: asymmetric
    Public key: LS0tLS1C...S0tLS0tCg==
    Owner users: admin
    Vault service: HTTP/

    The password archived into the vault will be protected with the key.

  4. Archive the service secret into the service vault:

    $ ipa vault-archive secret_vault --service HTTP/ --in private-key-to-an-externally-signed-certificate.pem
    Archived data into vault "secret_vault"

    This encrypts the secret with the service instance public key.

Repeat these steps for every service instance that requires the secret. Create a new asymmetric vault for each service instance.

4.2. Retrieving a service secret for an IdM service instance

Follow this procedure to use a service instance to retrieve the service vault secret using a locally-stored service private key.



  1. Log in as the administrator:

    $ kinit admin
  2. Obtain a Kerberos ticket for the service:

    # kinit HTTP/ -k -t /etc/httpd/conf/ipa.keytab
  3. Retrieve the service vault password:

    $ ipa vault-retrieve secret_vault --service HTTP/ --private-key-file service-private.pem --out secret.txt
    Retrieved data from vault "secret_vault"

4.3. Changing an IdM service vault secret when compromised

Follow this procedure to isolate a compromised service instance by changing the service vault secret.


  • You know the IdM administrator password.
  • You have created an asymmetric vault to store the service secret.
  • You have generated the new secret and have access to it, for example in the new-private-key-to-an-externally-signed-certificate.pem file.


  1. Archive the new secret into the service instance vault:

    $ ipa vault-archive secret_vault --service HTTP/ --in new-private-key-to-an-externally-signed-certificate.pem
    Archived data into vault "secret_vault"

    This overwrites the current secret stored in the vault.

  2. Retrieve the new secret on non-compromised service instances only. For details, see Retrieving a service secret for an IdM service instance.

4.4. Additional resources