Best practices for logically separating secrets


Scott Hall

Mar 4, 2016, 9:29:09 AM3/4/16
to Vault
We are evaluating vault as a tool to store our secret info.  I have gone through the intro and demo on the website but I am not seeing a suggested best practice as to how to best organize the data.

I have 3 'buckets' of secret data so to speak and do not want to save them all in secret/xxx.  I have not seen a way to create a new mount to store this data.

For example passwords, keys, tokens would be three data buckets.

I would like to store our secret info via vault write password/account xxx=xxx xxx=xxx etc.  How would I create 3 buckets using vault 0.5.1?

David Adams

Mar 4, 2016, 9:47:17 AM3/4/16
to vault...@googlegroups.com
Vault starts up by default with a secret-storage of type 'generic' mounted at secret/, but you can remove that path and mount additional 'generic' stores at any path you like:

$ vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging

$ vault unmount secret
Successfully unmounted 'secret'!

$ vault mount -path passwords generic
Successfully mounted 'generic' at 'passwords'!

$ vault mount -path keys generic
Successfully mounted 'generic' at 'keys'!

$ vault mount -path tokens generic
Successfully mounted 'generic' at 'tokens'!

$ vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
keys/       generic    system       system  
passwords/  generic    system       system  
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging
tokens/     generic    system       system  

-dave


--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/175fb1c7-73de-4f06-864f-9a6bf593494d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
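As an added example (not from the thread or the Vault project): a script that creates the three mounts Dave shows and pairs each with a read-only policy scoped to that mount, which is the practical payoff of separate buckets, since a token holding only "passwords-reader" cannot read anything under keys/ or tokens/. It assumes the Vault 0.5-era CLI (`vault mount`, `vault policy-write`) on PATH with VAULT_ADDR and VAULT_TOKEN set, and the capabilities form of policy syntax; with APPLY unset it only prints what it would do.

```shell
#!/usr/bin/env bash
# Mount one 'generic' backend per bucket and load one read-only policy per
# bucket. Assumptions (not from the thread): Vault 0.5.x CLI on PATH,
# VAULT_ADDR/VAULT_TOKEN exported, capabilities-style policy syntax.
set -eu

BUCKETS="passwords keys tokens"

# bucket_policy NAME: print an HCL policy granting read on NAME/* and nothing else.
bucket_policy() {
  cat <<EOF
# read-only access to the "$1" bucket; no other mount is reachable
path "$1/*" {
  capabilities = ["read"]
}
EOF
}

# mount_cmd NAME: the exact command that creates the bucket (same as Dave's).
mount_cmd() {
  printf 'vault mount -path %s generic\n' "$1"
}

# policy_name NAME: policy name paired with a bucket, e.g. passwords-reader.
policy_name() {
  printf '%s-reader\n' "$1"
}

# apply: actually run the mounts and write the policies (APPLY=1 only).
apply() {
  for b in $BUCKETS; do
    $(mount_cmd "$b")
    bucket_policy "$b" > "/tmp/$(policy_name "$b").hcl"
    vault policy-write "$(policy_name "$b")" "/tmp/$(policy_name "$b").hcl"
  done
}

if [ "${APPLY:-0}" = "1" ]; then
  apply
else
  # dry run: show the mount commands and the policy each bucket would get
  for b in $BUCKETS; do
    mount_cmd "$b"
    bucket_policy "$b"
  done
fi
```

Attach a policy to a token with `vault token-create -policy=passwords-reader` and confirm with `vault read keys/anything` that access outside the bucket is denied.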

Scott Hall

Mar 4, 2016, 11:41:24 AM3/4/16
to Vault
Exactly what I was looking for, thank you.