Difficulty: beginner
Estimated Time: 10 minutes


This scenario supplements the Versioned Key/Value Secrets Engine guide.

HashiCorp Vault's secrets engines are components responsible for managing secrets:

  • Secrets are pieces of sensitive information that can be used to access infrastructure, resources, data, etc.
  • Some secrets engines simply store and read data
    • For example, a store that behaves like an encrypted Redis/Memcached
  • Some connect to other services and generate dynamic credentials on-demand
  • Others provide encryption as a service (EaaS), TOTP generation, certificates, etc.

This scenario demonstrates the key/value secrets engine v2.

Key/Value secrets engine is used to store arbitrary secrets:

  • Secrets are accessible via interactive or automated means
  • Enforced access control via policies
  • Fully audited access

Secrets are encrypted with 256-bit AES in GCM mode, using a randomly generated nonce, before they are written to the storage backend. Anything that leaves Vault for storage is encrypted, so the storage backend never sees plaintext.

Vault Secrets Engine - Versioned Key/Value

Step 1 of 5

Secrets Engine List

Login with root token.

Clicking on a command in this scenario copies it into the terminal and executes it automatically.

vault login root

First, check the current version of the key/value secrets engine that is ready to use. Run the following command:

vault secrets list -detailed

In the output, locate secret/ and check its version.

Path          Type         ...    Options           Description
----          ----         ...    -------           -----------
cubbyhole/    cubbyhole    ...    map[]             per-token private secret storage
identity/     identity     ...    map[]             identity store
secret/       kv           ...    map[version:2]    key/value secret storage
sys/          system       ...    map[]             system endpoints used for control, policy and debugging

Under Options, it should display that the kv version is 2.

When you run Vault in development mode, a key/value secrets engine version 2 is enabled at secret/ by default.
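Knowing the kv version before running `vault kv` commands matters, because v1 and v2 mounts differ in API paths and features (versioning, metadata, soft deletes). The following shell functions, added here as an example and not part of the original scenario, parse the table format printed by `vault secrets list -detailed` and report the kv version of a given mount. The listing text, including the accessor values, is constructed to mirror the table above; in a real session you would pipe the live command output into the function instead.

```shell
# Added example (not from the original scenario): check which kv version is
# mounted at a path by parsing `vault secrets list -detailed` output.
# The listing below is constructed; accessor values are placeholders.
SAMPLE_SECRETS_LIST='Path          Type         Accessor              Options           Description
----          ----         --------              -------           -----------
cubbyhole/    cubbyhole    cubbyhole_00000001    map[]             per-token private secret storage
identity/     identity     identity_00000002     map[]             identity store
secret/       kv           kv_00000003           map[version:2]    key/value secret storage
sys/          system       system_00000004       map[]             system endpoints used for control, policy and debugging'

# kv_version <mount-path> [listing-text]
# Prints the version recorded in the Options column for the given mount.
# A kv v1 mount shows "map[]" with no version key, so "1" is printed for it.
# Returns non-zero when the mount is absent or is not a kv secrets engine.
# Without a second argument the constructed sample listing is used; pass
# "$(vault secrets list -detailed)" to inspect a live server.
kv_version() {
    mount="$1"
    listing="${2:-$SAMPLE_SECRETS_LIST}"
    printf '%s\n' "$listing" | awk -v mount="$mount" '
        $1 == mount {
            found = 1
            if ($2 != "kv") exit 1
            if (match($0, /version:[0-9]+/)) {
                # "version:" is 8 characters; print only the digits after it
                print substr($0, RSTART + 8, RLENGTH - 8)
            } else {
                print 1
            }
            exit 0
        }
        END { if (!found) exit 1 }
    '
}

# require_kv_v2 <mount-path> [listing-text]
# Succeeds only for a kv version 2 mount, the precondition for v2-only
# operations such as `vault kv get -version` and `vault kv metadata`.
require_kv_v2() {
    v="$(kv_version "$@")" || return 1
    [ "$v" = "2" ]
}

# Usage against the constructed listing: prints "2".
kv_version secret/
```

In a live session, `require_kv_v2 secret/ "$(vault secrets list -detailed)" || echo "secret/ is not kv v2"` gives a guard you can put at the top of scripts that depend on v2 behaviour.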

Get Help

Run the following command to view the full list of vault kv subcommands and their optional parameters:

vault kv -h

To clear the screen, run: clear