Create and store secrets in HCP Vault Dedicated

5min
|
HCP
Vault

One of the core features of Vault is the ability to read and write arbitrary secrets securely. Vault encrypts secrets when written to the backend storage. Therefore, the backend storage mechanism never sees the unencrypted value and doesn't have the means necessary to decrypt it without Vault.

HashiCups wants to store application secrets such as API keys, passwords, and certificates in HCP Vault Dedicated. In this tutorial, Oliver from HashiCups learns how to create and store secrets using the Key/Value (K/V) secrets engine in HCP Vault Dedicated.

Prerequisites

Completed the Create a Vault Cluster on HashiCorp Cloud Platform (HCP) tutorial.
Completed the Access your HCP Vault Dedicated cluster tutorial.

Key/Value secrets engine

The Key/Value v2 secrets engine is a generic key-value store used to store arbitrary secrets within the configured physical storage for Vault.

The Key/Value secrets engine has version 1 and 2. The difference is that v2 provides versioning of secrets, while v1 does not.

Use the vault kv <subcommand> [options] [args] command to interact with the K/V secrets engine.

Available subcommands:

Subcommand	kv v1	kv v2	Description
delete	x	x	Delete versions of secrets stored in K/V
destroy		x	Permanently remove one or more versions of secrets
enable-versioning		x	Turns on versioning for an existing K/V v1 store
get	x	x	Retrieve data
list	x	x	List data or secrets
metadata		x	Interact with Vault's Key-Value storage
patch		x	Update secrets without overwriting existing secrets
put	x	x	Sets or updates secrets (this replaces existing secrets)
rollback		x	Rolls back to a previous version of secrets
undelete		x	Restore the deleted version of secrets

Enable secrets engine

(Persona: operations)

Before teams at HashiCups can write secrets to HCP Vault, Oliver must enable the key/value v2 secrets engine. You enable a secrets engine in a specific namespace. The secrets you create in the admin namespace are not accessible from other namespaces by default.

In the Vault UI, set the current namespace to admin/.
Select Secrets engines.
Click Enable new engine.
Select KV from the list, and then click Next.
Enter secret in the Path field.
Click Enable Engine to complete.

If you did not set the VAULT_ADDR, VAULT_NAMESPACE, and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.

Verify that the VAULT_NAMESPACE environment variable is set to admin.
```
$ echo $VAULT_NAMESPACE
admin
```
If not, be sure to set it before you continue.
```
$ export VAULT_NAMESPACE=admin
```

Enable the key/value v2 secrets engine (kv-v2) at secret/.

$ vault secrets enable -path=secret kv-v2
Success! Enabled the kv-v2 secrets engine at: secret/

Each API request requires the token and Vault address. If you did not set the VAULT_ADDR and VAULT_TOKEN environment variables, refer to the steps in the Create a Vault Cluster on HCP tutorial.

Enable KV v2 at secret/.

$ curl --header "X-Vault-Token: $VAULT_TOKEN" \
    --header "X-Vault-Namespace: admin" \
    --request POST \
    --data '{ "type": "kv-v2" }' \
    $VAULT_ADDR/v1/sys/mounts/secret

NOTE: Instead of passing the target namespace using the X-Vault-Namespace header, you can specify the namespace in the API endpoint, /admin/sys/mounts/secret. In that case, the cURL command becomes:

$ curl --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data '{ "type": "kv-v2" }' \
    $VAULT_ADDR/v1/admin/sys/mounts/secret

You can choose whichever method you prefer.

Knowledge checks

A quiz to test your knowledge.

What is the default namespace used when you first access your HCP Vault Dedicated cluster?
🔘 root/
🔘 system/
🔘 admin/
🔘 default/
❌ root/
❌ system/
✅ admin/
❌ default/
What is the difference between Key/Value v1 and Key/Value v2 secrets engines in Vault?
🔘 KV v2 provides versioning of secrets, while KV v1 does not.
🔘 KV v1 supports higher throughput than KV v2.
🔘 KV v2 encrypts secrets while KV v1 stores them in plain text.
🔘 KV v1 allows secret destruction, while KV v2 does not.
✅ KV v2 provides versioning of secrets, while KV v1 does not.
❌ KV v1 supports higher throughput than KV v2.
❌ KV v2 encrypts secrets while KV v1 stores them in plain text.
❌ KV v1 allows secret destruction, while KV v2 does not.
What command would you use in the Vault CLI to store a secret with key db-password and value s3cr3t! at the path secret/database?
vault kv put secret/database db-password="s3cr3t!"

Summary

In this tutorial Oliver enabled one of Vault's secrets engines, giving you an introduction to the key/value v2 secrets engine. After Oliver enables the secrets engine, Danielle from the development team creates and stores secrets in HCP Vault. To learn more about the K/V secrets engine, follow the Versioned Key/Value Secrets Engine tutorial.

Next steps

Oliver enabled the key/value v2 secrets engine and Danielle created and stored secrets in HCP Vault. To fully take advantage of HCP Vault, following security best practices, Oliver needs to learn how to author policies to manage access to Vault resources.

Enable multi-tenancy

Manage access to secrets