Well-Architected Framework
Store static secrets
A static secret is any secret, such as a password or API key, that you create and maintain over a long period of time. The secret value remains the same until you change or rotate it. It is important to secure static secrets, just as you would any other form of sensitive data. Secrets are often classified as restricted because unauthorized access to these secrets can cause severe damage to the organization.
Why should you store static secrets?
While you often classify secrets as restricted, you still need to use these secrets to access systems or configure applications to access other services using the secret. Because both individual users and applications require access to these secrets, securely storing them with proper authentication and authorization is critical to your organization's security posture and reputation.
HashiCorp Vault's key/value (KV) secrets engine allows you to store any type of arbitrary secret, such as usernames, passwords, and API keys. You can even store static TLS certificates that cannot be provisioned automatically by base64 encoding the certificate and saving it as a KV value.
You can protect and manage access to the secrets stored in Vault's KV secrets engine using Vault's robust access control policy framework, and incorporate advanced Sentinel policies to ensure only authorized individuals or applications access the secrets they are entitled to.
Vault is available as a self-hosted application, or you can get started with Vault quickly using the HashiCorp Cloud Platform. Sentinel integrates with both self-hosted Vault and HCP Vault Dedicated.
Store static secrets with Vault
Before you deploy Vault, take time to plan a KV storage architecture to ensure teams and applications (clients) have access based on your organization's security requirements. You can store all secrets in a single instance of the KV secrets engine, or enable multiple KV secrets engines at unique paths.
Once you have solidified your plan for the KV secrets engine, enable the secrets engine using your Vault administrator's preferred tools. Vault supports a command line interface (CLI), application programming interface (API), web-based user interface (UI), HashiCorp Terraform, and many other configuration management tools such as Ansible.
Once you have enabled the KV secrets engine, and assigned an appropriately scoped policy to a client, any authenticated client assigned the policy can interact with the secret based on the policy. You can learn how to enable the KV secrets engine, write a policy, and assign it to a client using the UI, CLI, API, and Terraform in the Vault get started series of tutorials.
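The steps above, carried out with Terraform and the Vault provider, as an added example that is not taken from this page or from HashiCorp's own material: two KV v2 engines are enabled at distinct paths, a static secret containing an API key and a base64-encoded TLS certificate is written, and a read-only policy is scoped to one team's mount. The mount names, secret name, variable, and certificate file path are placeholders, and the example assumes an administrator session configured through VAULT_ADDR and VAULT_TOKEN.

```hcl
# Added example, not the page's own code. Assumes VAULT_ADDR/VAULT_TOKEN point
# at an admin session and that ./certs/legacy-app.pem exists (placeholder path).
provider "vault" {}

variable "billing_api_key" {
  type      = string
  sensitive = true
}

# One KV v2 engine per team keeps each policy's scope small.
resource "vault_mount" "payments_kv" {
  path        = "payments"
  type        = "kv"
  options     = { version = "2" }
  description = "Static secrets owned by the payments team"
}

resource "vault_mount" "platform_kv" {
  path        = "platform"
  type        = "kv"
  options     = { version = "2" }
  description = "Static secrets owned by the platform team"
}

# A static secret: an API key plus a TLS certificate that cannot be issued
# dynamically, stored base64-encoded as an ordinary KV field.
resource "vault_kv_secret_v2" "billing_gateway" {
  mount = vault_mount.payments_kv.path
  name  = "billing-gateway"
  data_json = jsonencode({
    api_key  = var.billing_api_key
    tls_cert = filebase64("${path.module}/certs/legacy-app.pem")
  })
}

# KV v2 exposes secret data under <mount>/data/<name>, so the policy must
# grant that API path rather than the logical "payments/billing-gateway".
# Read-only and limited to the payments mount; the platform mount stays
# inaccessible to clients holding this policy.
resource "vault_policy" "payments_read" {
  name   = "payments-read"
  policy = <<-EOT
    path "payments/data/*" {
      capabilities = ["read"]
    }
  EOT
}
```

Clients that authenticate with a token or role carrying the payments-read policy can read secrets under the payments mount and nothing else; a read attempt against platform/data/* is denied by default.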
Next steps
In this section of Secure secrets, you learned how to store static secrets in your organization. Storing static secrets is part of the Secure systems pillar.