One of the issues with keeping personal secrets in Vault is that the admin/root user can read everything in Vault, which makes storing personal secrets there less secure.
To protect a personal secret from root/admin access we can store it in encrypted form, using a private key, GPG, or just a password. Below is an example of protecting the secret with a password.
vault kv put secret/a1db8b2b-760a-a3b5-b1c6-96c10d71aec1/encrypted-secret value=$(echo "my_holy_secret" | openssl enc -aes-256-cbc -a)
enter aes-256-cbc encryption password:
Verifying - enter aes-256-cbc encryption password:
========================== Secret Path ==========================
secret/data/a1db8b2b-760a-a3b5-b1c6-96c10d71aec1/encrypted-secret

======= Metadata =======
Key                Value
---                -----
created_time       2022-12-10T10:24:11.117701Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            2
As you can see, we first create the secret and write its encrypted, base64-encoded form to Vault.
When we try to read it, all we see is the base64 text U2FsdGVkX18DnEb10AfrCvTsrWa4spwbMKbE7pz/+hQ= which, once base64-decoded, looks even more like gibberish.
➜ ~ vault kv get -field=value secret/a1db8b2b-760a-a3b5-b1c6-96c10d71aec1/encrypted-secret
U2FsdGVkX18DnEb10AfrCvTsrWa4spwbMKbE7pz/+hQ=
➜ ~ vault kv get -field=value secret/81688c9b-937f-8638-099b-6613cd835a07/encrypted-secret | base64 -D
Salted__�F��� ��f��������%
➜ ~ vault kv get -field=value secret/a1db8b2b-760a-a3b5-b1c6-96c10d71aec1/encrypted-secret | xargs | openssl enc -aes-256-cbc -a -d
enter aes-256-cbc decryption password:
my_holy_secret
Only the person who knows the password used to encrypt it can decode the stored value back to the original secret; Vault itself, and anyone with root access to it, only ever holds the ciphertext.
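The same client-side envelope, written out in Go as an added example that is not part of the original post and not code from Vault or OpenSSL. It reproduces the blob layout that `openssl enc -aes-256-cbc -pbkdf2 -a` emits with its defaults ("Salted__" magic, 8-byte salt, PBKDF2-HMAC-SHA256 with 10000 iterations yielding key and IV, PKCS#7-padded CBC ciphertext, base64), so the value it produces is what you would hand to `vault kv put`. Note that the commands above omit `-pbkdf2`, so that openssl run uses its legacy single-pass key derivation; an admin who copies the blob out of Vault can only attack it by guessing the password offline, which is why a proper KDF and a strong password matter. The function names `EncryptForVault`, `DecryptFromVault` and `deriveCipher`, and the sample password and secret, are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// Layout produced by `openssl enc -aes-256-cbc -pbkdf2 -a` with its defaults:
// "Salted__" magic, an 8-byte salt, then CBC ciphertext; key (32 B) and IV (16 B)
// come from one PBKDF2-HMAC-SHA256 call with 10000 iterations.
const (
	opensslMagic = "Salted__"
	saltLen      = 8
	pbkdf2Iter   = 10000
	keyLen       = 32
	ivLen        = aes.BlockSize
)

// pbkdf2Sha256 is RFC 8018 PBKDF2 with HMAC-SHA256, standard library only.
func pbkdf2Sha256(password, salt []byte, iter, dkLen int) []byte {
	var out []byte
	mac := hmac.New(sha256.New, password)
	for block := uint32(1); len(out) < dkLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		mac.Reset()
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)              // U1
		t := append([]byte(nil), u...) // T = U1
		for i := 1; i < iter; i++ {    // T ^= U2 ... Uc
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:dkLen]
}

// deriveCipher turns password+salt into the AES cipher and CBC IV the way
// openssl -pbkdf2 does: one derivation call whose output is key||iv.
func deriveCipher(password string, salt []byte) (cipher.Block, []byte, error) {
	keyIV := pbkdf2Sha256([]byte(password), salt, pbkdf2Iter, keyLen+ivLen)
	block, err := aes.NewCipher(keyIV[:keyLen])
	return block, keyIV[keyLen:], err
}

// EncryptForVault returns the base64 blob that is written as the KV value.
// Vault (and its admins) only ever see this string, never the password.
func EncryptForVault(password, plaintext string) (string, error) {
	salt := make([]byte, saltLen)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	block, iv, err := deriveCipher(password, salt)
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS#7, always >= 1
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	raw := append(append([]byte(opensslMagic), salt...), ct...)
	return base64.StdEncoding.EncodeToString(raw), nil
}

// DecryptFromVault reverses EncryptForVault. A wrong password fails the
// padding check or (rarely) returns garbage; it never yields the plaintext.
func DecryptFromVault(password, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	hdr := len(opensslMagic) + saltLen
	if len(raw) < hdr+aes.BlockSize || string(raw[:len(opensslMagic)]) != opensslMagic {
		return "", errors.New("not an OpenSSL salted blob")
	}
	ct := raw[hdr:]
	if len(ct)%aes.BlockSize != 0 {
		return "", errors.New("ciphertext is not block aligned")
	}
	block, iv, err := deriveCipher(password, raw[len(opensslMagic):hdr])
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return "", errors.New("bad padding (wrong password?)")
	}
	return string(pt[:len(pt)-pad]), nil
}

func main() {
	// Constructed sample values for a stand-alone run.
	blob, _ := EncryptForVault("correct horse", "my_holy_secret")
	fmt.Println("value to store in Vault:", blob)
	fmt.Println(DecryptFromVault("correct horse", blob))
}
```

The printed blob is the only thing that reaches Vault; feed it to `vault kv put ... value=<blob>` and read it back with `vault kv get -field=value` exactly as above, decrypting either with `DecryptFromVault` or with `openssl enc -aes-256-cbc -pbkdf2 -a -d`.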