Are secrets encrypted per identity as well

I can’t seem to find a straightforward answer even though the docs say the following:

Once unsealed [using the master key], each security deposit box still requires the owner to provide a key

What is the “owner’s key”?

I am trying to figure out whether all secrets stored by Vault (in whatever backend) are readable by an operator who is in possession of the master key?

That is, can Vault be used to store any personal secrets because they are somehow (if so, how?) encrypted using the user’s/entity’s key (which might be generated during login on the client’s side), or are all secrets encrypted only once using the same master key, that is, whoever has access to the master key can decrypt the whole vault?


Hi @mike-code,

You don’t even need the master key to read any secret in Vault. A root token would suffice, or any sufficiently privileged token: Policies | Vault by HashiCorp

In the analogy you cite, the “owner’s key” refers to the fact that a user must authenticate (using whatever mechanisms the admin has allowed) and that the result of that is a token which is tied to whatever policies have been defined for that user+auth method. So authing==key, and the ACL policies ensure the key only works for the secrets the user should be able to access.
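To make the "authing==key" point concrete, here is a templated ACL policy of the kind the answer describes. It is an added example, not something from the original thread or from the Vault documentation, and it assumes a KV v2 secrets engine mounted at `secret/` and an auth method that maps each login to an identity entity (both names are assumptions). Nothing in it changes how the data is encrypted; it only changes who the token check lets through.

```hcl
# Added example (not from the original thread): a templated Vault ACL policy.
# Assumes the KV v2 secrets engine is mounted at "secret/" and that users log in
# through an auth method that maps them to an identity entity.
#
# Each authenticated entity may only manage secrets under its own prefix:
# the {{identity.entity.name}} placeholder is replaced with the name of the
# entity bound to the requesting token when the policy is evaluated.
path "secret/data/users/{{identity.entity.name}}/*" {
  capabilities = ["create", "read", "update", "delete"]
}

# KV v2 keeps listing and version metadata on a separate metadata path.
path "secret/metadata/users/{{identity.entity.name}}/*" {
  capabilities = ["list", "read", "delete"]
}

# Everything else under secret/ is denied implicitly: Vault policies are
# default-deny, so a path with no stanza grants no capabilities at all.
```

Load it with `vault policy write user-self user-self.hcl` and attach it to the users' auth method or entities. A token for the entity `alice` can then read `secret/data/users/alice/...` but gets a 403 for `secret/data/users/bob/...`, even though both secrets sit in the same storage backend, encrypted under the same barrier key. That separation lives entirely in the policy check: a root token, or any token carrying a broader policy, reads both paths, which is exactly the answer to the original question about whether possession of the master key (or equivalent privilege) exposes the whole vault.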