Can't figure out how to protect Vault hack

Hi @dcgsteve, welcome to the community. I’d recommend checking out the security model in our docs for some detailed discussion on this topic.

I think what you’re getting at is closely related to “secure introduction”, and the level of protection you require will depend on your threat model. Vault has a fairly wide selection of auth methods, and some of them allow single-use secrets such as AppRole, and Vault Enterprise has support for MFA, but in general I think physical access to the client is quite a difficult scenario to defend against because auth methods rely on possessing some initial secret material that they can exchange with Vault to prove their identity. If an attacker has that same secret material, then they can spoof the real client.

Finally, it’s worth mentioning an incomplete set of defence-in-depth layers you may also want to consider:

  • Restrictive ACL policies to limit blast radius of breaches
  • Dynamic secrets where possible to limit duration of breaches
  • Audit logging to enable alerting and retrospective action
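To make the AppRole and defence-in-depth points above concrete, here is an added example script (not part of the original thread, and not HashiCorp's own code) that wires them together: a least-privilege policy, an AppRole whose SecretIDs are single-use, short-lived and CIDR-bound, a file audit device, and a response-wrapped SecretID hand-off so the orchestrator that delivers it never sees the SecretID itself. The role name `web`, the KV v2 mount at `secret/` with data under `secret/data/web/*`, the client subnet `10.0.0.0/24` and the audit log path are all assumptions for illustration. Setting `VAULT=echo` dry-runs the script by printing the commands instead of executing them.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes an operator shell with
# VAULT_ADDR and VAULT_TOKEN already set; role name, mount, CIDR and audit
# log path below are illustrative assumptions. VAULT=echo dry-runs it.
set -eu
VAULT="${VAULT:-vault}"

# Least-privilege policy: the service can read only its own KV v2 secrets
# and renew its own token; nothing else. Limits blast radius of a stolen token.
render_policy() {
  role="$1"
  printf '%s\n' \
    "# read-only access to this service's own KV v2 secrets" \
    "path \"secret/data/${role}/*\" {" \
    "  capabilities = [\"read\"]" \
    "}" \
    "# allow the client to renew its own token only" \
    "path \"auth/token/renew-self\" {" \
    "  capabilities = [\"update\"]" \
    "}"
}

# One-time setup: audit device (for alerting and retrospective analysis)
# and the AppRole auth method. Re-running these returns "path already in use".
enable_audit_and_approle() {
  "$VAULT" audit enable file file_path=/var/log/vault_audit.log
  "$VAULT" auth enable approle
}

# Operator side: write the policy and create a role whose SecretIDs are
# single-use, expire in 5 minutes, and are only usable from the client subnet.
# Tokens are short-lived and also bound to that subnet.
configure_approle() {
  role="$1"; cidr="$2"
  render_policy "$role" | "$VAULT" policy write "$role" -
  "$VAULT" write "auth/approle/role/${role}" \
    token_policies="$role" \
    token_ttl=20m token_max_ttl=1h \
    secret_id_ttl=5m \
    secret_id_num_uses=1 \
    secret_id_bound_cidrs="$cidr" \
    token_bound_cidrs="$cidr"
}

# Orchestrator side: mint one SecretID, response-wrapped. Only the wrapping
# token is handed to the client; it can be unwrapped exactly once within 120s,
# so a copied wrapping token is detected when the real client's unwrap fails.
issue_wrapped_secret_id() {
  role="$1"
  "$VAULT" write -f -wrap-ttl=120s -field=wrapping_token \
    "auth/approle/role/${role}/secret-id"
}

# Client side: the RoleID is baked into the client's config (an assumption),
# the SecretID arrives via the wrapping token, and the login yields a token.
client_login() {
  role_id="$1"; wrapping_token="$2"
  secret_id=$("$VAULT" unwrap -field=secret_id "$wrapping_token")
  "$VAULT" write -field=token auth/approle/login \
    role_id="$role_id" secret_id="$secret_id"
}

# Usage (operator):  enable_audit_and_approle; configure_approle web 10.0.0.0/24
# Usage (orchestrator): WT=$(issue_wrapped_secret_id web)  # deliver WT to client
# Usage (client):    TOKEN=$(client_login "$ROLE_ID" "$WT")
```

The single-use SecretID plus a short `secret_id_ttl` is what turns "attacker copied the file" into a race the attacker usually loses, and `secret_id_bound_cidrs` and `token_bound_cidrs` shrink where a copied credential can even be presented; the audit device is what lets you notice the failed unwrap or the login from an unexpected address afterwards.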