Background:
I used TDE to encrypt the MSSQL database; once TDE is enabled, I export the certificate into .pvk format with password protection and store it on a file server with restricted permissions.
Requirement:
I need to secure the certificate (in .pvk format) in Hashicorp Vault to make sure that no-one can access (or steal) it and decrypt the database.
Do the Hashicorp Vault capabilities match my requirements?
In this situation, it’s unimportant that the secret you want to store is a certificate - it’s just opaque data as far as Vault is concerned. Vault can store arbitrary user data in JSON format in its KV secrets engine - KV - Secrets Engines | Vault | HashiCorp Developer
Mostly… it can store anything that is a valid JSON object meaning you can’t store raw binary data unless you apply your own encoding, e.g. base64, first, to make it fit within the restrictions placed on a JSON string.
Total size stored in any one KV entry is limited as well - the exact limit depends on the choice of storage backend used for Vault as a whole, and various internal overheads, but I estimate that more than 500 kiB would be cause for concern. This shouldn’t be an issue for certificates, which tend to be much smaller than this.
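As an added example (not code from the thread or from HashiCorp), a small Python helper that does what the answer describes: base64-encodes the raw .pvk bytes so they fit in a JSON string, checks the serialized size against the rough 500 kiB ceiling, and verifies a digest on the way back out. The 500 kiB figure, the field names and the `vault kv put secret/tde/cert @payload.json` usage are assumptions.

```python
import base64
import hashlib
import json

# Conservative ceiling for one KV entry, taken from the estimate above (assumed value).
KV_ENTRY_SOFT_LIMIT = 500 * 1024


def build_kv_payload(pvk_bytes: bytes, filename: str) -> dict:
    """Wrap a binary .pvk export as a JSON-safe KV v2 data map.

    Raw bytes cannot go into a JSON string directly, so they are base64-encoded.
    A SHA-256 digest is stored next to them so the consumer can confirm that what
    it decodes is byte-for-byte what was originally stored.
    """
    payload = {
        "filename": filename,
        "encoding": "base64",
        "sha256": hashlib.sha256(pvk_bytes).hexdigest(),
        "pvk_b64": base64.b64encode(pvk_bytes).decode("ascii"),
    }
    # Measure the object as it will actually be serialized; base64 inflates ~4/3.
    serialized = len(json.dumps(payload).encode("utf-8"))
    if serialized > KV_ENTRY_SOFT_LIMIT:
        raise ValueError(f"payload is {serialized} B, over soft limit {KV_ENTRY_SOFT_LIMIT} B")
    return payload


def restore_pvk(payload: dict) -> bytes:
    """Reverse build_kv_payload, refusing output that fails the digest check."""
    if payload.get("encoding") != "base64":
        raise ValueError("unexpected encoding: %r" % payload.get("encoding"))
    raw = base64.b64decode(payload["pvk_b64"], validate=True)
    if hashlib.sha256(raw).hexdigest() != payload["sha256"]:
        raise ValueError("digest mismatch: stored secret is corrupt or was altered")
    return raw


if __name__ == "__main__":
    # Constructed stand-in for a .pvk export: arbitrary bytes including NUL and high values.
    sample = b"\x1e\xf1\xb5\x00" + bytes(range(256)) + b"\x00pvk"
    data = build_kv_payload(sample, "TDE_Cert.pvk")
    # Write `data` to payload.json, then (assumed CLI form):
    #   vault kv put secret/tde/cert @payload.json
    print(json.dumps(data)[:80] + "...")
    assert restore_pvk(data) == sample
```

Read it back with `vault kv get -field=pvk_b64 secret/tde/cert`, decode, and compare the digest before handing the file to SQL Server; a mismatch means the stored copy is not the one you exported.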