Need some help understanding a few concepts

Hi everyone,

I’m a software developer doing some research in cryptography right now. I got to understand the basics and moved on to encryption key storage and management. I stumbled upon Vault and I want to use it as EaaS for now. But there are a few concepts I have trouble understanding and integrating in my app.

  1. I want to encrypt some data and I just create a new named key, send data to Vault and get encrypted data. Neat! But how does this work with multiple users? Should I generate a named key per user? Or maybe use one master named key with derivation and derive a key per data encryption?

  2. If key derivation is active, is it safe to store context with data or should it be somehow encrypted, with a different named key?

  3. If I understand correctly, I could use ACL templating to restrict access to keys only to the user to whom said key is assigned. But to do that, when a user registers in my app, should I also create an entity and alias for that user?

I suppose I have many more questions since the amount of information I learned recently is huge, but gotta start somewhere :wink:

Vault supports policies, so you can give each policy access to only certain data. Then you can assign users to those policies. I am using LDAP, and have the LDAP groups map to policies and it is easy to manage.
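For the "one named key per user" layout from item 1 and the ACL templating from item 3, here is an added example of what the templated policy could look like. It is not from the original thread or from HashiCorp; it assumes the transit engine is mounted at `transit/` and that each user's transit key is named after that user's identity entity name (for example `alice`), which is exactly why every app user needs an entity plus an alias on the auth method: the `{{identity.entity.name}}` template only resolves for tokens that are tied to an entity.

```hcl
# Added example policy (not from the original post or from HashiCorp).
# Assumptions: transit mounted at "transit/"; one transit key per user,
# named after the user's identity entity (e.g. entity "alice" -> key "alice").
# A token with no entity behind it cannot satisfy these templated paths,
# so user registration must create an entity and an alias on the auth mount.

# Each user may encrypt and decrypt only with the key named after their entity.
path "transit/encrypt/{{identity.entity.name}}" {
  capabilities = ["update"]
}

path "transit/decrypt/{{identity.entity.name}}" {
  capabilities = ["update"]
}

# Allow the user to read metadata about their own key; transit never returns
# key material through this endpoint, so this is safe to expose.
path "transit/keys/{{identity.entity.name}}" {
  capabilities = ["read"]
}

# Key creation, rotation and deletion are deliberately left out of this policy
# so they stay with an operator or provisioning role, not with end users.
```

With the alternative from item 1 (a single derived key shared by all users), a per-user restriction cannot be expressed through the path alone, since the context travels in the request body rather than in the path; that is the main reason a key-per-user layout pairs more naturally with templated ACLs.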