Reverse lookup for secrets

I’m posting this per the instructions here: “if you want to ensure that a pull request is likely to be merged, talk to us! You can find out our thoughts and ensure that your contribution won’t clash or be obviated by Vault’s normal direction. A great way to do this is via the Vault Discussion Forum.”

If we think we’ve found a secret that’s been leaked, but there’s no metadata associated with it, we have no way of knowing which Vault path the secret is kept in and which secret to revoke. Thus, we have need of a reverse lookup of secrets in Vault. How likely is it that Hashicorp would accept that feature as a contribution? I understand that it presents security concerns (e.g. it allows an adversary to confirm the existence of a secret), but this could be an admin-level endpoint with rate limiting.
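One way an operator could implement such a reverse lookup on the admin side, added here as an example that is not part of the thread or of Vault itself: a keyed fingerprint (HMAC-SHA256) index over stored secret values, mapped back to the Vault path and field so a leaked value can be traced and revoked. The in-memory KV_STORE, the index key and the paths are constructed stand-ins for a real KV mount walked under an admin policy.

```python
import hmac
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-in for a Vault KV v2 mount: path -> {field: value}.
# In practice this would be populated by listing and reading the mount with
# the Vault API under an admin-level policy; the dict only makes the example
# run offline. Note the deliberate duplicate token under two paths.
KV_STORE: Dict[str, Dict[str, str]] = {
    "secret/data/app1/db": {"username": "app1", "password": "s3cr3t-db-pass"},
    "secret/data/app2/api": {"token": "tok_live_abc123"},
    "secret/data/app2/api-copy": {"token": "tok_live_abc123"},
    "secret/data/ci/deploy": {"ssh_key": "-----BEGIN KEY----- ... -----END KEY-----"},
}

# Constructed index key; a real deployment would keep it in Vault/KMS so the
# index cannot be turned into a dictionary of guessable plain hashes.
INDEX_KEY = b"constructed-index-key"


def fingerprint(value: str, index_key: bytes) -> str:
    """Keyed fingerprint of a secret value (HMAC-SHA256, hex)."""
    return hmac.new(index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_index(store: Dict[str, Dict[str, str]],
                index_key: bytes) -> Dict[str, List[Tuple[str, str]]]:
    """Map fingerprint -> [(vault path, field)] for every stored value.
    A list is kept per fingerprint so a credential copied to several paths
    is reported (and can be revoked) everywhere it lives."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for path, fields in store.items():
        for field, value in fields.items():
            index.setdefault(fingerprint(value, index_key), []).append((path, field))
    return index


def reverse_lookup(leaked_value: str, index: Dict[str, List[Tuple[str, str]]],
                   index_key: bytes) -> List[Tuple[str, str]]:
    """Return every (path, field) holding the leaked value; empty if unknown.
    Only the fingerprint is compared, so the index never needs the plaintext."""
    return index.get(fingerprint(leaked_value, index_key), [])


if __name__ == "__main__":
    idx = build_index(KV_STORE, INDEX_KEY)
    for hit in reverse_lookup("tok_live_abc123", idx, INDEX_KEY):
        print("leaked value found at", hit)
```

The index itself confirms which values exist, which is the concern raised above, so it belongs behind the same admin-only, rate-limited access as the endpoint being proposed.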

Hey @cbartle,

I think you might get more eyes on this, and discussion around this topic if you post as a feature request in the Vault GitHub repository.

This is also part of HCP Vault Radar, which is currently in a limited availability release.

Ah, I didn’t realize this was a feature of Vault Radar. I’ll post a question as an issue on GitHub. Thanks!