Storing app user secret in vault

I am a vault beginner :sweat_smile:
Is it possible to store my app user secrets in Vault as KV? Each time a user creates an account, a secret is generated and sent to Vault. Do I have to use a path for each user, like secret/user_id/, and store the key there? Or do I have to use one path for all user secrets? In that case, is there an API to retrieve a user's secret given, for example, the user id?
Thanks in advance :+1:

There is no mechanism that'll do that, but you can obviously do that with the API on some external trigger.

Yes, when a user creates an account, the app will use the API to add that secret to Vault. I want to know what the best way to store secrets is:

  1. Create a path for each user and store the secret there.
    ex: secrets/user1 for user 1, secrets/user2 for user 2 …
  2. Create one path for all the users. Personally I prefer this method, but I can't find an API to retrieve the value of a single field directly. With the Vault CLI I can use a command like vault kv get -field=password secrets/credentials, but I can't find a way to do that with the API.

There is no way. The fields are really just a way of presenting what is actually a single JSON string stored at each path.

If the secrets should be handled together (e.g. a username & password for a single user or similar) then it is a good idea to store them in a single path, but if they are separate they should be at different paths. You also then get the ability to set different access control permissions for each path, as well as separate version history (if using kv2).

@stuart-c is right, there is no way of retrieving a single value from the API; it'll return JSON that you have to parse. But then, if you're using the API, doesn't that mean you can code around it?

vault kv get -output-curl-string secrets/user1
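What aram and stuart-c describe, shown as an added example in Python (this is not code from the thread or from HashiCorp): the HTTP API returns the whole JSON document stored at a path, and the single field the CLI's -field flag would print is selected on the client side. It assumes a KV engine mounted at secret/ and reads the server address and token from VAULT_ADDR and VAULT_TOKEN; the sample response is constructed to match the shape a KV v2 read returns.

```python
import json
import os
import urllib.request

# Assumed deployment details: the usual environment variables the CLI also uses.
VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")


def kv_read_url(mount, path, version=2):
    """Build the read URL for a KV path. KV v2 inserts '/data/' after the mount."""
    if version == 2:
        return f"{VAULT_ADDR}/v1/{mount}/data/{path}"
    return f"{VAULT_ADDR}/v1/{mount}/{path}"


def fetch_json(url):
    """GET a Vault API path with the token header and return the parsed JSON body."""
    req = urllib.request.Request(url, headers={"X-Vault-Token": VAULT_TOKEN})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


def secret_data(response):
    """Return the key/value map from a KV read response.

    KV v1: {"data": {"k": "v"}}
    KV v2: {"data": {"data": {"k": "v"}, "metadata": {...}}}
    (A v1 secret that itself contains 'data' and 'metadata' keys would be
    misread as v2; pass the engine version explicitly if that can happen.)
    """
    data = response.get("data") or {}
    if isinstance(data.get("data"), dict) and "metadata" in data:
        return data["data"]
    return data


def get_field(response, field):
    """API-side equivalent of 'vault kv get -field=<field>': the whole document
    comes back and one key is picked locally. Raises KeyError if it is absent."""
    data = secret_data(response)
    if field not in data:
        raise KeyError(f"field {field!r} not present in secret")
    return data[field]


# Constructed sample of the JSON a KV v2 read of secret/user1 returns.
SAMPLE_KV2_RESPONSE = {
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {"username": "user1", "password": "example-only"},
        "metadata": {"created_time": "2021-01-01T00:00:00Z", "version": 1,
                     "destroyed": False},
    },
}

if __name__ == "__main__":
    # Offline demonstration on the constructed response.
    print(get_field(SAMPLE_KV2_RESPONSE, "password"))
    # Against a live server:
    # get_field(fetch_json(kv_read_url("secret", "user1")), "password")
```

The point of the example is the last function: nothing on the server side narrows the response to one key, so the whole secret is transmitted to (and readable by) the caller every time, which is what makes the "one giant secret" layout costly.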

Hello, excuse me for the late reply. Thank you for your response.
I think it will be good for me to create a new Vault path whenever a user account is created in my app. If I store them together, with more than 2 million fields in a single path, it will be tough for the app to fetch a user secret when needed, because it has to fetch all fields before filtering for this user. One request in my app may require other users' secrets.

Does Vault manage millions of paths very well?

Hello, excuse me for my late reply
Yes, I can parse the JSON and retrieve the secret, but I have to store millions of secrets for my app users, and the idea of retrieving and parsing all secrets just to retrieve one user's secret seems wrong.
Please explain to me the way you would choose; I want to do something like this.
Thank you

It sounds like the entries are totally separate from each other, so should be different paths.

However, if you are trying to use Vault for user management, note that it probably isn't the best solution. A dedicated user management system (such as LDAP, AD, etc.) is probably a much better option.

There are a lot of various limits on engine mounts, metadata size, etc., but AFAIK there is no secret limit; see Limits and Maximums | Vault by HashiCorp

I would NOT store a million k/v pairs in one secret. My suggestion would be to store them in their own secret, or possibly use the first two or three letters of the name as the secret and the k/v can contain the rest. I don't think the issue will be "getting" the secret, but in updating it if it's a very large secret, especially in KV v2, which will save the last n (10 by default) versions of that secret.

[ { "username": "vandeabdou", "password": "ksdfrjlkadjflks" },
  { "username": "vande2", "password": "95nflksdjflkjl" } ]

I would caution against storing lots of unrelated things in one secret. A bug in one of your applications that manages the secret could easily cause data loss (e.g. you want to update the "vande2" entry, but a bug also changes/deletes the "vandeabdou" entry).

Also, going back to security principles, reading lots of unrelated secrets every time you are doing a query or making a change isn't great (you've just massively increased the impact of any data disclosure vulnerability).
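The two layouts discussed above (one path per user, as stuart-c recommends, and aram's "first two or three letters as the secret" variant), together with a KV v2 write that uses check-and-set so an update only lands on the version the app last read. This is an added example in Python, not code from the thread; it assumes a KV v2 mount at secret/, that user ids are opaque identifiers the app itself generates, and the same VAULT_ADDR/VAULT_TOKEN environment as the CLI.

```python
import json
import os
import re
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
MOUNT = "secret"  # assumed KV v2 mount

# Only ids the app generated are accepted. Anything else is rejected before it
# is spliced into a path, so a stray '/' or '..' in an id can never change
# which path a request reads or writes.
USER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def user_secret_location(user_id, layout="per_user", shard_len=3):
    """Return (path, field) for one user's secret under the chosen layout.

    per_user: path 'users/<id>', the key lives in field 'key'
    prefix:   path 'users/<first shard_len chars>', one field per user id
              (aram's suggestion; every read still returns the whole shard)
    """
    if not USER_ID_RE.match(user_id):
        raise ValueError("invalid user id")
    if layout == "per_user":
        return f"users/{user_id}", "key"
    if layout == "prefix":
        return f"users/{user_id[:shard_len]}", user_id
    raise ValueError(f"unknown layout {layout!r}")


def cas_write_payload(data, expected_version):
    """KV v2 write body. With 'options.cas' Vault refuses the write unless the
    secret's current version equals expected_version; 0 means 'create only',
    which stops an account-creation bug from overwriting an existing secret."""
    return {"options": {"cas": expected_version}, "data": data}


def kv2_write(path, data, expected_version):
    """POST to <mount>/data/<path>; a CAS mismatch comes back as HTTP 400."""
    url = f"{VAULT_ADDR}/v1/{MOUNT}/data/{path}"
    body = json.dumps(cas_write_payload(data, expected_version)).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"X-Vault-Token": VAULT_TOKEN,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)


if __name__ == "__main__":
    path, field = user_secret_location("vande2")
    print(path, field)
    # Create-only write for a new account (constructed value):
    # kv2_write(path, {field: "generated-secret"}, expected_version=0)
```

In the per-user layout the CAS version protects one user's secret against lost updates from two writers; in the prefix layout a CAS conflict is raised whenever any user in the shard was written in between, which is one more reason to keep unrelated entries at separate paths.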

@stuart-c @aram this is how my app works

In my database, each user's data is encrypted with a secret linked to that user. So each user has a stored key that is unique to him. These encryption keys are stored in a database in encrypted form by the app. In my research, I saw that Vault not only encrypts well but also acts as a storage engine. I would like to replace my secrets database with Vault.
When a user logs in to the app with his credentials, the app should retrieve the secret from Vault to decrypt/encrypt his data in the app. When a user creates an account in the app, a secret will be generated to encrypt/decrypt his data and stored in Vault.

Is Vault designed for this?

Thank you so much

So each record is encrypted with a different key, which is also stored in the database?

Is there a reason why each user has a different key?

If I were doing something like what I think you are describing, I'd store all the data in a standard database (as you get all the advantages of such systems, including complex queries, indexing, multi-read-replica clusters, etc.) and then use the encryption-as-a-service feature of Vault to encrypt/decrypt that data as needed. However, I wouldn't have a different key per user. Instead, everything is encrypted with the same key, which is periodically rotated (different versions of the key are retained to allow older data still to be decrypted, with a process to re-encrypt data so that old keys can be removed over time).
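The design stuart-c sketches, as an added example in Python (not code from the thread or from HashiCorp): the application keeps ciphertext in its own database and calls the transit engine to encrypt, decrypt and rewrap; key rotation and the re-encryption backlog are driven by the version prefix transit puts on every ciphertext. It assumes a transit engine mounted at transit/ with a key named userdata, and the usual VAULT_ADDR/VAULT_TOKEN environment; the sample rows are constructed.

```python
import base64
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")
KEY_NAME = "userdata"  # assumed transit key name


def _post(path, payload):
    """POST JSON to the Vault API and return the 'data' section of the reply."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}", data=json.dumps(payload).encode(), method="POST",
        headers={"X-Vault-Token": VAULT_TOKEN, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp).get("data", {})


def encrypt(plaintext: bytes) -> str:
    """transit/encrypt: the app sends base64 plaintext and stores the returned
    ciphertext; by default the key itself never leaves Vault."""
    return _post(f"transit/encrypt/{KEY_NAME}",
                 {"plaintext": base64.b64encode(plaintext).decode()})["ciphertext"]


def decrypt(ciphertext: str) -> bytes:
    """transit/decrypt works for any key version >= min_decryption_version."""
    data = _post(f"transit/decrypt/{KEY_NAME}", {"ciphertext": ciphertext})
    return base64.b64decode(data["plaintext"])


def rewrap(ciphertext: str) -> str:
    """transit/rewrap re-encrypts under the newest key version; the plaintext
    is never returned to the application."""
    return _post(f"transit/rewrap/{KEY_NAME}", {"ciphertext": ciphertext})["ciphertext"]


def rotate_key():
    """Create a new key version; existing ciphertext stays decryptable."""
    _post(f"transit/keys/{KEY_NAME}/rotate", {})


def retire_versions_below(min_version):
    """Once every row is rewrapped, raise min_decryption_version so the old
    versions can no longer be used to decrypt anything."""
    _post(f"transit/keys/{KEY_NAME}/config", {"min_decryption_version": min_version})


def ciphertext_version(ciphertext: str) -> int:
    """Transit ciphertext is 'vault:v<N>:<base64>'; N is the key version used."""
    parts = ciphertext.split(":", 2)
    if len(parts) != 3 or parts[0] != "vault" or not parts[1].startswith("v"):
        raise ValueError("not a transit ciphertext")
    return int(parts[1][1:])


def rows_needing_rewrap(rows, current_version):
    """Select the row ids whose ciphertext is still under an older key version:
    this is the re-encryption backlog after rotate_key()."""
    return [row_id for row_id, ct in rows if ciphertext_version(ct) < current_version]


# Constructed sample of (row id, ciphertext) as the app's database would hold it.
SAMPLE_ROWS = [
    ("u1", "vault:v1:Zm9vYmFy"),
    ("u2", "vault:v2:YmF6cXV4"),
    ("u3", "vault:v1:cXV1eA=="),
]

if __name__ == "__main__":
    # Offline: which rows would a rotation to version 2 leave behind?
    print(rows_needing_rewrap(SAMPLE_ROWS, 2))
    # Live rotation cycle (needs a reachable Vault):
    # rotate_key()
    # for row_id in rows_needing_rewrap(SAMPLE_ROWS, 2):
    #     new_ct = rewrap(dict(SAMPLE_ROWS)[row_id])  # store new_ct back in the row
    # retire_versions_below(2)
```

The version prefix is what makes the rotation process safe to run incrementally: rows are rewrapped in batches, the backlog query finds what is left, and only when it is empty is min_decryption_version raised.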

Thank you so much. I will try to re-implement something like this.