Vault Secret Engine vs Storage backend

Hello all, I am new to Vault and I am exploring it because I want to configure it at my company on a local private network. For now I have configured a Consul server and use it in the Vault configuration as the storage backend, but I wanted to ask you a few questions:

1. What is the difference between a storage backend and a secret engine?
2. Do I need to enable the Consul secret engine to write the secrets, or shall I enable the key/value secret engine and it will store them in Consul?

Thank you all.

The storage backend is how the data from all of Vault is stored. Think of it as the filesystem where your secrets are being written to/read from.

The secret engine is the “engine” that is doing the storage; different engines take different inputs and produce different outputs depending on what you’re trying to secure. The basic one is a KV secret engine, where you can store key/value pairs and read them back out. A more complex example would be that you can store database authentication, which enables you to create short-lived temporary database users with specific access requirements.

So I have Consul as my storage backend and the KV engine, for example, to write and read my secrets to Consul? Did I get it right?

Just put Consul out of your head. It’s just where the data resides, include of a Consul data node. There is no way to translate Vault data to Consul data, as the data is not available in the Consul UI or CLI.

So where is the Vault data available? Is it not in the Consul cluster?

The data after Vault startup and unsealing (or autounseal) becomes available to be used. Nowhere else.
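
An added example, not part of the thread: a Vault server configuration showing where each of the two concepts lives. The storage backend is a stanza in the server config file, while secrets engines are enabled at runtime through the Vault CLI/API. Addresses, file paths, the hostname and the token are placeholders.

```hcl
# vault.hcl -- Vault server configuration (constructed example).

# Storage backend: where Vault persists its data. Vault encrypts
# everything before writing it here, so Consul only holds ciphertext
# and the values are not readable from the Consul UI or CLI.
storage "consul" {
  address = "127.0.0.1:8500"      # local Consul agent (placeholder)
  path    = "vault/"              # Consul KV prefix Vault writes under
  scheme  = "http"                # use "https" when the agent serves TLS
  token   = "<consul-acl-token>"  # placeholder; scope it to the prefix above
}

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"  # placeholder path
  tls_key_file  = "/etc/vault/tls/vault.key"  # placeholder path
}

api_addr = "https://vault.example.internal:8200"  # placeholder hostname

# Secrets engines are not declared in this file. They are enabled at
# runtime, after Vault is initialized and unsealed:
#
#   vault secrets enable -path=secret kv
#   vault kv put secret/myapp password=example
#   vault kv get secret/myapp
#
# The Consul secrets engine (vault secrets enable consul) is a separate
# feature that issues Consul ACL tokens. It is not required for storing
# secrets when Consul is the storage backend.
```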