fatima

Password and keys

Understand Vault password access, user-key access, and their different powers.

The Vault has two authentication modes: password and user key.

Password access

The password is the administrative credential. It unlocks the Vault for operations that change shared project state:

  • creating and editing project secrets;
  • creating, renaming, and deleting environments;
  • importing .env files;
  • generating user keys;
  • changing the password;
  • reading decrypted snapshots.

The password is also used to derive encryption material for the store. Changing the password re-encrypts the password-protected material.

User-key access

A user key is generated from password-authenticated access and scoped to selected environments. It can read secrets in those environments and write per-user secrets, but it cannot administer the Vault.

Use user keys for applications, CI jobs, and developers who only need selected environments.

Environment scoping

When a user key is created, Fatima wraps access for the selected environments only. If the key is scoped to development, it cannot read production.

Rotation

Rotate access by creating a new user key, distributing it through your normal secret channel, and removing use of the old key. Rotate the password when administrative access should change.