
Secrets Engine Module

Enterprise-grade secrets management with encryption, versioning, automated rotation, and secure deployment of SSH keys, certificates, and credentials across your infrastructure.

Overview

The Secrets Engine provides centralized, secure storage and management of sensitive data. Store SSH keys, TLS certificates, API credentials, and passwords with encryption at rest, comprehensive audit logging, and automated deployment to target hosts.

  1. Store Secrets: upload and encrypt sensitive data
  2. Configure Access: set rotation and audit policies
  3. Deploy: securely deploy to target hosts

Secret Types

The Secrets Engine supports multiple secret types for different use cases:

SSH Keys

Store and manage SSH key pairs (ed25519, RSA, and ECDSA) with automated deployment of the public key to authorized_keys on target hosts.

TLS Certificates

TLS certificate storage with private keys and certificate chains, and automated deployment that sets restrictive file permissions on the private key.

API Credentials

Secure storage for API keys, tokens, and OAuth credentials with access logging and rotation capabilities.

Passwords

Encrypted password storage with versioning, allowing secure sharing and rotation of credentials.

Generic Secrets

Store any custom secret data as key-value pairs or structured content with full encryption.

Key Features

Secret Versioning

Track changes to secrets over time with complete version history. Rollback to previous versions when needed and maintain an audit trail of all modifications.

Automated Rotation

Configure automatic rotation schedules to ensure secrets are regularly updated. Supported intervals include daily, weekly, monthly, quarterly, and annually.

Access Logging

Comprehensive audit trail of all secret access, including who accessed what secrets, when, and from where. Essential for compliance and security monitoring.

Fingerprint Tracking

Cryptographic fingerprints are recorded for SSH keys and certificates, so you can quickly confirm that the credential present on a host matches the one stored in the engine and spot drift or tampering.

Secret Deployment

Deploy secrets securely to target hosts with automated configuration:

SSH Key Deployment

Automatically deploy SSH public keys to the authorized_keys file of a named user on each target host; only the public key is written to the host. Specify the user, file permissions, and deployment options for each key.

# Example: Deploy SSH Key
{
  "secret_id": "ssh-key-123",
  "target_hosts": ["web-01", "web-02"],
  "user": "deploy",
  "permissions": "0600"
}

Certificate Deployment

Deploy TLS certificates with their private keys to target hosts. Specify destination paths, separate permissions for the certificate and for the private key, and optionally a service to reload once both files are in place.

# Example: Deploy TLS Certificate
{
  "secret_id": "tls-cert-456",
  "target_hosts": ["nginx-01", "nginx-02"],
  "cert_path": "/etc/ssl/certs/app.crt",
  "key_path": "/etc/ssl/private/app.key",
  "permissions": "0644",
  "key_permissions": "0600",
  "reload_service": "nginx"
}
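
The deployment body above says what to write where; what happens on the host matters just as much. The example below is added here and is not the product's own host-side code. It shows the file handling a certificate deployment needs: the private key is created with its final 0600 mode before any bytes are written (so it is never world-readable, even briefly), both files are replaced atomically so a running nginx never reads a truncated file, and the reload hook fires only after both files are in place. deploy_certificate, its parameters and the reload callable are assumed names for illustration; the PEM contents in run_demo are constructed placeholders, not real key material.

```python
import os
import tempfile
from typing import Callable, Optional

# Added example, not the product's deployment code. Function and
# parameter names below are assumptions for illustration.


def parse_mode(mode: str) -> int:
    """Turn a permissions string as used in the deployment body ("0600")
    into the integer mode os.fchmod expects; reject anything beyond rwx bits."""
    value = int(mode, 8)
    if value & ~0o777:
        raise ValueError("only permission bits are accepted: %s" % mode)
    return value


def _atomic_write(path: str, data: bytes, mode: int) -> None:
    """Write under a temporary name in the same directory, set the final
    mode on the open descriptor before writing, fsync, then rename over
    the destination so readers see either the old or the new file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".deploy-")
    try:
        with os.fdopen(fd, "wb") as fh:
            os.fchmod(fh.fileno(), mode)  # mode is in place before any bytes land
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.replace(tmp, path)  # atomic on the same filesystem
    except BaseException:
        try:
            os.unlink(tmp)
        except FileNotFoundError:
            pass
        raise


def _is_pem(data: bytes, label_suffix: bytes) -> bool:
    """Cheap sanity check on the first PEM header line only."""
    first = data.lstrip().split(b"\n", 1)[0].rstrip(b"\r")
    return first.startswith(b"-----BEGIN ") and first.endswith(label_suffix + b"-----")


def deploy_certificate(cert_pem: bytes, key_pem: bytes, cert_path: str,
                       key_path: str, permissions: str = "0644",
                       key_permissions: str = "0600",
                       reload: Optional[Callable[[], None]] = None) -> dict:
    """Install a certificate and its private key with the given modes, then
    run the reload hook. Raises before touching disk if the key mode would
    grant group or other access or the inputs are not PEM."""
    cert_mode, key_mode = parse_mode(permissions), parse_mode(key_permissions)
    if key_mode & 0o077:
        raise ValueError("private key mode %s grants group/other access" % key_permissions)
    if not _is_pem(cert_pem, b"CERTIFICATE"):
        raise ValueError("cert_pem does not look like a PEM certificate")
    if not _is_pem(key_pem, b"PRIVATE KEY"):
        raise ValueError("key_pem does not look like a PEM private key")
    # Whether the key matches the certificate is not checked here; that needs
    # a crypto library (compare `openssl pkey -pubout` with `openssl x509 -pubkey`).
    _atomic_write(key_path, key_pem, key_mode)
    _atomic_write(cert_path, cert_pem, cert_mode)
    if reload is not None:
        reload()  # only after both files are in place
    return {
        "cert_mode": oct(os.stat(cert_path).st_mode & 0o777),
        "key_mode": oct(os.stat(key_path).st_mode & 0o777),
    }


def run_demo() -> dict:
    """Deploy constructed placeholder PEM blobs (not real key material) into a
    scratch directory and report what a caller would check afterwards."""
    cert = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n-----END PRIVATE KEY-----\n"
    events = []
    with tempfile.TemporaryDirectory() as d:
        cert_path = os.path.join(d, "app.crt")
        key_path = os.path.join(d, "app.key")
        modes = deploy_certificate(
            cert, key, cert_path, key_path, "0644", "0600",
            reload=lambda: events.append((os.path.exists(cert_path), os.path.exists(key_path))))
        modes["reload_calls"] = events
        with open(cert_path, "rb") as fh:
            modes["cert_readback"] = fh.read() == cert
    return modes


if __name__ == "__main__":
    print(run_demo())
```

The mode is applied with fchmod on the open descriptor rather than a chmod after the fact, so the umask of the deploying process never decides what the key looks like during the write; rename-over-destination is what lets a reload be safe, since nginx either opens the old file or the new one and never a partial one.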

API Access

The Secrets Engine is fully accessible via the REST API:

# Secret Management
GET    /api/secrets                    # List all secrets
POST   /api/secrets                    # Create a new secret
GET    /api/secrets/{id}               # Get secret metadata
GET    /api/secrets/{id}/content       # Get secret content
PUT    /api/secrets/{id}               # Update secret
DELETE /api/secrets/{id}               # Delete secret

# Secret Types
GET    /api/secrets/types              # Get available secret types

# Deployment
POST   /api/secrets/deploy-ssh-keys    # Deploy SSH keys
POST   /api/secrets/deploy-certificates # Deploy certificates

Rotation Schedules

Configure automated rotation schedules for your secrets:

Interval    Rotates every    Guidance
Daily       24 hours         recommended for highly sensitive credentials
Weekly      7 days           balanced security and operational overhead
Monthly     30 days          suitable for most use cases
Quarterly   90 days          minimum recommended frequency
Annually    1 year           long-lived certificates and keys

Creating Secrets

To create a new secret:

  1. Navigate to Secrets in the main navigation
  2. Click "Create Secret" to open the secret editor
  3. Enter a descriptive name for the secret
  4. Select the secret type (SSH Key, TLS Certificate, Password, etc.)
  5. Upload or paste the secret content
  6. Configure rotation schedule (optional)
  7. Add tags and metadata for organization
  8. Save the secret - it will be encrypted and stored securely

# Example: SSH Key Secret
{
  "name": "Production Deploy Key",
  "secret_type": "ssh_key",
  "content": {
    "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----...",
    "public_key": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...",
    "key_type": "ed25519"
  },
  "rotation_schedule": "quarterly",
  "tags": ["production", "deployment"]
}
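
Both the create-secret body above and the SSH key deployment body in the Secret Deployment section leave two checks to the operator: that the public key really is the type the metadata claims, and that the key present on the host is the one held in the engine. The example below is added here and is not the product's own code. It parses an OpenSSH public-key line, checks the declared key_type against the type embedded in the key blob, computes the SHA256 fingerprint in the form `ssh-keygen -lf` prints, merges the key into authorized_keys content idempotently, and confirms a deployed key by fingerprint. Function names are assumptions; the key bytes are a constructed placeholder, not a real key.

```python
import base64
import hashlib
import struct

# Added example, not the product's own code. Names below are assumptions.

KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
ROTATION_SCHEDULES = {"daily", "weekly", "monthly", "quarterly", "annually"}


def _wire_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _short_type(key_type: str) -> str:
    """'ssh-ed25519' -> 'ed25519', 'ssh-rsa' -> 'rsa', 'ecdsa-sha2-*' -> 'ecdsa'."""
    return "ecdsa" if key_type.startswith("ecdsa-sha2-") else key_type.split("-", 1)[1]


def constructed_ed25519_line(raw: bytes = bytes(range(32)), comment: str = "deploy@example") -> str:
    """CONSTRUCTED: fixed bytes stand in for a 32-byte ed25519 public key so
    the example runs offline. Not a real key; never deploy it."""
    blob = _wire_string(b"ssh-ed25519") + _wire_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " " + comment


def parse_public_key(line: str):
    """Return (key_type, blob, comment) for an OpenSSH public-key line or raise
    ValueError. The type embedded in the blob must match the declared type."""
    parts = line.split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not a plain OpenSSH public-key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        raise ValueError("key blob is not valid base64")
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != parts[0].encode("ascii"):
        raise ValueError("declared type %s does not match the key blob" % parts[0])
    return parts[0], blob, " ".join(parts[2:])


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as `ssh-keygen -lf` prints it (unpadded base64)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def validate_ssh_key_secret(payload: dict) -> str:
    """Check a create-secret body of type ssh_key before uploading it and
    return the public key's fingerprint for later verification."""
    if payload.get("secret_type") != "ssh_key":
        raise ValueError("secret_type must be ssh_key")
    content = payload.get("content") or {}
    key_type, blob, _ = parse_public_key(content.get("public_key", ""))
    if content.get("key_type") != _short_type(key_type):
        raise ValueError("key_type %r does not match public key type %s"
                         % (content.get("key_type"), key_type))
    first = (content.get("private_key") or "").lstrip().split("\n", 1)[0].rstrip("\r")
    if not (first.startswith("-----BEGIN ") and first.endswith("PRIVATE KEY-----")):
        raise ValueError("private_key is not PEM-encoded private key material")
    schedule = payload.get("rotation_schedule")
    if schedule is not None and schedule not in ROTATION_SCHEDULES:
        raise ValueError("unknown rotation_schedule %r" % schedule)
    return fingerprint(blob)


def merge_authorized_keys(existing: str, new_line: str) -> str:
    """Add new_line to authorized_keys content, keyed on the key blob so a
    re-deploy (or a changed comment) never adds a duplicate. Comments and
    lines with options (command="...", from="...") are kept verbatim."""
    _, new_blob, _ = parse_public_key(new_line)
    out, placed = [], False
    for line in existing.splitlines():
        try:
            _, blob, _ = parse_public_key(line)
        except ValueError:
            out.append(line)
            continue
        if blob == new_blob:
            if not placed:
                out.append(new_line)
                placed = True
            continue  # drop further copies of the same key
        out.append(line)
    if not placed:
        out.append(new_line)
    return "\n".join(out) + "\n"


def verify_deployed(authorized_keys: str, expected_fp: str) -> bool:
    """True if some key line in the file has the expected fingerprint."""
    for line in authorized_keys.splitlines():
        try:
            _, blob, _ = parse_public_key(line)
        except ValueError:
            continue
        if fingerprint(blob) == expected_fp:
            return True
    return False


if __name__ == "__main__":
    line = constructed_ed25519_line()
    fp = fingerprint(parse_public_key(line)[1])
    merged = merge_authorized_keys("# managed by secrets engine\n", line)
    print(fp, verify_deployed(merged, fp))
```

Keying the merge on the decoded blob rather than the whole line is what makes repeated deployments safe: the comment field can change between versions without leaving a stale copy of the key behind, and the fingerprint you compare after deployment is computed over that same blob.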

OpenBAO Integration

The Secrets Engine integrates with an OpenBAO vault (the open-source fork of HashiCorp Vault) for enterprise-grade secret storage:

  • Encryption at rest using OpenBAO's secure storage backend
  • Transit encryption for secrets in flight
  • Policy-based access control to secrets
  • Integration with OpenBAO's audit logging

Requirements

  • Professional or Enterprise license with secrets_engine module
  • OpenBAO vault installation and configuration
  • Network connectivity to license server for module validation