Platform On-PremControl accessSecretsHashiCorp Vault

Enable the kv-v2 secrets engine

Itential supports only kv-v2. kv-v1 is not supported.

You must enable and configure the Hashicorp Vault secrets engine before it can manage and share secrets securely.

About the kv-v2 secrets engine

Key-value version 2 (kv-v2) is a secrets engine that stores arbitrary secrets as key-value pairs with built-in versioning capabilities.

Why use kv-v2

Version control

  • Maintains complete history of secret changes
  • Allows you to retrieve or restore previous versions
  • Prevents accidental data loss from overwrites

Enhanced safety

  • Soft deletes allow secret recovery within a retention period
  • Check-and-Set operations prevent concurrent update conflicts
  • Configurable retention policies control how many versions to keep

Audit capabilities

  • Tracks creation time, modification time, and version numbers
  • Provides complete audit trail of secret changes
  • Enables compliance with security policies

Kv-v2 is HashiCorp’s recommended version for production use. It supersedes KV-V1, which lacks versioning and soft delete capabilities.

How versioning works

Each time you update a secret, kv-v2 creates a new version while preserving previous versions:

$# Create initial secret (version 1)
$vault kv put kv-v2/network/routers password=secret123
$
$# Update secret (version 2, version 1 still exists)
$vault kv put kv-v2/network/routers password=newSecret456
$
$# Retrieve latest version
$vault kv get kv-v2/network/routers
$
$# Retrieve specific version
$vault kv get -version=1 kv-v2/network/routers

API path structure

Kv-v2 uses a specific API path format that includes /data/:

http://localhost:8200/v1/kv-v2/data/<secret-path>

This /data/ segment distinguishes secret data from metadata and configuration endpoints. You’ll see this reflected in the Itential Platform configuration.

Enable kv-v2 secrets engine

1

Enable the engine

Run the following command to enable the KV secrets engine. Version 2 is recommended for Vault.

$vault secrets enable kv-v2
2

Update properties file

Navigate to /opt/pronghorn/current and edit the properties.json file with the location of the token.txt file. See Configure Vault properties for details.

Configure Vault properties

To use Vault, add a vaultProps section to your properties.json file.

Configuration parameters

PropertyRequiredDefaultDescription
urlYeshttp://localhost:8200The URL to connect to Vault, including hostname and port
tokenYes/file/path/token.txtFile path to a document containing the authentication token
endpointYessecret/dataThe endpoint for the secrets engine type
readOnlyYesfalseManages how secret data is written to Vault
authMethodNotokenAuthorization method: token or approle
role_idNo""Vault RoleId for AppRole authentication
secret_idNo""Vault SecretID for AppRole authentication

Token-based authentication

Example configuration for token-based authentication:

1"vaultProps": {
2  "url": "http://localhost:8200",
3  "authMethod": "token",
4  "token": "/opt/vault/token.txt",
5  "endpoint": "kv-v2/data",
6  "readOnly": false
7}

The endpoint value kv-v2/data includes the /data path segment required by kv-v2 to access secret data. This distinguishes it from metadata or configuration endpoints.

An unspecified authMethod defaults to token-based authentication, maintaining compatibility with previous Itential Platform configurations.

AppRole authentication

Example configuration for AppRole authentication:

1"vaultProps": {
2  "url": "http://localhost:8200",
3  "authMethod": "approle",
4  "role_id": "cfb83d9f-fd94-e046-71e2-dcd51147288d",
5  "secret_id": "68df6e13-02b2-b60d-a39f-f8b879277d48",
6  "endpoint": "kv-v2/data",
7  "readOnly": false
8}

Setup of AppRole authentication and generation of role_id and secret_id must be done separately, including setting valid policies and TTL/usage limits.

File path structure

The endpoint path can be customized. Here’s an example URL structure where v1 is a hard-coded file path in Itential Platform:

http://localhost:8200/v1/kv-v2/data

URL components:

  • http://localhost:8200 - Vault server address
  • /v1 - Vault API version
  • /kv-v2 - Secrets engine mount point
  • /data - kv-v2 data endpoint (required for accessing secret values)

Configure readOnly property

The readOnly property in vaultProps controls how secret data is written to Vault. This property defaults to false.

When set to true:

  • UI masking is disabled
  • Clear text is shown
  • Custom user decorations are ignored
  • Itential Platform will not write data to Vault

If you change readOnly from false to true after storing passwords in Vault, all passwords will be lost and must be set manually.

Verify configuration

After enabling kv-v2 and configuring Vault properties:

1

Restart Itential Platform

Restart Itential Platform to apply the configuration changes.

$sudo systemctl restart itential-platform
2

Check Platform logs

Review Platform logs to confirm successful Vault connection:

$sudo journalctl -u itential-platform -f

Look for messages indicating successful Vault authentication.

3

Test secret storage

Create a test secret in Vault and verify Platform can retrieve it. See Create secrets for details.

Additional resources

Next steps

Create secrets
Automatic encryption