25.6. Storing a Common Secret for Multiple Users

download PDF
This section shows how an administrator can create a shared vault and allow other users to access the secret in the vault. The administrator archives a common password into the vault, and the other users are able to retrieve the password on any machine in the domain.
This section includes these procedures:
In the procedures:
  • shared_vault is the vault used to store the common password
  • admin is the administrator who creates the shared vault
  • the vault type is standard, so that accessing the archived password does not require the user to provide a vault password
  • secret.txt is the file containing the common secret
  • user1 and user2 are the users allowed to access the vault

25.6.1. Creating the Shared Vault with the Common Secret

Create a shared vault and use it to store the common secret. Add the users who will be accessing the secret as vault members. The vault type is standard, which ensures any user accessing the secret will not be required to authenticate.
  1. Log in as the administrator:
    $ kinit admin
  2. Create the shared vault:
    $ ipa vault-add shared_vault --shared --type standard
    Added vault "shared_vault"
      Vault name: shared_vault
      Type: standard
      Owner users: admin
      Shared vault: True
  3. Archive the secret into the vault. Add the --shared option to specify that the vault is in the shared container:
    $ ipa vault-archive shared_vault --shared --in secret.txt
    Archived data into vault "shared_vault"
    One vault can only store one secret.
  4. Add user1 and user2 as vault members:
    ipa vault-add-member shared_vault --shared --users={user1,user2}
    Vault name: shared_vault
    Type: standard
    Owner users: admin
    Shared vault: True
    Member users: user1, user2
    Number of members added 2

25.6.2. Retrieving a Secret from a Shared Vault as a Member User

Log in as a member user of the vault, and export the file with the secret from the vault.
  1. Log in as the user1 member user:
    $ kinit user1
  2. Retrieve the secret from the shared vault:
    $ ipa vault-retrieve shared_vault --shared --out secret_exported.txt
    Retrieved data from vault "shared_vault"
Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.