The Key/Value Secrets Engine is an integral part of almost every Vault implementation. It forms the foundation for securely storing static secrets and is used far more frequently in practice than many dynamic engines.
Following the theoretical introduction in part 2a, this article turns to the practical work with the KV Engine. We demonstrate how to write, read, update and delete secrets, and provide a practical analysis of the differences between KV Version 1 and Version 2. The focus is on production-relevant commands, realistic pitfalls and concrete recommendations for day-to-day operations, which is why I present this knowledge as a mixture of tutorial and cheat sheet.
Read more: HashiCorp Vault Deep Dive – Part 2b: Practical Work with the Key/Value Secrets Engine
Despite careful blast radius minimisation, segmented states and lifecycle guardrails, it can happen sooner or later: a terraform apply accidentally deletes production resources, or a terraform destroy affects more than intended.
What to do once the damage is already done?
In the previous article of this series, I explained how to minimise the blast radius. In this follow-up, I will show proven techniques for restoring damaged Terraform states and limiting the impact after an incident.
Read more: Terraform @Scale - Part 3b: Blast Radius Recovery Strategies
After gaining a solid overview of the entire ecosystem of secrets engines in the first part, we now turn to the daily life of every Vault cluster. The Key/Value (KV) Secrets Engine is the workhorse for all scenarios where secrets need to be securely stored, versioned, and later retrieved selectively.
Read more: HashiCorp Vault Deep Dive - Part 2a: Activating the Key/Value Secrets Engine
🔥 A single terraform destroy - and suddenly, 15 customer systems go offline 🔥
The "Friday afternoon destroyer" has struck again.
In this two-part article, we examine one of the most significant structural infrastructure problems, as well as one of the most underestimated risks of Infrastructure-as-Code, from a management perspective. We help companies systematically minimize blast radius risks.
Because the best explosion is the one that never happens.
Read more: Terraform @ Scale - Part 3a: Blast-Radius Management
Secrets Engines are the core of Vault – they enable us to think of security not just as a matter of storage, but as a process. Whether it's a database password, SSH access, or JWT signature, everything can be managed dynamically, securely, and traceably – if the right engines are known and used correctly. The key lies less in diversity and more in understanding and design. Anyone who wants to use Vault productively cannot avoid a deep understanding of the Secrets Engines.
This article offers a well-founded overview of the function, use cases, and lifecycle of Secrets Engines – from generic engines like KV, Transit, or PKI to specialized modules for cloud and database platforms.
Read more: HashiCorp Vault Deep Dive - Part 1: Fundamentals of Secret Engines