Secret configurations from files

Learn how to configure secrets for Piiano Vault securely by reading them from files.

note

If you're using the hosted version of Vault, Piiano securely manages secrets for your instance.

In some deployments, there is a security requirement for secrets, such as the database password, to be read from files instead of environment variables. This is considered more secure because environment variables are usually more exposed.

Vault supports reading sensitive configurations from files at startup. The following configurations are supported:

| Secret | Path | Environment variable |
| --- | --- | --- |
| Database password | `/etc/pvault/secrets/db_password/content` | `PVAULT_DB_PASSWORD` |
| Admin API key | `/etc/pvault/secrets/api_key/content` | `PVAULT_SERVICE_ADMIN_API_KEY` |
| License | `/etc/pvault/secrets/license/content` | `PVAULT_SERVICE_LICENSE` |
| KMS seed | `/etc/pvault/secrets/kms_seed/content` | `PVAULT_KMS_SEED` |
| KMS export seed | `/etc/pvault/secrets/kms_export_seed/content` | `PVAULT_KMS_EXPORT_SEED` |
| IAM secrets | `/etc/pvault/secrets/secrets_iam_<name>/content` | `PVAULT_SECRETS_IAM_<name>` |

note

Environment variables, if present, override the corresponding values in the default or custom system configuration file.
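
A pre-deployment check for the file-based layout above, as an added example that is not part of Piiano's documentation or tooling. It uses the paths and variable names from the table; the function name `audit_secrets`, the `root` parameter, and the owner-only file permission policy are assumptions of this example, not Vault requirements.

```python
import os
import stat
from pathlib import Path

# Secret -> (path relative to the secrets root, environment variable), copied
# from the table on this page. IAM secrets (secrets_iam_<name>) are left out
# because their names are deployment-specific.
SECRETS = {
    "Database password": ("db_password/content", "PVAULT_DB_PASSWORD"),
    "Admin API key": ("api_key/content", "PVAULT_SERVICE_ADMIN_API_KEY"),
    "License": ("license/content", "PVAULT_SERVICE_LICENSE"),
    "KMS seed": ("kms_seed/content", "PVAULT_KMS_SEED"),
    "KMS export seed": ("kms_export_seed/content", "PVAULT_KMS_EXPORT_SEED"),
}


def audit_secrets(root="/etc/pvault/secrets", env=None):
    """Return (secret, finding) tuples; an empty list means nothing was flagged."""
    env = os.environ if env is None else env
    findings = []
    for name, (rel_path, env_var) in SECRETS.items():
        if env_var in env:
            # The secret is still present in the process environment, which is
            # the exposure that file-based secrets are meant to avoid.
            findings.append((name, f"{env_var} is set in the environment"))
        path = Path(root) / rel_path
        if not path.is_file():
            continue  # not provisioned as a file; nothing to inspect
        st = path.stat()  # follows symlinks, as used by mounted secret volumes
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            # Assumed policy: only the owning user may access a secret file.
            mode = stat.S_IMODE(st.st_mode)
            findings.append((name, f"{path} has mode {mode:o}, expected owner-only"))
        if st.st_size == 0:
            findings.append((name, f"{path} is empty"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_secrets():
        print(f"{name}: {finding}")
```

Run it as the same user and in the same environment that starts Vault, so the environment and file ownership it inspects match what the Vault process will see.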