Skip to main content

Secret configurations from files

Learn how to configure secrets for Piiano Vault securely by reading them from file


If you're using the hosted version of Vault, Piiano securely manages secrets for your instance.

In some deployments, there is a security requirement for secrets, such as the database password, to be read from files instead of environment variables. This is considered more secure because environment variables are usually more exposed.

Vault supports reading sensitive configurations from files at startup. The following configurations are supported:

SecretPathEnvironment variable
Database password/etc/pvault/secrets/db_password/contentPVAULT_DB_PASSWORD
Admin API key/etc/pvault/secrets/api_key/contentPVAULT_SERVICE_ADMIN_API_KEY
KMS seed/etc/pvault/secrets/kms_seed/contentPVAULT_KMS_SEED
KMS export seed/etc/pvault/secrets/kms_export_seed/contentPVAULT_KMS_EXPORT_SEED

Environment variables, if present, override the corresponding values in the default or custom system configuration file.

On this page