Credential Vault Security Overview
user‑id → { encrypted_data_key, ciphertext, metadata }
The vault rejects any credential that is not already encrypted with the correct data key for that user.
tag) without requiring a separate MAC.
| Threat | Mitigation |
|---|---|
| Database breach | Secrets remain encrypted with per-user keys; the attacker lacks the data keys. |
| Compromise of a single data key | Blast radius is limited to that one user. |
| Master key exposure | Master key is stored in a KMS with hardware isolation and strict IAM; every use is logged and alerted on. |
| Replay/tampering | AES-GCM tag validation prevents bit-flipped or stale ciphertext from being accepted. |