Using Hashicorp Vault for Encryption Secret Management


The information in this document is provided on an as-is basis. You use it at your own risk. We accept no responsibility for errors or omissions, nor do we have any obligation to provide support for implementing or maintaining the configuration described here. Furthermore, we do not warrant that the design presented here is appropriate for your requirements.

SME designs, implements and supports File Fabric Vault solutions for customers on a paid professional services basis. For more information please contact


The Enterprise File Fabric can use one of two methods to store the secret used for at-rest Encryption of files.

  1. File Fabric Maintained Secrets in the Metadata Database
  2. Externally maintained Secrets in Hashicorp Vault

This guide steps you through the configuration of Hashicorp Vault and the Enterprise File Fabric for the second option.

Installation of Vault is out of scope of this document and can be viewed here: Hashicorp Vault - Install

Hashicorp Vault Configuration

Once the vault has been installed, you will need to complete the deployment and create the secrets engine for the SME storage.

Deploying the Vault

Following the instructions here: Hashicorp Vault - Deploy

Initialize your vault

vault operator init
Unseal Key 1: ....
Unseal Key 2: ....
Unseal Key 3: ....
Unseal Key 4: ....
Unseal Key 5: ....

Initial Root Token: s.....

Vault initialized with 5 key shares and a key threshold of 3. Please securely
distribute the key shares printed above. When the Vault is re-sealed,
restarted, or stopped, you must supply at least 3 of these keys to unseal it
before it can start servicing requests.

Vault does not store the generated master key. Without at least 3 key to
reconstruct the master key, Vault will remain permanently sealed!

It is possible to generate new unseal keys, provided you have a quorum of
existing unseal keys shares. See "vault operator rekey" for more information.

Unseal Vault

Using the Unseal keys generated above:

 vault operator unseal

This command will need to be run multiple times before the vault is unsealed, depending on your vault configuration this may be 3 or more unseal keys.

When unsealed you will see

vault status
Key                    Value
---                    -----
Seal Type              shamir
Initialized            true
Sealed                 false 

Create Secrets KeyValue Store

vault secrets enable -path=secret/ kv

File Fabric Setup

Enable Key Management System

Logged in as the Org. Admin, go to: Organization > Policies > Key Management Systems

Select “Vault” from Encryption Key Management System.

You will enter the Vault URL and the Root Token, and click Test Settings.

If this comes back with an error, check to ensure the URL and Token are correct, and that the File Fabric can connect to Vault successfully.

When the test is successful, click “Set Key Management System”.

Enable Folder Level Encryption

Organization > Policies > Encryption

Define a secure passphrase and enter that in “Encryption phrase to encrypt Team files:”.

This passphrase will be saved in the external vault that you just setup and configured.

From there you can adjust the settings for which folders are encrypted and click “Update Policies”