Configuring vault usage

Cloud Pak for Data includes an internal vault. You can also connect to external vaults where you already store sensitive information as secrets.

Complete the following tasks to align the vault configuration with your security policies and practices:

Option Security considerations
Allow secret sharing

(Available by default)

This option simplifies the use of vaults. The owner of a secret can share the secret with other Cloud Pak for Data users and groups without the need to grant everyone direct access to the vault.

The users with whom the secret is shared can access only the secret that is shared. They do not have access to the vault or any other secrets in the vault. Additionally, the users cannot share the secret with other users.

Disable secret sharing This option requires that each user has their own vault credentials (keys, token).

This option is more secure. However, it requires additional work to manage user access to vaults and secrets.

Disable the internal vault
Best practice: If you plan to use vaults to store sensitive data, it is strongly recommended that you use an enterprise-grade vault rather than the internal vault.

This option ensures that only the selected, external enterprise-grade vault is used.

Require users to use secrets when creating connections This option ensures that users provide credentials using secrets rather than manually entering their credentials in the web client.

If you disable the internal vault, you must ensure that users have access to the appropriate secrets in an external vault.

After you configure vault usage, you can manage secrets and vaults.