Home
Maks Zaikin edited this page Jun 25, 2026
---
title: "VaultFlower — Documentation Home"
category: "navigation"
version: "1.0"
last_updated: "2024-01-15"
standards: []
related_pages: ["AI-Guide", "Architecture-Overview", "Security-Principles"]
ai_summary: "Entry point for VaultFlower documentation. Contains full navigation map and quick links to all sections."
---
Enterprise Privileged Password Vault — Open-source PAM solution for managing local administrator accounts on isolated, offline, and non-domain assets in IT and ICS/OT environments.
If you are an AI assistant helping a developer work with VaultFlower, start here:
- Read AI-Guide — how to navigate this documentation efficiently
- Read Architecture-Overview — understand the full system
- Read Security-Principles — non-negotiable constraints
- Read the specific section relevant to your task
Every page in this Wiki contains machine-readable metadata in the front matter block. Use it to quickly understand the context, standards, and relationships between pages.
| Page | Description | Status |
|---|---|---|
| Architecture-Overview | Full system architecture, components, data flow | Completed |
| Architecture-Data-Fragmentation | B++ data fragmentation security model | Completed |
| Architecture-Encryption-Model | AES-256-GCM, envelope encryption, DEK/KEK | Completed |
| Architecture-Network-Topology | Servers, networks, firewall rules | Completed |
| Architecture-Container-Architecture | All 19+ Docker containers | Completed |
| Architecture-Plugin-Architecture | Plugin system, Service Discovery via Consul | Completed |
| Architecture-Message-Bus | RabbitMQ topology, VHosts, queues | Completed |

| Page | Description | Status |
|---|---|---|
| Security-Principles | Non-negotiable security rules | Completed |
| Security-Authentication-Model | Kerberos SSO, adaptive MFA, JWT | Completed |
| Security-Authorization-Model | RBAC, scope, Dual Control | Scheduled |
| Security-Audit-Model | Append-only audit, CEF, SIEM | Completed |
| Security-NIST-Mapping | NIST SP 800-53 Rev 5 controls mapping | Completed |
| Security-FSTEC-Mapping | FSTEC requirements mapping | Completed |
| Security-IEC62443-Mapping | ISA/IEC 62443 zones and security levels | Completed |
| Security-NERC-CIP-Mapping | NERC CIP controls mapping | Scheduled |
| Page | Description | Status |
|---|---|---|
| Database-Schema-Overview | Three-database architecture, isolation principles | Scheduled |
| Database-Identity-DB | Full Identity DB schema | Scheduled |
| Database-Assets-DB | Full Assets DB schema | Scheduled |
| Database-Secrets-DB | Full Secrets DB schema | Scheduled |

| Page | Description | Status |
|---|---|---|
| Workflow-Checkout | Full checkout flow with Dual Control | Scheduled |
| Workflow-Rotation | Online and offline password rotation | Scheduled |
| Workflow-Access-Task | ACCESS_TASK — password retrieval workflow | Scheduled |
| Workflow-Rotation-Task | ROTATION_TASK — password change workflow | Scheduled |
| Workflow-Owner-Approval | SSO-gated owner approval flow | Scheduled |

| Page | Description | Status |
|---|---|---|
| API-Overview | Conventions, versioning, authentication headers | Scheduled |
| API-Authentication | /auth endpoints | Scheduled |
| API-MFA | /mfa endpoints | Scheduled |
| API-Checkouts | /checkouts endpoints | Scheduled |
| API-Assets | /locations/.../assets endpoints | Scheduled |
| API-Credentials | /credentials endpoints | Scheduled |
| API-Maintenance | /maintenance endpoints | Scheduled |
| API-Audit | /audit endpoints | Scheduled |

| Page | Description | Status |
|---|---|---|
| UI-Login-Flow | Kerberos SSO + MFA login | Scheduled |
| UI-Operator-Flow | Task execution + checkout + signed form | Scheduled |
| UI-Admin-Flow | System management | Scheduled |
| UI-Auditor-Flow | Audit log and compliance reports | Scheduled |

| Page | Description | Status |
|---|---|---|
| Operations-Deployment-Guide | Full infrastructure deployment | Scheduled |
| Operations-Vault-Init | HashiCorp Vault init + Shamir unseal | Scheduled |
| Operations-Network-Setup | Firewall, mTLS, PKI certificates | Scheduled |
| Operations-Monitoring | Grafana dashboards, alerts, metrics | Scheduled |
| Operations-Backup-Recovery | Backup strategy and recovery procedures | Scheduled |

| Page | Description | Status |
|---|---|---|
| Plugin-Development | How to build a VaultFlower plugin | Scheduled |
| Plugin-TOTP | TOTP MFA plugin | Scheduled |
| Plugin-WebAuthn | WebAuthn / YubiKey plugin | Scheduled |
| Plugin-Smartcard | Mifare smartcard + PIN plugin | Scheduled |

| ADR | Decision |
|---|---|
| ADR-001-Monorepo | Monorepo structure |
| ADR-002-Data-Fragmentation | B++ data fragmentation model |
| ADR-003-RabbitMQ-VHosts | Hybrid VHost strategy |
| ADR-004-JWT-Blocklist | JWT + Vault Blocklist pattern |
| ADR-005-Plugin-Architecture | Docker-based plugin system |
| ADR-006-MinIO-Storage | MinIO for document storage |
| ADR-007-Consul-Discovery | Consul for Service Discovery |

| Page | Description |
|---|---|
| Contributing-Guide | How to contribute to VaultFlower |
| Contributing-Code-Style | Code standards and conventions |
| Contributing-Security-Reporting | How to report security vulnerabilities |

| Concept | Short Definition |
|---|---|
| Data Fragmentation B++ | Three physically separate databases. No single DB contains a complete data picture. |
| Dual Control | Every password checkout requires two independent MFA authorizations. |
| Vault Assembly Token | Time-bound token issued by HashiCorp Vault that authorizes data assembly across all three databases. |
| ROTATION_TASK | Structured work order for changing a privileged password. |
| ACCESS_TASK | Structured work order for reading a privileged password without changing it. |
| Owner Approval | System owner approves every task via SSO-gated one-time email link before execution. |
| Shamir Secret Sharing | Vault master key split across 5 administrators. Requires 3 to unseal. |
| CEF | Common Event Format — structured SIEM event format used for all audit events. |
| Append-only Audit | Audit tables have INSERT-only grants. No UPDATE or DELETE ever permitted. |

| Standard | Full Name | Relevance |
|---|---|---|
| NIST SP 800-53 | Security and Privacy Controls for Information Systems | Access control, audit, identification |
| FSTEC | Federal Service for Technical and Export Control (Russia) | State secret protection requirements |
| ISA/IEC 62443 | Industrial Automation and Control Systems Security | OT/ICS zones, security levels |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection | Critical infrastructure cybersecurity |
VaultFlower — Because every privileged account deserves a lifecycle.