Maks Zaikin edited this page Jun 26, 2026 · 5 revisions

---
title: "VaultFlower — Documentation Home"
category: "navigation"
version: "1.0"
last_updated: "2024-01-15"
standards: []
related_pages: ["AI-Guide", "Architecture-Overview", "Security-Principles"]
ai_summary: "Entry point for VaultFlower documentation. Contains full navigation map and quick links to all sections."
---

🌸 VaultFlower Documentation

Enterprise Privileged Password Vault — Open-source PAM solution for managing local administrator accounts on isolated, offline, and non-domain assets in IT and ICS/OT environments.


🤖 For AI Agents

If you are an AI assistant helping a developer work with VaultFlower, start here:

  1. Read AI-Guide — how to navigate this documentation efficiently
  2. Read Architecture-Overview — understand the full system
  3. Read Security-Principles — non-negotiable constraints
  4. Read the specific section relevant to your task

Every page in this Wiki contains machine-readable metadata in the front matter block. Use it to quickly understand the context, standards, and relationships between pages.


📚 Documentation Map

🏗️ Architecture

| Page | Description | Status |
|---|---|---|
| Architecture-Overview | Full system architecture, components, data flow | Completed |
| Architecture-Data-Fragmentation | B++ data fragmentation security model | Completed |
| Architecture-Encryption-Model | AES-256-GCM, envelope encryption, DEK/KEK | Completed |
| Architecture-Network-Topology | Servers, networks, firewall rules | Completed |
| Architecture-Container-Architecture | All 19+ Docker containers | Completed |
| Architecture-Plugin-Architecture | Plugin system, Service Discovery via Consul | Completed |
| Architecture-Message-Bus | RabbitMQ topology, VHosts, queues | Completed |

🔐 Security

| Page | Description | Status |
|---|---|---|
| Security-Principles | Non-negotiable security rules | Completed |
| Security-Authentication-Model | Kerberos SSO, adaptive MFA, JWT | Completed |
| Security-Authorization-Model | RBAC, scope, Dual Control | Completed |
| Security-Audit-Model | Append-only audit, CEF, SIEM | Completed |
| Security-NIST-Mapping | NIST SP 800-53 Rev 5 controls mapping | Completed |
| Security-FSTEC-Mapping | FSTEC requirements mapping | Completed |
| Security-IEC62443-Mapping | ISA/IEC 62443 zones and security levels | Completed |
| Security-NERC-CIP-Mapping | NERC CIP controls mapping | Completed |

🗄️ Database

| Page | Description | Status |
|---|---|---|
| Database-Schema-Overview | Three-database architecture, isolation principles | Completed |
| Database-Identity-DB | Full Identity DB schema | Completed |
| Database-Assets-DB | Full Assets DB schema | Completed |
| Database-Secrets-DB | Full Secrets DB schema | Completed |

🔄 Workflows

| Page | Description | Status |
|---|---|---|
| Workflow-Checkout | Full checkout flow with Dual Control | Completed |
| Workflow-Rotation | Online and offline password rotation | Scheduled |
| Workflow-Access-Task | ACCESS_TASK — password retrieval workflow | Scheduled |
| Workflow-Rotation-Task | ROTATION_TASK — password change workflow | Scheduled |
| Workflow-Owner-Approval | SSO-gated owner approval flow | Scheduled |

📡 API Reference

| Page | Description | Status |
|---|---|---|
| API-Overview | Conventions, versioning, authentication headers | Scheduled |
| API-Authentication | /auth endpoints | Scheduled |
| API-MFA | /mfa endpoints | Scheduled |
| API-Checkouts | /checkouts endpoints | Scheduled |
| API-Assets | /locations/.../assets endpoints | Scheduled |
| API-Credentials | /credentials endpoints | Scheduled |
| API-Maintenance | /maintenance endpoints | Scheduled |
| API-Audit | /audit endpoints | Scheduled |

🖥️ UI Flows

| Page | Description | Status |
|---|---|---|
| UI-Login-Flow | Kerberos SSO + MFA login | Scheduled |
| UI-Operator-Flow | Task execution + checkout + signed form | Scheduled |
| UI-Admin-Flow | System management | Scheduled |
| UI-Auditor-Flow | Audit log and compliance reports | Scheduled |

🚀 Operations

| Page | Description | Status |
|---|---|---|
| Operations-Deployment-Guide | Full infrastructure deployment | Scheduled |
| Operations-Vault-Init | HashiCorp Vault init + Shamir unseal | Scheduled |
| Operations-Network-Setup | Firewall, mTLS, PKI certificates | Scheduled |
| Operations-Monitoring | Grafana dashboards, alerts, metrics | Scheduled |
| Operations-Backup-Recovery | Backup strategy and recovery procedures | Scheduled |

🧩 Plugins

| Page | Description | Status |
|---|---|---|
| Plugin-Development | How to build a VaultFlower plugin | Scheduled |
| Plugin-TOTP | TOTP MFA plugin | Scheduled |
| Plugin-WebAuthn | WebAuthn / YubiKey plugin | Scheduled |
| Plugin-Smartcard | Mifare smartcard + PIN plugin | Scheduled |

📋 Architecture Decision Records

| ADR | Decision |
|---|---|
| ADR-001-Monorepo | Monorepo structure |
| ADR-002-Data-Fragmentation | B++ data fragmentation model |
| ADR-003-RabbitMQ-VHosts | Hybrid VHost strategy |
| ADR-004-JWT-Blocklist | JWT + Vault Blocklist pattern |
| ADR-005-Plugin-Architecture | Docker-based plugin system |
| ADR-006-MinIO-Storage | MinIO for document storage |
| ADR-007-Consul-Discovery | Consul for Service Discovery |

🤝 Contributing

| Page | Description |
|---|---|
| Contributing-Guide | How to contribute to VaultFlower |
| Contributing-Code-Style | Code standards and conventions |
| Contributing-Security-Reporting | How to report security vulnerabilities |

🔑 Key Concepts

| Concept | Short Definition |
|---|---|
| Data Fragmentation B++ | Three physically separate databases. No single DB contains a complete data picture. |
| Dual Control | Every password checkout requires two independent MFA authorizations. |
| Vault Assembly Token | Time-bound token issued by HashiCorp Vault that authorizes data assembly across all three databases. |
| ROTATION_TASK | Structured work order for changing a privileged password. |
| ACCESS_TASK | Structured work order for reading a privileged password without changing it. |
| Owner Approval | System owner approves every task via SSO-gated one-time email link before execution. |
| Shamir Secret Sharing | Vault master key split across 5 administrators. Requires 3 to unseal. |
| CEF | Common Event Format — structured SIEM event format used for all audit events. |
| Append-only Audit | Audit tables have INSERT-only grants. No UPDATE or DELETE ever permitted. |

🏷️ Security Standards Reference

| Standard | Full Name | Relevance |
|---|---|---|
| NIST SP 800-53 | Security and Privacy Controls for Information Systems | Access control, audit, identification |
| FSTEC | Federal Service for Technical and Export Control (Russia) | State secret protection requirements |
| ISA/IEC 62443 | Industrial Automation and Control Systems Security | OT/ICS zones, security levels |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection | Critical infrastructure cybersecurity |

📌 Quick Links


VaultFlower — Because every privileged account deserves a lifecycle.