<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=150 align="right">
<img src=images/Acme.jpeg width=100 align="left">

#  Cubbyhole Secret Engine

<img src="images/vault-cubbyhole-1.png" width=800 >
Cubbyhole is your own storage, a "locker" or "safe place" to store your valuables.  

In Vault, all cubbyhole secrets are namespaced under your token. It is not possible to reach into another token's cubbyhole, even as the root user.
Compare this to the Key/Value Secrets Engine, where secrets are accessible to any token as long as its policy allows it.


The **Cubbyhole** secret engine is used to store arbitrary secrets.
* Enabled by default at the path **cubbyhole/**
* Cannot be disabled
* Its lifetime is linked to the token used to write the data
    * Even the **root** token cannot read the data


### Prerequisites
You need to have Vault up and running:

`VAULT_UI=true VAULT_REDIRECT_ADDR=http://127.0.0.1:8200 vault server -log-level=trace -dev -dev-root-token-id=root -dev-listen-address=127.0.0.1:8200 -dev-ha -dev-transactional`


### Setup

In [5]:
vault -version

Vault v1.6.0 (7ce0bd9691998e0443bc77e98b1e2a4ab1e965d4)


In [3]:
export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_SKIP_VERIFY=true

In [4]:
vault status

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.6.0
Storage Type    inmem_transactional_ha
Cluster Name    vault-cluster-6a9fd92b
Cluster ID      ad4f5b1b-962e-cf1a-33c8-1ba9651d5fa0
HA Enabled      true
HA Cluster      https://127.0.0.1:8201
HA Mode         active


---
### Create Short-Lived Tokens
Do the exercise below twice, each using different tokens!

In [43]:
VAULT_TOKEN=root vault token create -policy=jenkins -ttl=5m

  * Policy "jenkins" does not exist

Key                  Value
---                  -----
token                s.Yrei4mF58sKRbjEnIXHIC5ww
token_accessor       ybwRUCcMnJWbufxaxDWG7bfG
token_duration       5m
token_renewable      true
token_policies       ["default" "jenkins"]
identity_policies    []
policies             ["default" "jenkins"]


##### We'll use the value of token above

In [44]:
VAULT_TOKEN="s.Yrei4mF58sKRbjEnIXHIC5ww" vault write cubbyhole/mygithub_token token="123456789_5ww"

Success! Data written to: cubbyhole/mygithub_token


In [46]:
VAULT_TOKEN="s.Yrei4mF58sKRbjEnIXHIC5ww" vault read cubbyhole/mygithub_token

Key      Value
---      -----
token    123456789_5ww


**The root token cannot read this cubbyhole**

In [47]:
VAULT_TOKEN="root" vault read cubbyhole/mygithub_token

No value found at cubbyhole/mygithub_token



### Response Wrapping
Problem: Say you generated a token. How do you **securely distribute** this initial token to the trusted entity?

Solution:
Vault's cubbyhole response wrapping feature. It ensures that only a single party can unwrap the token and see what's inside.

How it works:
* store the initial token inside a temporary (restricted) token's cubbyhole with a short TTL
* only the expected client (the trusted identity) can unwrap this secret
    * the wrapping token is a **single-use** token


In [48]:
VAULT_TOKEN=root vault token create -policy=jenkins -wrap-ttl=3m

Key                              Value
---                              -----
wrapping_token:                  s.eHGoTyZJN5uycSPeLARJXD3T
wrapping_accessor:               9DeXWP89duJgqunIsyEIafeO
wrapping_token_ttl:              3m
wrapping_token_creation_time:    2021-01-03 15:33:35.77178 +0800 +08
wrapping_token_creation_path:    auth/token/create
wrapped_accessor:                nbld7mOvBWKiaO8oGcYO4Sqn


**Note:** Compare the output above (with `-wrap-ttl`) with the previous one without `-wrap-ttl`: you receive a wrapping token and its accessor, not the created token itself.

Only one party can unwrap, and only once!

In [49]:
vault unwrap s.eHGoTyZJN5uycSPeLARJXD3T

  * Policy "jenkins" does not exist

Key                  Value
---                  -----
token                s.nSNiV6MVKcLiVnaadiKCmrp8
token_accessor       nbld7mOvBWKiaO8oGcYO4Sqn
token_duration       768h
token_renewable      true
token_policies       ["default" "jenkins"]
identity_policies    []
policies             ["default" "jenkins"]


**Note:** the wrapping token is a **single-use** token; a second unwrap attempt fails.

In [50]:
VAULT_TOKEN=s.wYOxfqLgAHZDx7JareVdBlp9 vault unwrap

Error unwrapping: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/sys/wrapping/unwrap
Code: 400. Errors:

* wrapping token is not valid or does not exist
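As an added example (not part of the original workshop), here is a small Python client for the receiving side that does the check `vault unwrap` skips: it looks up the wrapping token via `sys/wrapping/lookup` and refuses to unwrap unless `creation_path` and `creation_ttl` match what the issuer intended, which is how a client notices a wrapping token that was swapped in transit. The address, expected path and TTL are assumptions taken from the outputs above; the two HTTP calls need a running Vault, while `validate_wrapping_lookup` works on the lookup response alone.

```python
import json
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"          # assumption: the dev server used in this notebook
EXPECTED_CREATION_PATH = "auth/token/create"  # the wrapping_token_creation_path shown above
MAX_WRAP_TTL = 180                            # seconds; the notebook issued the wrap with -wrap-ttl=3m


def validate_wrapping_lookup(lookup_data, expected_path=EXPECTED_CREATION_PATH, max_ttl=MAX_WRAP_TTL):
    """Check the "data" object returned by sys/wrapping/lookup.

    Returns (ok, reason). A wrapping token created anywhere other than the
    expected path, or with a longer TTL than the issuer agreed on, is a sign
    that someone replaced the token on its way to us, so we must not unwrap it.
    """
    path = lookup_data.get("creation_path")
    ttl = lookup_data.get("creation_ttl")
    if path != expected_path:
        return False, f"unexpected creation_path {path!r}; the wrapping token may have been swapped"
    if not isinstance(ttl, int) or ttl <= 0 or ttl > max_ttl:
        return False, f"creation_ttl {ttl!r} is outside the agreed window (1..{max_ttl}s)"
    return True, "ok"


def _post(path, token, body):
    """POST a JSON body to the Vault API, authenticating with the given token."""
    req = urllib.request.Request(
        f"{VAULT_ADDR}/v1/{path}",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def unwrap_checked(wrapping_token):
    """Look up the wrapping token first; only unwrap when it was created where we expect.

    The wrapping token itself authenticates both calls (its response-wrapping
    policy permits sys/wrapping/lookup and sys/wrapping/unwrap), matching the
    `VAULT_TOKEN=<wrapping token> vault unwrap` invocation in the notebook.
    """
    lookup = _post("sys/wrapping/lookup", wrapping_token, {"token": wrapping_token})
    ok, reason = validate_wrapping_lookup(lookup["data"])
    if not ok:
        raise RuntimeError(f"refusing to unwrap: {reason}")
    # Unwrapping consumes the single-use wrapping token; a second call gets the
    # "wrapping token is not valid or does not exist" error shown above.
    return _post("sys/wrapping/unwrap", wrapping_token, {})
```

Run `unwrap_checked("s.<wrapping token>")` against the dev server right after the `-wrap-ttl` cell; the returned JSON carries the same `auth` block that `vault unwrap` prints.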



---
#### Thank you.
<img src=images/HashiCorp_PrimaryLogo_Black_RGB.png width=100 class="center">