Vault

Vault is a secrets management service for API keys, credentials, and environment variables. All secrets are encrypted at rest with AES-256-GCM and backed by AWS KMS or a local master key.

Features

Encrypted Storage

AES-256-GCM encryption at rest

Version History

Full audit trail with rollback

Environment Separation

Prod/Staging/Dev isolation

Access Control

Role-based permissions

Quick Start

# Store a secret
BrainzLab::Vault.set("stripe/api_key", "sk_live_xxx")

# Retrieve a secret
api_key = BrainzLab::Vault.get("stripe/api_key")

# Store with environment
BrainzLab::Vault.set("database/password", "secret123", environment: :production)

Security Model

┌─────────────────────────────────────────────────────┐
│                     Your App                         │
│                        │                             │
│                        ▼                             │
│              BrainzLab::Vault.get()                 │
│                        │                             │
│                        ▼                             │
│  ┌─────────────────────────────────────────────┐    │
│  │               Vault API                      │    │
│  │                    │                         │    │
│  │                    ▼                         │    │
│  │  ┌─────────────────────────────────────┐    │    │
│  │  │  Encrypted Storage (PostgreSQL)     │    │    │
│  │  │  + AES-256-GCM encryption           │    │    │
│  │  │  + AWS KMS for key management       │    │    │
│  │  └─────────────────────────────────────┘    │    │
│  └─────────────────────────────────────────────┘    │
└─────────────────────────────────────────────────────┘

Key Features

Feature	Description
Encryption	AES-256-GCM at rest
Key Management	AWS KMS or local master key
Versioning	Full history for every secret
Rollback	Restore to any previous version
Audit Log	Who accessed what, when
RBAC	Role-based access control
Environments	Separate secrets per environment

Environment Separation

Secrets are isolated by environment:

Environment	Access
Production	Requires approval, locked by default
Staging	Team access
Development	Open access

# Production secret (requires special access)
BrainzLab::Vault.get("database/password", environment: :production)

# Development secret
BrainzLab::Vault.get("database/password", environment: :development)

Next Steps

Secrets

Store and retrieve secrets

Environments

Manage environment-specific secrets

Access Control

Configure permissions

Audit Log

View access history

Vault

Vault API

Vault MCP

Vault Overview

Vault

Features

Encrypted Storage

Version History

Environment Separation

Access Control

Quick Start

Security Model

Key Features

Environment Separation

Next Steps

Secrets

Environments

Access Control

Audit Log

Vault

Vault API

Vault MCP

​Vault

​Features

Encrypted Storage

Version History

Environment Separation

Access Control

​Quick Start

​Security Model

​Key Features

​Environment Separation

​Next Steps

Secrets

Environments

Access Control

Audit Log

Vault

Features

Quick Start

Security Model

Key Features

Environment Separation

Next Steps