HashiCorp Vault

Prerequisites

  • A running Vault instance with the KV v2 secrets engine enabled
  • A Vault token whose policy grants create/read/update/delete/list on your path (see Step 2)
  • VAULT_TOKEN set in the environment of the ev API server

Step 1: Enable KV v2 (if not already)

vault secrets enable -path=secret kv-v2

Step 2: Create a Policy

Save the following as policy.hcl. The first block covers reads and writes of secret versions; the second covers the metadata tree, which is where KV v2 serves LIST requests and permanent deletes (delete on the metadata path destroys every version of a key, so drop that capability if you only want soft deletes):

path "secret/data/myapp/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

path "secret/metadata/myapp/*" {
  capabilities = ["read", "delete", "list"]
}

The trailing glob matches everything below myapp/ but not the myapp node itself, and the mount name (secret) must be the one you connect to in Step 4.

Write the policy and mint a token that carries only that policy:

vault policy write ev-policy policy.hcl
vault token create -policy=ev-policy

Step 3: Configure Credentials

Set VAULT_TOKEN on the ev API server:

VAULT_TOKEN=hvs.XXXXXXXXXXXXXXXXXXXXXXXX

Step 4: Connect

ev backend set vault --address http://localhost:8200 --prefix myapp/

To use a custom KV mount (the policy from Step 2 must then name that mount, i.e. my-kv/data/myapp/* and my-kv/metadata/myapp/*):

ev backend set vault --address http://localhost:8200 --prefix myapp/ --mount my-kv

Step 5: Import Existing Secrets

ev import vault --address http://localhost:8200 --prefix myapp/prod/ --env prod

How Secrets Are Stored

Each secret is stored as a separate KV v2 entry:

secret/data/myapp/{env-name}/{KEY}

where secret is the mount (or the value passed to --mount) and myapp/ is the --prefix. The KV data of each entry is {"value": "the-secret-value"}.
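The policy from Step 2 and the storage layout above are easy to get subtly wrong (wrong mount name, a glob that is too wide or too narrow, a capability on the wrong tree). The following is an added example, not part of ev or Vault: it models the KV v2 paths ev touches for a given mount and prefix, generates the same policy shape as Step 2 for them, and re-implements Vault's policy path matching (trailing `*` glob, `+` single-segment wildcard, most specific rule wins, deny is absolute) so the policy can be checked offline before a token is issued. The Layout class, the helper names and the simplified rule-priority are this example's own assumptions.

```python
"""Added example: offline checks for the ev Vault backend layout and policy.
Not part of ev or Vault. It models the KV v2 paths the page describes and
Vault's policy path matching; Layout and the helpers are this example's own."""
from __future__ import annotations
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Layout:
    mount: str = "secret"   # KV v2 mount (ev: --mount)
    prefix: str = "myapp/"  # key prefix inside the mount (ev: --prefix)

    def data_path(self, env: str, key: str) -> str:
        # Reads and writes of a KV v2 secret go to <mount>/data/<prefix><env>/<KEY>
        return f"{self.mount}/data/{self.prefix}{env}/{key}"

    def metadata_path(self, env: str, key: str) -> str:
        # Version metadata and permanent deletes live under <mount>/metadata/...
        return f"{self.mount}/metadata/{self.prefix}{env}/{key}"

    def list_path(self, env: str) -> str:
        # LIST requests against KV v2 are served from the metadata tree
        return f"{self.mount}/metadata/{self.prefix}{env}/"

    def policy_hcl(self) -> str:
        # Same shape as the page's Step 2 policy, parameterised on mount and prefix
        return (
            f'path "{self.mount}/data/{self.prefix}*" {{\n'
            '  capabilities = ["create", "read", "update", "delete", "list"]\n}\n\n'
            f'path "{self.mount}/metadata/{self.prefix}*" {{\n'
            '  capabilities = ["read", "delete", "list"]\n}\n'
        )


def encode_entry(secret: str) -> str:
    # Request body of a KV v2 write; ev stores each value as {"value": ...}
    return json.dumps({"data": {"value": secret}})


def decode_entry(body: str) -> str:
    # A KV v2 read returns {"data": {"data": {...}, "metadata": {...}}}
    data = json.loads(body)["data"]["data"]
    if "value" not in data:
        raise ValueError("entry was not written by ev: no 'value' field")
    return data["value"]


_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> list[tuple[str, set[str]]]:
    # Minimal parser for the `path "..." { capabilities = [...] }` form only
    return [(p, set(re.findall(r'"([^"]+)"', caps))) for p, caps in _RULE.findall(hcl)]


def _matches(pattern: str, path: str) -> bool:
    # Vault semantics: '*' is only meaningful as a trailing glob, '+' matches one segment
    glob = pattern.endswith("*")
    pseg = (pattern[:-1] if glob else pattern).split("/")
    tseg = path.split("/")
    if not glob:
        return len(pseg) == len(tseg) and all(a == "+" or a == b for a, b in zip(pseg, tseg))
    if len(tseg) < len(pseg):
        return False
    if not all(a == "+" or a == b for a, b in zip(pseg[:-1], tseg)):
        return False
    # The stem's last segment is a prefix of whatever remains of the request path
    return "/".join(tseg[len(pseg) - 1:]).startswith(pseg[-1])


def allowed(policy: list[tuple[str, set[str]]], capability: str, path: str) -> bool:
    # Most specific matching rule wins (exact before glob, then longest pattern);
    # a deny in the winning rule blocks everything. Simplified from Vault's full rules.
    hits = [(not p.endswith("*"), len(p), caps) for p, caps in policy if _matches(p, path)]
    if not hits:
        return False
    _, _, caps = max(hits, key=lambda h: (h[0], h[1]))
    return "deny" not in caps and capability in caps


if __name__ == "__main__":
    lay = Layout()
    pol = parse_policy(lay.policy_hcl())
    for cap, path in [("read", lay.data_path("prod", "DATABASE_URL")),
                      ("list", lay.list_path("prod")),
                      ("read", "secret/data/myapp"),           # node itself: not covered
                      ("read", "secret/data/other/prod/KEY"),   # unrelated prefix
                      ("read", Layout(mount="my-kv").data_path("prod", "KEY"))]:  # wrong mount
        print(f"{cap:5} {path:45} {'allow' if allowed(pol, cap, path) else 'deny'}")
```

Run it with a Layout matching your `ev backend set` arguments; every path ev will use for an environment should come back `allow`, and the neighbouring paths (the `myapp` node, another prefix, another mount) should come back `deny`. If you switch to `--mount my-kv`, regenerate the policy with `Layout(mount="my-kv")` rather than editing the paths by hand.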

Limitations

  • No rollback: as with AWS Secrets Manager, ev does not keep a value history for external backends. KV v2 keeps its own versions, so use Vault's versioning (for example vault kv rollback) if you need to restore an older value.
  • No E2E encryption: values are written to Vault as plain KV data. Vault encrypts its storage at rest, but anyone with read on the path sees the plaintext; ev's end-to-end encryption does not apply to this backend.
  • VAULT_TOKEN required: the API server needs a valid token. In production, prefer Vault Agent with auto-auth over a long-lived static token.
