Secure Store

Secure Store is a core platform service within the H2O AI Cloud environment designed to securely store, manage and audit sensitive credentials (for example, connector credentials or OAuth clients). It offers a central, high-availability, AI-cloud-native service that allows secrets to be securely stored, versioned, and accessed (either as binary blobs or text strings) via APIs.

Secret

  • A secret is a Workspaced object that contains a collection of metadata and secret versions.
  • The secret alone does not contain any secret data.
  • Secrets employ soft deletion. Deleted secrets can be undeleted for 30 days, after which the secret and all of its secret versions are permanently deleted.

Secret versions

  • A secret version stores the actual secret data.
  • You can address individual versions of a secret.
  • Secret data is immutable: a secret can only be updated by creating a new version.
  • Previous versions remain accessible.
  • The name workspaces/*/secrets/*/versions/latest is an alias for the most recently created version.

Note

Secure Store encrypts secret data using Tink, specifically through the Go implementation. Tink meets FIPS 140-2 security requirements when compiled with the BoringCrypto library.

Secure Store uses the AES256_GCM key type and ties the ciphertext to the secret version name.

Keyset

  • A keyset is a set of keys that facilitate key rotation.
  • The primary key in the keyset is used to encrypt new secrets.
  • Administrators can rotate keys at any time, which adds a new key into the keyset and sets it as primary. The key can also be rotated automatically on a configurable schedule.
  • The keyset is stored in a database, encrypted by a key encryption key (KEK), also known as a root key, master key, or unseal key.
  • Secure Store can retrieve the KEK from any of the following supported remote KMS providers:
    • Amazon KMS
    • Google Cloud KMS
    • HashiCorp Vault
    • Azure Key Vault (requires implementing a connector)
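The two mechanisms described above, AES-256-GCM ciphertext tied to the secret version name and a keyset whose primary key encrypts new data while older keys remain for decryption, are illustrated by the following added example. It is not Secure Store's or Tink's code: it uses only Go's standard library, assumes the version-name binding is done as AEAD associated data (the way Tink's AEAD interface takes it), and the Keyset type, Rotate method and the secret names in comments are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keyset models the page's keyset: AES-256-GCM primitives, last entry is primary.
// Illustration with Go's standard library only, not Tink's actual keyset format.
type Keyset []cipher.AEAD
// Rotate installs a fresh AES-256 key as primary; older keys stay for decryption.
func (ks *Keyset) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	g, err := cipher.NewGCM(block)
	if err == nil {
		*ks = append(*ks, g)
	}
	return err
}
// Encrypt seals data under the primary key; the secret version name (e.g. the
// constructed workspaces/demo/secrets/db/versions/1) is the associated data,
// so the ciphertext is tied to it. Output layout: nonce || ciphertext+tag.
func (ks Keyset) Encrypt(versionName string, data []byte) ([]byte, error) {
	if len(ks) == 0 {
		return nil, errors.New("keyset has no primary key")
	}
	nonce := make([]byte, ks[len(ks)-1].NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return ks[len(ks)-1].Seal(nonce, nonce, data, []byte(versionName)), nil
}
// Decrypt tries the primary, then older keys, so versions sealed before a
// rotation still open; a wrong version name fails GCM authentication everywhere.
func (ks Keyset) Decrypt(versionName string, blob []byte) ([]byte, error) {
	for i := len(ks) - 1; i >= 0; i-- {
		if n := ks[i].NonceSize(); len(blob) >= n {
			if pt, err := ks[i].Open(nil, blob[:n], blob[n:], []byte(versionName)); err == nil {
				return pt, nil
			}
		}
	}
	return nil, errors.New("no key in the keyset authenticates this ciphertext")
}
```

A real deployment would additionally keep the serialized keyset encrypted under the KEK fetched from the KMS, which this in-memory illustration leaves out.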

Using Secure Store

Secure Store is used across multiple H2O products to simplify secret management. The following tutorials walk through real product workflows that incorporate Secure Store, showing how credentials are stored, retrieved, and injected into connectors or application logic.