We're currently improving our custom secrets management system and I'm looking into different solutions such as Hashicorp Vault or AWS KMS.
So far Vault seems to meet most of our current requirements, is an open-source project and provides a lot of very interesting features. However, I haven't found a way to fit the following use case on it: we have hundreds of users in our application. We simetrically encrypt both database records and data files with a different key for each user. We provide our users with the ability to control access to their data by encrypting the user key with a user password, hence, this password must be provided each time data is to be accessed.
I can store each of this user encryption keys in the Vault, and then access dynamically everytime a new request is done, however, I can't find a way to add the user password as a necessary argument of the request. One solution is adding this extra encryption layer on top of Vault and store the encrypted version of the key, but then "encryption as a service" cannot be used as Vault would not be encrypting with the real user key but the encrypted version of the key. In addition, the Vault administrator will allways be able to decrypt users files regardless they provide their passwords or not.
I wonder whether this functionality can be developed on top of Vault using some kind of plugin. Has anybody come across a similar scenario before? Any suggestion idea will be welcomed.
Thanks
