Is HashiCorp Vault the correct tool to store users sensitive information

Question

Is Vault the correct tool to store sensitive information about users, eg. theirs pay rate or personal id?

"Normal" employee/user must only have access to his own data but the users with accountancy role must have access to everyone data. Users are authenticated with ldap so I thought Vault would be a good option since it can integrate with ldap and I could use its policies to restrict access.

I cannot encrypt with secret environment variable cause not even DevOps are supposed to have access to the sensitive data of the users.

Answer 1

Vault is strong on security, so you don't have to worry about safely encrypting your data at rest.

But Vault is not a database. It is a basic key-value store. You will have to come up with a scheme that allows you to go staight to the data you are looking for, like maybe querying a hash of some value like employee_id. Whatever attribute you pick is the only one you can "query" Vault with though. Actually, "retreive" would be a better word.

Not to mention that Vault will not run itself. It is yet another piece of infrastructure to manage, maybe even two depending of your choice of storage engine. Then you will have to implement authentication, authorization based on least privileges in it.

So with very details on your use case and risk scenario, I would consider storing that sensitive data in a plain old database (and implement strict authn, authz and audit there).

Your application could encrypt the data before sending it to the database. That's the part Vault was designed to solve.