Handling of sensitive data in CDP

CDP uses Vault to encrypt sensitive data (such as tokens, passwords, and encryption keys).

CDP Private cloud uses the Embedded/External Vault to store user credentials and some critical system data pertaining to the Control Plane that includes the machine user password used to create the control plane, the contents of the kubeconfig file which provides admin access to the Kubernetes Control Plane, and the LDAP credentials configured for the ECS Cluster.

The CDP Private Cloud installer can install Vault, but for OpenShift environments, typically this is a pre-existing customer-managed external Vault deployment.

  • For more information on how to install an external HashiCorp Vault, see Install Vault.

    Vault install notes:

    • Supported Vault version: 1.4.0
    • Secrets engine: kv-v2
    • Auth type: kubernetes
  • For more information on how to configure an external HashiCorp Vault for CDP Private Cloud, see External Vault Requirements.