Store and manage secrets using Neumann's encrypted vault. By the end you will have secrets stored with AES-256-GCM encryption and graph-based access control.
- Neumann installed (Installation)
- A running Neumann shell
neumann --wal-dir ./vault-data
Store an API key as an encrypted secret:
VAULT PUT 'api-keys/openai' 'sk-proj-abc123def456'
Verify it was stored:
VAULT GET 'api-keys/openai'
You should see the decrypted value sk-proj-abc123def456.
VAULT PUT 'api-keys/stripe' 'sk_live_xyz789'
VAULT PUT 'database/production/password' 'super-secret-db-pass'
VAULT PUT 'certificates/tls-key' '-----BEGIN PRIVATE KEY-----...'
VAULT LIST 'api-keys/'
You should see api-keys/openai and api-keys/stripe.
Create access policies using the graph engine. Define roles and permissions:
NODE CREATE role { name: 'developer' }
NODE CREATE role { name: 'ops' }
NODE CREATE secret_group { name: 'api-keys' }
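NODE CREATE secret_group { name: 'database' }
Connect roles to secret groups. The edges below refer to the nodes by ID in creation order: node:1 is developer, node:2 is ops, node:3 is api-keys, node:4 is database.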
EDGE CREATE 'node:1' -> 'node:3' : can_read
EDGE CREATE 'node:2' -> 'node:3' : can_read
EDGE CREATE 'node:2' -> 'node:4' : can_read
EDGE CREATE 'node:2' -> 'node:4' : can_write
This gives:
- Developers: read access to API keys
- Ops: read access to API keys, read+write access to database secrets
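To check that a policy graph grants what you intended, the following added example (not Neumann code, and not from the Neumann project) parses the NODE and EDGE statements above and evaluates them with deny-by-default semantics. It assumes node IDs are sequential in creation order and that a secret belongs to the group named by its first path segment; Neumann's own enforcement rules are not modelled.

```python
import re

# Statements and secret paths copied from the tutorial above.
STATEMENTS = """
NODE CREATE role { name: 'developer' }
NODE CREATE role { name: 'ops' }
NODE CREATE secret_group { name: 'api-keys' }
NODE CREATE secret_group { name: 'database' }
EDGE CREATE 'node:1' -> 'node:3' : can_read
EDGE CREATE 'node:2' -> 'node:3' : can_read
EDGE CREATE 'node:2' -> 'node:4' : can_read
EDGE CREATE 'node:2' -> 'node:4' : can_write
"""
SECRET_PATHS = ["api-keys/openai", "api-keys/stripe",
                "database/production/password", "certificates/tls-key"]

NODE_RE = re.compile(r"NODE CREATE (\w+) \{ name: '([^']+)' \}")
EDGE_RE = re.compile(r"EDGE CREATE 'node:(\d+)' -> 'node:(\d+)' : (\w+)")

def build_policy(text):
    """Return (nodes, grants). Assumption: node IDs are sequential from 1."""
    nodes, grants = {}, set()
    for line in text.strip().splitlines():
        if m := NODE_RE.fullmatch(line.strip()):
            nodes[len(nodes) + 1] = (m.group(1), m.group(2))
        elif m := EDGE_RE.fullmatch(line.strip()):
            src, dst = nodes[int(m.group(1))], nodes[int(m.group(2))]
            if (src[0], dst[0]) != ("role", "secret_group"):
                raise ValueError(f"edge does not go role -> secret_group: {line}")
            grants.add((src[1], dst[1], m.group(3)))
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return nodes, grants

def allowed(grants, role, permission, path):
    """Deny by default; assumed mapping: first path segment == group name."""
    return (role, path.split("/", 1)[0], permission) in grants

def uncovered(nodes, paths):
    """Secret paths whose first segment matches no secret_group node."""
    groups = {name for kind, name in nodes.values() if kind == "secret_group"}
    return [p for p in paths if p.split("/", 1)[0] not in groups]

if __name__ == "__main__":
    nodes, grants = build_policy(STATEMENTS)
    for role, p in [(r, p) for r in ("developer", "ops") for p in SECRET_PATHS]:
        print(role, p, [x for x in ("can_read", "can_write") if allowed(grants, role, x, p)])
    print("no group covers:", uncovered(nodes, SECRET_PATHS))
```

Under these assumptions, certificates/tls-key is reported as uncovered because the tutorial creates no matching secret_group node for it.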
VAULT PUT 'api-keys/openai' 'sk-proj-new-key-789'
The old value is replaced. Retrieve to confirm:
VAULT GET 'api-keys/openai'
VAULT DELETE 'api-keys/stripe'
Verify it was removed:
VAULT GET 'api-keys/stripe'
This should return an error indicating the secret was not found.
You should have:
- Secrets stored with encryption (VAULT PUT/GET working)
- Hierarchical secret paths (api-keys/, database/)
- Graph-based access control nodes and edges
- Secret update and deletion working
- Vault Access Control -- advanced access policies
- Configuration Reference -- vault config options
- Building a Knowledge Graph -- more graph patterns