Secret Vault

The Secret Vault in Logto is designed to securely store sensitive user data—such as access tokens, API keys, passcodes, or any other confidential information that requires protection. These secrets are often used to access third-party services on behalf of the user, making secure storage essential.

Encryption scheme

To protect sensitive data, the Secret Vault employs a robust encryption scheme based on Data Encryption Keys (DEK) and Key Encryption Keys (KEK).

• Per-secret encryption: Each secret is encrypted with its own unique DEK, ensuring that even if one key is compromised, other secrets remain secure.
• Key wrapping: The DEK itself is encrypted (or "wrapped") with a KEK, which is securely managed and stored by the system.
• Layered security: This two-tiered approach ensures that even if part of the system is breached, attackers cannot access the secrets without both the DEK and the KEK.
• Minimized exposure: Secrets are decrypted only when absolutely necessary, reducing the risk of accidental exposure and aligning with best practices for handling sensitive data.

This layered encryption model provides strong protection for users’ most sensitive credentials and tokens, while still allowing secure access when needed.

Secret types

Federated token set

Securely store and manage access and refresh tokens issued by federated third-party identity providers (IdPs) for use in downstream API calls.

info:

Currently, federated token set is the only supported secret type out of the box. However, the Secret Vault is designed to accommodate any kind of sensitive information. If you need support for additional secret types, please contact us — we’re happy to help.