Secure secret and encryption key management with rotation support.
## Overview

The Vault page provides a secure interface for managing secrets and encryption keys used throughout the DeltaForge platform. Security administrators and data engineers use this page to store connection passwords, API tokens, encryption keys, and other sensitive material that pipelines and connections reference at runtime.

The vault integrates with the credential storage backend configured on the Credential Storage page. Secrets can be created directly in the vault or linked from an external backend (Azure Key Vault, AWS Secrets Manager, or GCP Secret Manager) so that the platform resolves them at execution time without duplicating sensitive material.

## Key Features

- **Secret entry management.** Create, update, and delete secret entries. Each entry has a unique key name, a masked value, and optional metadata such as expiration date and owner. Secret values are never displayed in plaintext after initial creation.
- **Encryption key storage.** Store symmetric and asymmetric encryption keys used by data protection policies, pseudonymisation transforms, and encrypted Delta Lake tables. Key metadata (algorithm, key length, creation date) is visible without exposing the key material itself.
- **Key rotation.** Rotate encryption keys on a defined schedule or on demand. Rotation creates a new key version while retaining previous versions so that data encrypted with older keys remains readable during migration.
- **Linked secrets from external backends.** Reference secrets stored in an external credential backend without copying their values into the local vault. Linked secrets resolve dynamically at query and pipeline execution time, ensuring that the platform always uses the current version from the authoritative store.

## Workflow

1. Navigate to the Vault page from the Configuration sidebar.
2. Click the add secret button to create a new entry or link an external secret.
3. For a local secret, provide a key name and the secret value. For a linked secret, select the external backend and the target secret path.
4. Optionally set an expiration date and assign an owner.
5. Save the entry. Pipelines and connections can now reference this secret by its key name.
6. To rotate an encryption key, select the key entry and trigger rotation. Verify that the new version is active.
7. Periodically audit the vault to remove expired or unused entries.
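
The version retention described under **Key rotation**, as an added Python example (not DeltaForge code or its API): tokens produced by a keyed pseudonymisation transform carry the key version, so values tagged before a rotation stay verifiable until they are migrated. The `VersionedKeyring` class, its method names, the `v<N>:` token prefix, and the use of HMAC-SHA256 as the transform are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class VersionedKeyring:
    """In-memory stand-in for one vault key entry with retained versions (hypothetical)."""

    def __init__(self):
        self._versions = {}  # version number -> key bytes
        self.active = 0
        self.rotate()

    def rotate(self):
        """Create a new key version and make it active; older versions are kept."""
        self.active += 1
        self._versions[self.active] = secrets.token_bytes(32)
        return self.active

    def retire(self, version):
        """Drop an old version once no stored token references it any more."""
        if version == self.active:
            raise ValueError("cannot retire the active key version")
        del self._versions[version]

    def pseudonymise(self, value):
        """Return 'v<version>:<hex tag>' computed with the active key version."""
        return self._tag(self.active, value)

    def matches(self, token, value):
        """Check a token against a value with the key version named in the token."""
        version = int(token.split(":", 1)[0][1:])
        if version not in self._versions:
            raise KeyError(f"key version {version} is no longer retained")
        return hmac.compare_digest(token, self._tag(version, value))

    def migrate(self, token, value):
        """Re-issue a token that matches under its old version with the active one."""
        if not self.matches(token, value):
            raise ValueError("token does not match value")
        return self.pseudonymise(value)

    def _tag(self, version, value):
        mac = hmac.new(self._versions[version], value.encode(), hashlib.sha256)
        return f"v{version}:{mac.hexdigest()}"
```

Retiring a version before every token that names it has been migrated makes those tokens unverifiable, which is why `matches` fails loudly instead of returning `False` for a missing version.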