# KVv2 Password Policy and Generation
The KV secrets engine version 2 (KVv2) provides built-in capabilities for generating random strings and passwords with configurable policies. This feature allows teams to generate secure, policy-compliant passwords directly within Vault and store them in their namespace's KV store.
## Overview
Teams have two options for password generation:
### Option A: Use Default Policy (One-Step Process)
- Generate and Store: use the pre-created `umn_default_policy` immediately

### Option B: Create Custom Policy (Two-Step Process)
- Create Password Policy: define custom generation rules
- Generate and Store: use your custom policy to generate passwords
## UMN Password Standards
The University follows UIS security standards requiring complex passwords that:
- Are 16 or more characters in length
- Contain two or more of the following character types:
    - Lower case letters
    - Upper case letters
    - Numbers
    - Symbols/special characters
!!! note
    The `umn_default_policy` is designed to meet all UMN password standards outlined above, including the 16+ character length and multiple character types.
## Step 1: Login and Set Environment
```bash
# Set environment variables
export VAULT_ADDR=https://hcp-vault-private-vault-fc507e0d.5d5b1f21.z1.hashicorp.cloud:8200

# Login via SAML
vault login --method=saml --namespace=admin

# Set your team's namespace
export VAULT_NAMESPACE=admin/CESI
```
## Step 2: Password Generation Options
### Option A: Use Pre-created UMN Policy (Recommended)
A default password policy, `umn_default_policy`, has been pre-created in all team namespaces and sub-namespaces following UIS requirements. Teams can use it immediately without any setup:
```bash
# Generate and store password using UMN default policy
vault kv put secret/generated-password \
  password="$(vault read -field=password sys/policies/password/umn_default_policy/generate)"
```
Example Response:
```text
====== Secret Path ======
secret/data/generated-password

======= Metadata =======
Key                Value
---                -----
created_time       2025-01-15T10:30:15.123456789Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
```
### Option B: Create Custom Team Policy (Advanced)
If your team needs specific password requirements beyond the UMN default policy:
```bash
# Create custom team policy
# The heredoc delimiter is quoted so the shell leaves the charset strings
# (which contain "$" and "&") exactly as written.
vault write sys/policies/password/team-custom-policy policy=- <<'EOF'
length = 20
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 3
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 3
}
rule "charset" {
  charset = "0123456789"
  min-chars = 3
}
rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 3
}
EOF
```
Example Response:
```text
Success! Data written to: sys/policies/password/team-custom-policy
```
```bash
# Generate and store password using custom policy
vault kv put secret/generated-password \
  password="$(vault read -field=password sys/policies/password/team-custom-policy/generate)"
```
Example Response:
```text
====== Secret Path ======
secret/data/generated-password

======= Metadata =======
Key                Value
---                -----
created_time       2025-09-05T10:30:15.123456789Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
```
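The following is an added example and not code from the original page or from UMN's Vault setup. It wraps the generate-and-store command used in Options A and B with two checks a practitioner would want before writing anything to KVv2: `meets_umn_standard` verifies the UMN standard (16+ characters, two or more character types) and `meets_custom_policy` mirrors the four `charset` rules of `team-custom-policy` above. `generate_and_store` then writes the password to KVv2 and records the policy name, purpose and generation time as custom metadata. The function names, the two sample passwords, and the use of `vault kv metadata put -custom-metadata` and of `password=-` (which makes the CLI read the value from stdin instead of the command line) are my choices; the Vault API paths are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): validate a password against the
# UMN standard and the page's team-custom-policy rules, then store it in KVv2
# with custom metadata. Needs only a POSIX shell and tr; the Vault CLI is used
# solely by generate_and_store(), which is not run automatically.

# meets_umn_standard PASSWORD
# Returns 0 when PASSWORD is 16+ characters and uses at least two of the four
# classes (lower, upper, digit, symbol), as the UMN standard requires.
meets_umn_standard() {
  local pw=$1 classes=0
  [ "${#pw}" -ge 16 ] || return 1
  case $pw in *[[:lower:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[[:upper:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[[:digit:]]*) classes=$((classes + 1)) ;; esac
  case $pw in *[![:alnum:]]*) classes=$((classes + 1)) ;; esac
  [ "$classes" -ge 2 ]
}

# count_in PASSWORD CHARSET -> number of characters of PASSWORD that are in CHARSET
count_in() {
  local kept
  kept=$(printf '%s' "$1" | tr -cd "$2")
  printf '%s' "${#kept}"
}

# meets_custom_policy PASSWORD
# Mirrors team-custom-policy from the page: length 20 and at least 3 characters
# from each of the four charsets (min-chars = 3).
meets_custom_policy() {
  local pw=$1
  [ "${#pw}" -eq 20 ] || return 1
  [ "$(count_in "$pw" 'abcdefghijklmnopqrstuvwxyz')" -ge 3 ] || return 1
  [ "$(count_in "$pw" 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')" -ge 3 ] || return 1
  [ "$(count_in "$pw" '0123456789')" -ge 3 ] || return 1
  [ "$(count_in "$pw" '!@#$%^&*')" -ge 3 ] || return 1
}

# generate_and_store KV_PATH POLICY_NAME PURPOSE
# Generates a password from the named Vault password policy (the page's Option
# A/B command), refuses to store it if it somehow fails the UMN standard, writes
# it to KVv2 via stdin, and records provenance as KVv2 custom metadata.
generate_and_store() {
  local path=$1 policy=$2 purpose=$3 pw
  pw=$(vault read -field=password "sys/policies/password/$policy/generate") || return 1
  if ! meets_umn_standard "$pw"; then
    echo "refusing to store: output of policy '$policy' does not meet the UMN standard" >&2
    return 1
  fi
  # "password=-" tells the CLI to read the value from stdin, keeping it out of argv.
  printf '%s' "$pw" | vault kv put "$path" password=- || return 1
  vault kv metadata put \
    -custom-metadata=policy="$policy" \
    -custom-metadata=purpose="$purpose" \
    -custom-metadata=generated_at="$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    "$path"
}

# Offline demonstration on constructed sample values (no Vault calls).
# The page's example password meets the UMN standard but not the stricter
# custom policy: it is 16 characters long and contains only two symbols.
SAMPLE_PAGE_PW='Kx8#mP2vQ9$wE7rT'
SAMPLE_CUSTOM_PW='abcABC123!@#defDEF45'
if meets_umn_standard "$SAMPLE_PAGE_PW"; then echo "page sample: meets UMN standard"; fi
if ! meets_custom_policy "$SAMPLE_PAGE_PW"; then echo "page sample: fails team-custom-policy"; fi
if meets_custom_policy "$SAMPLE_CUSTOM_PW"; then echo "custom sample: meets team-custom-policy"; fi
```

To use it against a real namespace, run Step 1 first and then call, for example, `generate_and_store secret/generated-password umn_default_policy "app login"`; the policy and purpose then show up under `custom_metadata` in `vault kv get`, which is the metadata the Best Practices section asks for. Vault's generator always satisfies its own policy, so `meets_umn_standard` is mainly a guard for the case where a policy was edited to something weaker than the UMN standard.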
## Step 3: Retrieve Generated Password
```bash
# Retrieve the generated password
vault kv get secret/generated-password
```
Example Response:
```text
====== Secret Path ======
secret/data/generated-password

======= Metadata =======
Key                Value
---                -----
created_time       2025-09-05T10:30:15.123456789Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1

====== Data ======
Key         Value
---         -----
password    Kx8#mP2vQ9$wE7rT
```
## Common Use Cases
### Database Password Generation
```bash
# Generate database password
vault kv put secret/database-password \
  username="app_user" \
  password="$(vault read -field=password sys/policies/password/umn_default_policy/generate)"
```
## Policy Guidelines
Use the default policy (`umn_default_policy`) when:
- Standard UIS security requirements are sufficient
- No specific compliance requirements beyond UIS standards
- Simplicity and consistency are preferred
- Quick implementation is needed
Create custom policies when:
- Specific compliance requirements beyond UIS standards
- Third-party systems with unique password requirements
- Enhanced security for critical applications requiring longer passwords
- Legacy systems with character restrictions
## Best Practices (Recommended)
- Use the default policy (`umn_default_policy`) for most use cases
- Use the one-liner approach for simple generation and storage
- Create custom policies only when necessary for specific requirements
- Include metadata when storing (generation time, policy used, purpose)