secretumvault/svault.toml.example

# SecretumVault Configuration Example
# Copy this file to svault.toml and customize for your environment

[vault]
# Crypto backend: "openssl" | "aws-lc" | "rustcrypto"
crypto_backend = "openssl"

[server]
# Listen address and port
address = "0.0.0.0:8200"

# TLS Configuration (optional)
# tls_cert = "/etc/secretumvault/tls/cert.pem"
# tls_key = "/etc/secretumvault/tls/key.pem"
# tls_client_ca = "/etc/secretumvault/tls/ca.pem"  # For mTLS

request_timeout_secs = 30

[storage]
# Storage backend: "filesystem" | "surrealdb" | "etcd" | "postgresql"
backend = "filesystem"

[storage.filesystem]
# Path for filesystem storage
path = "/var/lib/secretumvault/data"

# Example SurrealDB configuration
# [storage.surrealdb]
# endpoint = "ws://localhost:8000"
# namespace = "vault"
# database = "production"
# username = "vault"
# password = "${SURREAL_PASSWORD}"

# Example PostgreSQL configuration
# [storage.postgresql]
# url = "${DATABASE_URL}"

[crypto]
# OpenSSL specific configuration
[crypto.openssl]
# No specific options for OpenSSL backend

# AWS-LC specific configuration (if using aws-lc backend)
# [crypto.aws_lc]
# enable_pqc = false
# hybrid_mode = true

[seal]
# Seal mechanism: "shamir" | "auto" | "transit"
seal_type = "shamir"

# Shamir Secret Sharing configuration
[seal.shamir]
shares = 5      # Total number of key shares
threshold = 3   # Minimum shares needed to unseal

# Auto-unseal with KMS (optional)
# [seal.auto]
# unseal_type = "aws-kms"
# key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
# region = "us-east-1"

[auth.cedar]
# Cedar policy configuration
# policies_dir = "/etc/secretumvault/policies"
# entities_file = "/etc/secretumvault/entities.json"

[auth.token]
# Token TTL in seconds
default_ttl = 3600      # 1 hour
max_ttl = 86400         # 24 hours

[engines]
# Configure secrets engines with mount paths

# KV Engine (Key-Value secrets)
[engines.kv]
path = "/secret/"
versioned = true

# Transit Engine (Encryption as a Service)
[engines.transit]
path = "/transit/"

# PKI Engine (Certificate Authority)
# [engines.pki]
# path = "/pki/"

# Database Engine (Dynamic secrets)
# [engines.database]
# path = "/database/"

[logging]
# Log level: "trace" | "debug" | "info" | "warn" | "error"
level = "info"

# Log format: "json" | "pretty"
format = "json"

# Optional: log file path
# output = "/var/log/secretumvault/vault.log"

# Use ANSI colors in logs
ansi = true

[telemetry]
# Prometheus metrics port (optional)
# prometheus_port = 9090

# Enable distributed tracing
enable_trace = false
chore: source code, docs and tools 2025-12-22 21:34:01 +00:00			`# SecretumVault Configuration Example`
			`# Copy this file to svault.toml and customize for your environment`

			`[vault]`
			`# Crypto backend: "openssl" \| "aws-lc" \| "rustcrypto"`
			`crypto_backend = "openssl"`

			`[server]`
			`# Listen address and port`
			`address = "0.0.0.0:8200"`

			`# TLS Configuration (optional)`
			`# tls_cert = "/etc/secretumvault/tls/cert.pem"`
			`# tls_key = "/etc/secretumvault/tls/key.pem"`
			`# tls_client_ca = "/etc/secretumvault/tls/ca.pem" # For mTLS`

			`request_timeout_secs = 30`

			`[storage]`
			`# Storage backend: "filesystem" \| "surrealdb" \| "etcd" \| "postgresql"`
			`backend = "filesystem"`

			`[storage.filesystem]`
			`# Path for filesystem storage`
			`path = "/var/lib/secretumvault/data"`

			`# Example SurrealDB configuration`
			`# [storage.surrealdb]`
			`# endpoint = "ws://localhost:8000"`
			`# namespace = "vault"`
			`# database = "production"`
			`# username = "vault"`
			`# password = "${SURREAL_PASSWORD}"`

			`# Example PostgreSQL configuration`
			`# [storage.postgresql]`
			`# url = "${DATABASE_URL}"`

			`[crypto]`
			`# OpenSSL specific configuration`
			`[crypto.openssl]`
			`# No specific options for OpenSSL backend`

			`# AWS-LC specific configuration (if using aws-lc backend)`
			`# [crypto.aws_lc]`
			`# enable_pqc = false`
			`# hybrid_mode = true`

			`[seal]`
			`# Seal mechanism: "shamir" \| "auto" \| "transit"`
			`seal_type = "shamir"`

			`# Shamir Secret Sharing configuration`
			`[seal.shamir]`
			`shares = 5 # Total number of key shares`
			`threshold = 3 # Minimum shares needed to unseal`

			`# Auto-unseal with KMS (optional)`
			`# [seal.auto]`
			`# unseal_type = "aws-kms"`
			`# key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"`
			`# region = "us-east-1"`

			`[auth.cedar]`
			`# Cedar policy configuration`
			`# policies_dir = "/etc/secretumvault/policies"`
			`# entities_file = "/etc/secretumvault/entities.json"`

			`[auth.token]`
			`# Token TTL in seconds`
			`default_ttl = 3600 # 1 hour`
			`max_ttl = 86400 # 24 hours`

			`[engines]`
			`# Configure secrets engines with mount paths`

			`# KV Engine (Key-Value secrets)`
			`[engines.kv]`
			`path = "/secret/"`
			`versioned = true`

			`# Transit Engine (Encryption as a Service)`
			`[engines.transit]`
			`path = "/transit/"`

			`# PKI Engine (Certificate Authority)`
			`# [engines.pki]`
			`# path = "/pki/"`

			`# Database Engine (Dynamic secrets)`
			`# [engines.database]`
			`# path = "/database/"`

			`[logging]`
			`# Log level: "trace" \| "debug" \| "info" \| "warn" \| "error"`
			`level = "info"`

			`# Log format: "json" \| "pretty"`
			`format = "json"`

			`# Optional: log file path`
			`# output = "/var/log/secretumvault/vault.log"`

			`# Use ANSI colors in logs`
			`ansi = true`

			`[telemetry]`
			`# Prometheus metrics port (optional)`
			`# prometheus_port = 9090`

			`# Enable distributed tracing`
			`enable_trace = false`