Vault
Manage cryptographic keys, TLS certificates, image-pull registries, and encrypted credentials as versioned, org-scoped resources.
8 articles
What is the Vault?
The Vault is where you store and manage cryptographic keys, TLS certificates, image-pull registries, and encrypted credentials on Bahriya. Every type follows the same lifecycle — versioned, attached per project, materialised inside the containers that use it — so you learn the model once and apply it everywhere.
2 min
TLS Bundles
A TLS bundle stores the three pieces of certificate material your containers need for encrypted communication: a CA certificate, a server certificate, and a private key.
2 min
X.509 Certificates
An X.509 certificate stores a single PEM-encoded certificate. Unlike a TLS bundle, it does not include a private key or a CA certificate -- it holds one certificate file only.
2 min
GPG Keypairs
A GPG keypair stores an ASCII-armoured GPG public key and private key pair. Both halves are encrypted at rest and delivered to your containers as separate files.
2 min
SSH Keypairs
An SSH keypair stores an SSH public key and its corresponding PEM-encoded private key. Both halves are encrypted at rest and delivered to your containers as separate files.
2 min
Encryption Keys
An encryption key stores a symmetric encryption key (for example an AES-256 key) in the Bahriya vault. The raw key material is encrypted at rest and delivered to your containers as a single file.
2 min
Registries
A registry stores the credentials Bahriya uses to pull container images from a private OCI registry. Any OCI-compliant registry is supported: Docker Hub, GitHub Container Registry (ghcr.io), GitLab Container Registry, AWS Elastic Container Registry, self-hosted Harbor, and so on.
3 min
Secrets
A secret stores a single sensitive value — a database password, an API key, a signing token, an OAuth client secret — that your container needs at runtime but should never appear in logs, source code, or your container image.
4 min