What is the Vault?
The Vault is where you store and manage cryptographic keys, TLS certificates, image-pull registries, and encrypted credentials on Bahriya. Every type follows the same lifecycle — versioned, attached per project, materialised inside the containers that use it — so you learn the model once and apply it everywhere.
Vault item types
| Type | What it stores | Use case |
|---|---|---|
| TLS Bundles | CA cert + server cert + private key (PEM) | HTTPS termination, mTLS, internal service TLS |
| x509 Certificates | A single certificate (PEM) | Client certificates, signing certs |
| GPG Keypairs | Public + private key (armored) + optional passphrase | Package signing, encrypted backups |
| SSH Keypairs | Public + private key | Deploy keys, git access |
| Encryption Keys | Raw cryptographic key material | Disk encryption, application-level encryption |
| Registries | Username + password for a private OCI image registry | Pulling private images from Docker Hub, GHCR, ECR, self-hosted |
| Secrets | A single encrypted value, injected as an environment variable | Passwords, API keys, tokens |
How it works
- Create a vault item in your organisation. Bahriya encrypts the sensitive material at rest and extracts metadata (certificate subject, expiry date, key fingerprint) so you can see it at a glance.
- Attach the item to one or more projects. This is when billing starts for the attached rate.
- Wire the item to containers within those projects. For TLS bundles, this means choosing a mount path where the certificate files appear inside the container.
- Rotate when needed. A new version is created and marked current. Previous versions are retained (default: last 5) for instant rollback.
See Project Attachments for a deeper walkthrough of the attach + wire flow across all 11 types, including the in-use detach guard and the wiring shape per type.
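A local consistency check for the three PEM files of a TLS bundle, run before the create step; it prints the same kind of metadata (subject, expiry, fingerprint) that Bahriya extracts. This is an added example, not Bahriya's own tooling: the function name `check_tls_bundle`, its arguments and its return codes are assumptions, and it relies only on the standard `openssl` command.

```shell
# Added example: local pre-upload check for a TLS bundle (CA cert + server cert
# + private key, all PEM). Names and return codes are illustrative assumptions.
# Usage: check_tls_bundle CA_PEM CERT_PEM KEY_PEM [MIN_DAYS_VALID]
check_tls_bundle() (   # subshell body keeps the variables local
  ca=$1 cert=$2 key=$3 min_days=${4:-30}

  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "unreadable file: $f" >&2; return 2; }
  done

  # 1. The server certificate must chain to the CA shipped in the same bundle.
  #    -no-CApath stops the system trust directory from satisfying the check.
  openssl verify -no-CApath -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
    { echo "server cert does not verify against bundle CA" >&2; return 3; }

  # 2. The private key must belong to the certificate: compare SHA-256 digests
  #    of the DER public key taken from each. Assumes an unencrypted PEM key;
  #    the empty -passin makes an encrypted key fail instead of prompting.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey |
    openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$key" -passin pass: -pubout -outform DER 2>/dev/null |
    openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ] ||
    { echo "private key does not match server cert" >&2; return 4; }

  # 3. Refuse a certificate that expires within MIN_DAYS_VALID days.
  openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null ||
    { echo "server cert expires within $min_days days" >&2; return 5; }

  # Print the metadata to compare with what the platform displays after upload.
  openssl x509 -in "$cert" -noout -subject -enddate -fingerprint -sha256
)
```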
Billing
Each vault item type has two rates:
- Base rate charged per month while the item exists in your organisation
- Attached rate charged per region per month while attached to a project
See the pricing page for current rates.
Managing vault items
You can manage vault items through:
- The Console UI under your organisation's Vaults section
- The Reis CLI using commands like `reis tls_bundle:create`, `reis tls_bundle:rotate`
- The Terraform provider using resources like `bahriya_tls_bundle`
- The API directly at `/organisations/{id}/tls_bundles` (and similar endpoints per type)