This article collects CredHub FAQs on how it handles secrets when the CredHub tile is used as your central vault. Below are common questions customers have raised with us while preparing for regulatory audits:
Question: As per the GitHub documentation, CredHub generates a site-specific AES-256 key on startup: it concatenates a user-defined password from its configuration file with a randomly generated salt stored in its database and hashes the resulting string to deterministically generate an AES-256 key. Can you tell me in which location this final encryption key is maintained, and in which form? Is it in plain text or encrypted? How can I get access to this final master key?
Answer: As documented in the same paragraph of the same file: “an AES256 key, which it holds in memory for the lifetime of the server”. The AES key is not stored anywhere; it is calculated at startup and kept in memory. The AES key is calculated from two static inputs: the password passed in the configuration, and the random salt stored in the database.
Question: Can you provide more details on the randomly generated salt?
Answer: CredHub uses a cryptographically secure random number generator to produce the salt.
Question: Does CredHub adhere to FIPS compliance?
Answer: Yes, CredHub is FIPS compliant.
Question: How frequently does CredHub rotate this salt and password and re-encrypt all our secrets using a new master key?
Answer: The master key is rotated whenever CredHub is redeployed with a new encryption password; it is not rotated automatically. The encryption key salt is never rotated: it is generated when a new encryption key is provided and kept forever with that specific key. If you add a new key, it will get a fresh salt.
Question: What is the algorithm used to generate the salt, the password and the master key?
Answer: The password is provided externally; Tanzu Application Service (TAS) does not control the password. The salt is randomly generated. The master key is a hash of the concatenation of the password and the salt.