---
layout: docs
page_title: Save random strings
description: >-
  Use password policies and the key/value v2 plugins to generate and store
  random strings in Vault.
---

# Save random strings to the key/value v2 plugin

Use [password policies](/vault/docs/concepts/password-policies) to generate
random strings and save the strings to your key/value v2 plugin.

## Before you start

- **You must have `read`, `create`, and `update` permission for password policies**.
- **You must have `create` and `update` permission for your `kv` v2 plugin**.

## Step 1: Create a password policy file

Create an HCL file that defines a password policy with the desired
randomization and generation rules.

For example, the following password policy requires a string 20 characters long
that includes:

- at least one lowercase character
- at least one uppercase character
- at least one number
- at least two special characters

```hcl
length=20

rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 1
}

rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 1
}

rule "charset" {
  charset = "0123456789"
  min-chars = 1
}

rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 2
}
```

## Step 2: Save the password policy

Use `vault write` to save policies to the password policies endpoint
(`sys/policies/password/<policy_name>`):

```shell-session
$ vault write sys/policies/password/<policy_name> policy=@<path_to_policy_file>
```

For example:

```shell-session
$ vault write sys/policies/password/randomize policy=@password-rules.hcl

Success! Data written to: sys/policies/password/randomize
```

Escape your password policy file and make a `POST` call to
[`/sys/policies/password/{policy_name}`](/vault/api-docs/system/policies-password#create-update-password-policy)
with your password creation rules:

```shell-session
$ jq -Rs '{ "policy": . | gsub("[\\r\\n\\t]"; "") }' <path_to_policy_file> | curl \
    --request POST \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --data "$(cat)" \
    ${VAULT_ADDR}/v1/sys/policies/password/<policy_name>
```

For example:

```shell-session
$ jq -Rs '{ "policy": . | gsub("[\\r\\n\\t]"; "") }' ./password-rules.hcl | curl \
    --request POST \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --data "$(cat)" \
    ${VAULT_ADDR}/v1/sys/policies/password/randomize
```

`/sys/policies/password/{policy_name}` does not return data on success.

## Step 3: Save a random string to `kv` v2

Use `vault read` and the `generate` endpoint of the new password policy to
generate a new random string and write it to the `kv` plugin with
`vault kv put`:

```shell-session
$ vault kv put \
    -mount <plugin_mount_path> \
    <secret_path> \
    <key_name>=$( \
      vault read -field password \
      sys/policies/password/<policy_name>/generate \
    )
```

For example:

```shell-session
$ vault kv put \
    -mount shared \
    /dev/seeds \
    seed1=$( \
      vault read -field password \
      sys/policies/password/randomize/generate \
    )

==== Secret Path ====
shared/data/dev/seeds

======= Metadata =======
Key                Value
---                -----
created_time       2024-11-15T23:15:31.929717548Z
custom_metadata    <nil>
deletion_time      n/a
destroyed          false
version            1
```

Use the
[`/sys/policies/password/{policy_name}/generate`](/vault/api-docs/system/policies-password#generate-password-from-password-policy)
endpoint of the new password policy to generate a random string and write it to
the `kv` plugin with a `POST` call to
[`/{plugin_mount_path}/data/{secret_path}`](/vault/api-docs/secret/kv/kv-v2#create-update-secret):

```shell-session
$ curl \
    --request POST \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --data \
    "{
      \"data\": {
        \"<key_name>\": \"$(
          vault read -field password sys/policies/password/<policy_name>/generate
        )\"
      }
    }" \
    ${VAULT_ADDR}/v1/<plugin_mount_path>/data/<secret_path>
```

For example:

```shell-session
$ curl \
    --request POST \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    --data \
    "{
      \"data\": {
        \"seed1\": \"$(
          vault read -field password sys/policies/password/randomize/generate
        )\"
      }
    }" \
    ${VAULT_ADDR}/v1/shared/data/dev/seeds | jq

{
  "request_id": "f9fad221-74e7-72c4-3f5a-9364944c37d9",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "created_time": "2024-11-15T23:33:08.549750507Z",
    "custom_metadata": null,
    "deletion_time": "",
    "destroyed": false,
    "version": 1
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null,
  "mount_type": "kv"
}
```

## Step 4: Verify the data in Vault

Use [`vault kv get`](/vault/docs/command/kv/read) with the `-field` flag to
read the randomized string from the relevant secret path:

```shell-session
$ vault kv get \
    -mount <plugin_mount_path> \
    -field <key_name> \
    <secret_path>
```

For example:

```shell-session
$ vault kv get -mount shared -field seed1 dev/seeds

g0bc0b6W3ii^SXa@*ie5
```

@include 'gui-instructions/plugins/kv/open-overview.mdx'

- Select the **Secret** tab.
- Click the eye icon to view the desired key value.

![Partial screenshot of the Vault GUI showing the randomized string stored at the path dev/seeds.](/img/gui/kv/random-string.png)

Call the
[`/{plugin_mount_path}/data/{secret_path}`](/vault/api-docs/secret/kv/kv-v2#read-secret-version)
endpoint to read all the key/value pairs at the secret path:

```shell-session
$ curl \
    --request GET \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    ${VAULT_ADDR}/v1/<plugin_mount_path>/data/<secret_path>
```

For example:

```shell-session
$ curl \
    --request GET \
    --header "X-Vault-Token: ${VAULT_TOKEN}" \
    ${VAULT_ADDR}/v1/shared/data/dev/seeds | jq

{
  "request_id": "c1202e8d-aff9-2d81-0929-4a558a193b4c",
  "lease_id": "",
  "renewable": false,
  "lease_duration": 0,
  "data": {
    "data": {
      "seed1": "g0bc0b6W3ii^SXa@*ie5"
    },
    "metadata": {
      "created_time": "2024-11-15T23:33:08.549750507Z",
      "custom_metadata": null,
      "deletion_time": "",
      "destroyed": false,
      "version": 1
    }
  },
  "wrap_info": null,
  "warnings": null,
  "auth": null,
  "mount_type": "kv"
}
```