A Variable stores a versioned, encrypted value.
Each addition of a new value increments the version number. The most recent version is fetched by default, but all versions are available.
A role must hold the corresponding permission on a variable in order to act on it:
- read: the role can show the variable's attributes (metadata); fetching the value itself requires execute
- update: the role can add a value, which creates a new version
- execute: the role can fetch (display) a secret value
Variable values are encrypted with AES-256-GCM and stored using envelope encryption, in the following manner:
- The Conjur service which stores Variables is configured with a unique 256-bit master key.
- Each Variable value is encrypted with its own unique encryption key (a per-value data key).
- That per-value key is in turn encrypted (wrapped) with the master key.
- The encrypted per-value key and the encrypted value are stored together in the database. The master key itself is held only by the service, so the database contents alone cannot be decrypted.
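The storage scheme above, as an added example in Go. This is not Conjur's own code (the Conjur server is written in Ruby); it is an illustration of the same envelope-encryption layout. A Vault type holds the 256-bit master key, draws a fresh 256-bit key for each stored value, seals the value under that key with AES-256-GCM, wraps the per-value key under the master key, and keeps only the two ciphertexts (with their nonces) per version, so fetching version 0 returns the most recent value and earlier versions stay available. All names (Vault, AddValue, FetchValue, record) are this example's own, and binding each ciphertext to the variable id and version number through GCM's additional data is the example's choice, not documented Conjur behaviour.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// record is one stored version of one Variable, laid out as the database holds it.
type record struct {
	keyNonce, wrappedKey []byte // per-value key, AES-256-GCM under the master key
	valNonce, ciphertext []byte // value, AES-256-GCM under the per-value key
}

// Vault models the service; the master key lives only here, never in a record.
type Vault struct {
	master  cipher.AEAD // AES-256-GCM keyed with the configured 256-bit master key
	records map[string][]record
}

func NewVault(masterKey []byte) (*Vault, error) {
	master, err := newGCM(masterKey) // aes.NewCipher only fails on a bad key size
	if err != nil || len(masterKey) != 32 {
		return nil, fmt.Errorf("master key must be 256 bits, got %d", len(masterKey)*8)
	}
	return &Vault{master: master, records: map[string][]record{}}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// randomBytes draws from the OS CSPRNG; if that fails there is no safe fallback.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(aead cipher.AEAD, plaintext, aad []byte) (nonce, ct []byte) {
	nonce = randomBytes(aead.NonceSize())
	return nonce, aead.Seal(nil, nonce, plaintext, aad)
}

// aad binds a ciphertext to its Variable id and version so a stored record cannot be
// moved to another slot (this example's assumption, not documented Conjur behaviour).
func aad(id string, version int) []byte {
	return []byte(fmt.Sprintf("%s#%d", id, version))
}

// AddValue seals a new version under a fresh per-value key, wraps that key under
// the master key, stores both ciphertexts, and returns the new version number.
func (v *Vault) AddValue(id string, value []byte) (int, error) {
	version := len(v.records[id]) + 1
	dek := randomBytes(32) // unique 256-bit key used for this one value only
	dekAEAD, err := newGCM(dek)
	if err != nil {
		return 0, err
	}
	valNonce, ct := seal(dekAEAD, value, aad(id, version))
	keyNonce, wrapped := seal(v.master, dek, aad(id, version))
	v.records[id] = append(v.records[id], record{keyNonce, wrapped, valNonce, ct})
	return version, nil
}

// FetchValue unwraps the per-value key with the master key, then decrypts the value;
// version 0 selects the most recent one, and a tampered record fails to authenticate.
func (v *Vault) FetchValue(id string, version int) ([]byte, error) {
	recs := v.records[id]
	if version == 0 {
		version = len(recs)
	}
	if version < 1 || version > len(recs) {
		return nil, fmt.Errorf("%s: no version %d", id, version)
	}
	r := recs[version-1]
	dek, err := v.master.Open(nil, r.keyNonce, r.wrappedKey, aad(id, version))
	if err != nil {
		return nil, fmt.Errorf("unwrap key: %w", err)
	}
	dekAEAD, err := newGCM(dek)
	if err != nil {
		return nil, err
	}
	return dekAEAD.Open(nil, r.valNonce, r.ciphertext, aad(id, version))
}

func main() {
	v, _ := NewVault(randomBytes(32)) // a real service loads the key from configuration
	v.AddValue("prod/db/password", []byte("hunter2"))
	v.AddValue("prod/db/password", []byte("correct horse battery staple"))
	latest, _ := v.FetchValue("prod/db/password", 0)
	fmt.Printf("latest: %q\n", latest)
}
```

Run it with `go run`. The master key is generated at startup only for the demonstration. Two identical values stored in a row produce different ciphertexts and different wrapped keys, because each gets its own key and nonce, and any change to a stored record (a flipped ciphertext byte, a record moved to another version slot, or an attempt to unwrap with a different master key) makes FetchValue return an error instead of a value.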