Implementing Multi-Admin Secure Secret Access with Envelope Encryption

The Challenge of Multi-Admin Secret Management

Managing sensitive secrets like database passwords or API keys in a growing team presents significant security and operational hurdles. Traditional methods, such as sharing a single password or storing it in a basic vault, lead to issues like lack of auditability, difficult revocation of access, and a high operational burden when a secret needs to be rotated or an admin leaves the team. A robust system requires multiple administrators to access a shared secret using their *individual* credentials, with no plaintext exposure of the master secret and efficient admin lifecycle management (adding/removing).

Envelope Encryption: A Two-Tier Key Hierarchy

Envelope encryption provides an elegant solution by introducing a two-tier key hierarchy. Instead of directly encrypting the master secret with individual admin passwords, a randomly generated data key is used. This data key encrypts the master secret once. Then, each administrator's derived key (from their unique password) encrypts a *copy* of this data key. This architecture ensures that the master secret is never directly exposed to admin passwords and facilitates independent management of admin access.

1. The Master Secret (e.g., keystore password) is encrypted by a Data Key.
2. The Data Key is a random symmetric key.
3. Each admin's individual password derives a unique AES key (using a strong KDF like Argon2id).
4. This derived AES key then encrypts a *copy* of the Data Key for that specific admin.

Accessing the Master Secret

1. An admin logs in with their password.
2. Their password, combined with a unique salt, is used to derive an AES key (via Argon2id).
3. This derived key decrypts the admin's stored, encrypted copy of the data key.
4. The decrypted data key then decrypts the master secret, which is loaded into memory for service use.