Roadmap

The vault foundation is in place: envelope encryption and the key hierarchy, grants with independent read/write authorization, the consent ceremony, the cross-site consumer API (a remote site reads and writes a vault over OAuth), multi-tenancy (isolated vault realms with a per-tenant Master KEK), owner data export and dormant-vault cleanup with warn-before-purge, the audit-trail bridges, and operator health checks on the Status Report (Master KEK reachability, writable storage, a bounded cleanup backlog and rotation progress; #3593592). The items below are planned enhancements; progress is tracked in the roadmap meta, #3593605.

Master KEK in a secret store

The Master KEK can now live in OpenBao or HashiCorp Vault: the pdv_vault submodule wraps each Subject KEK with the store's Transit engine, so the root key never reaches Drupal (see Master KEK in OpenBao or Vault). Building on that, a future variant under the same module could instead fetch the Master KEK from the store's key-value engine, for sites that want a store-held key but a local wrap.
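As an added illustration, not pdv_vault's own code, the PHP sketch below shows the key hierarchy that wrap builds on: a stand-in Transit object keeps every Master KEK version to itself and exposes only encrypt, decrypt and rewrap, so a Master KEK rotation rewraps the stored Subject KEK while the data ciphertext is untouched. The TransitStub class, the gcmSeal/gcmOpen helpers and the sample record are assumptions made for the illustration.

```php
<?php
// Added illustration, not pdv_vault's own code. Requires ext-openssl.

function gcmSeal(string $key, string $plain): string {
  $iv = random_bytes(12);
  $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
  return $iv . $tag . $ct;  // 12-byte nonce, 16-byte tag, then ciphertext
}

function gcmOpen(string $key, string $blob): string {
  $plain = openssl_decrypt(substr($blob, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                           substr($blob, 0, 12), substr($blob, 12, 16));
  if ($plain === false) { throw new RuntimeException('unwrap failed'); }
  return $plain;
}

// Stand-in for the Transit engine: Master KEK versions never leave this object.
final class TransitStub {
  private array $versions = [];
  public function rotate(): int { $this->versions[] = random_bytes(32); return count($this->versions); }
  public function encrypt(string $plain): string {
    $v = count($this->versions);
    return "vault:v$v:" . base64_encode(gcmSeal($this->versions[$v - 1], $plain));
  }
  public function decrypt(string $wrapped): string {
    [, $v, $b64] = explode(':', $wrapped, 3);
    return gcmOpen($this->versions[(int) substr($v, 1) - 1], base64_decode($b64));
  }
  // Rewrap under the newest version; the caller never sees the plaintext Subject KEK.
  public function rewrap(string $wrapped): string { return $this->encrypt($this->decrypt($wrapped)); }
}

$transit = new TransitStub();
$transit->rotate();                                   // Master KEK v1 exists only in the store
$subjectKek = random_bytes(32);                       // generated on the Drupal side
$wrappedKek = $transit->encrypt($subjectKek);         // only this wrapped form is persisted
$sample = 'constructed sample record: 1985-03-14';
$record = gcmSeal($subjectKek, $sample);              // subject data under the Subject KEK
unset($subjectKek);                                   // no plaintext KEK kept at rest

$transit->rotate();                                   // Master KEK rotation to v2
$wrappedKek = $transit->rewrap($wrappedKek);          // rotation progress = KEKs rewrapped so far
if (!str_starts_with($wrappedKek, 'vault:v2:')) { throw new RuntimeException('rewrap did not advance'); }
// The record is untouched by rotation and still opens through the freshly unwrapped KEK.
if (gcmOpen($transit->decrypt($wrappedKek), $record) !== $sample) { throw new RuntimeException('data lost'); }
echo "rotation rewrapped the Subject KEK without re-encrypting the record\n";
```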

Per-kind discriminator

For non-unique kinds, an optional discriminator field (for example a year on a tax form) would let the vault distinguish instances and avoid duplicates per discriminator value.

Tenant resolution connectors

Multi-tenancy ships with pluggable tenant resolution and one resolver, ConsumerTenantResolver, which binds each call to its consumer's tenant. A domain-based connector (resolve the tenant from the request host) is still to come, for front-ends that are not consumer-driven. Tracked in #3593589.

Operational monitoring

The Status Report health surface above is in place. Building on it, an optional pdv_monitoring submodule would expose those signals, plus the seal and unseal failure rate, Master KEK rotation progress, and consumer flood, as sensors for the Monitoring module, enabling continuous checks and external alerting (#3593593).

Multi-value vault file element

Let the pdv_file webform element hold several files, lifting its current single-value lock once the picker, materialization, download, and save-back all handle one value per delta (#3593569).