Vaultx.Sys.Policies.Password (Vaultx v0.7.0)


Password policy management for the HashiCorp Vault system backend (sys/policies/password).

This module wraps Vault's password policy endpoints. A password policy is an HCL document that tells Vault how to generate passwords: a required total length, plus one or more charset rules that each require a minimum number of characters drawn from a given character set. Secrets engines that support password policies (see Compatibility below) reference a policy by name when they create or rotate credentials, so the policy decides the strength of every password those engines produce.

Password Policy Features

Policy Definition

  • HCL policy document with a required length and one or more rule blocks
  • rule "charset" blocks, each giving a character set and the minimum number of characters (min-chars) the password must draw from it; charset is the only rule type Vault currently documents
  • Several charset rules per policy (lowercase, uppercase, digits, symbols) to express complexity requirements
  • Vault generates from the union of all rule charsets, so a character can appear only if some rule's charset contains it

Policy Management

  • Create and update password policies
  • Read existing policy configurations
  • List all configured password policies
  • Delete unused password policies
  • Generate test passwords from policies

Integration Support

  • Referenced by name from the secrets engines that support password policies
  • Vault validates the policy, including trial password generation, before it is stored
  • Generated passwords are drawn from Vault's cryptographically secure random source

API Compliance

Implements the HashiCorp Vault Password Policies API under /sys/policies/password: write, read, list, delete and generate.

Usage Examples

# Create a password policy
policy = ~s(
  length = 20
  rule "charset" {
    charset = "abcdefghijklmnopqrstuvwxyz"
    min-chars = 1
  }
  rule "charset" {
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    min-chars = 1
  }
  rule "charset" {
    charset = "0123456789"
    min-chars = 1
  }
)
:ok = Vaultx.Sys.Policies.Password.write("strong-policy", policy)

# List all password policies
{:ok, policies} = Vaultx.Sys.Policies.Password.list()
policies #=> ["strong-policy", "basic-policy"]

# Read a specific policy
{:ok, policy_info} = Vaultx.Sys.Policies.Password.read("strong-policy")
policy_info.policy #=> "length = 20\nrule \"charset\" { ... }"

# Generate a password from a policy (the result is a map, see password_generation_result/0)
{:ok, result} = Vaultx.Sys.Policies.Password.generate("strong-policy")
result.password #=> "Kj8mN2pQ9rT5vW3xY7zA"

# Delete a policy
:ok = Vaultx.Sys.Policies.Password.delete("old-policy")

Password Policy Syntax Examples

Basic Length Policy

length = 16

Character Set Rules

length = 20
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 3
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 2
}
rule "charset" {
  charset = "0123456789"
  min-chars = 2
}
rule "charset" {
  charset = "!@#$%^&*"
  min-chars = 1
}

Longer Password with a Wider Symbol Set

The four rules below require 15 characters in total, leaving 9 positions unconstrained. Vault rejects a policy whose combined min-chars exceed its length.

length = 24
rule "charset" {
  charset = "abcdefghijklmnopqrstuvwxyz"
  min-chars = 5
}
rule "charset" {
  charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
  min-chars = 5
}
rule "charset" {
  charset = "0123456789"
  min-chars = 3
}
rule "charset" {
  charset = "!@#$%^&*()-_=+[]{}|;:,.<>?"
  min-chars = 2
}
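The following is an added example, not code from Vaultx or from Vault's own documentation. It builds a policy document in the syntax shown above from a list of {charset, min_chars} pairs, rejects locally the two things Vault refuses (an empty charset, and combined min-chars larger than length), adds a length floor of its own (the 12 is this example's choice, not a Vault value), and estimates an entropy upper bound so the "reasonable character set sizes and length" advice can be checked with a number. The module name PasswordPolicyHcl and its function names are this example's.

```elixir
defmodule PasswordPolicyHcl do
  @moduledoc """
  Added example, not part of Vaultx. Builds a Vault password policy document
  from `{charset, min_chars}` rules and checks it locally before a round trip.
  """

  # This floor is the example's own choice for a credential policy. Vault
  # enforces its own minimum length server-side.
  @min_length 12

  @doc "Renders `length` and one rule \"charset\" block per rule as HCL."
  def build(len, rules) do
    blocks =
      Enum.map(rules, fn {charset, min} ->
        "rule \"charset\" {\n  charset = \"#{escape(charset)}\"\n  min-chars = #{min}\n}\n"
      end)

    "length = #{len}\n" <> Enum.join(blocks)
  end

  # HCL strings use backslash escapes, so these two characters must be escaped.
  defp escape(charset) do
    charset
    |> String.replace("\\", "\\\\")
    |> String.replace("\"", "\\\"")
  end

  @doc """
  Returns :ok or {:error, reasons}. Empty charsets and combined min-chars
  above `len` are also rejected by Vault; catching them here gives a
  clearer error than an HTTP 400.
  """
  def validate(len, rules) do
    total_min = rules |> Enum.map(fn {_cs, min} -> min end) |> Enum.sum()

    errors =
      []
      |> add_if(len < @min_length, {:too_short, len, @min_length})
      |> add_if(rules == [], :no_rules)
      |> add_if(Enum.any?(rules, fn {cs, _min} -> cs == "" end), :empty_charset)
      |> add_if(Enum.any?(rules, fn {_cs, min} -> min < 0 end), :negative_min_chars)
      |> add_if(total_min > len, {:min_chars_exceed_length, total_min, len})

    case errors do
      [] -> :ok
      errs -> {:error, Enum.reverse(errs)}
    end
  end

  defp add_if(errors, true, reason), do: [reason | errors]
  defp add_if(errors, false, _reason), do: errors

  @doc """
  Upper bound on entropy in bits: len * log2(size of the union of all
  charsets). min-chars constraints only shrink the space, so the true
  value is at or below this.
  """
  def entropy_bits(len, rules) do
    union_size =
      rules
      |> Enum.flat_map(fn {cs, _min} -> String.graphemes(cs) end)
      |> MapSet.new()
      |> MapSet.size()

    if union_size <= 1, do: 0.0, else: len * :math.log2(union_size)
  end
end

# Usage with the four-rule policy from the Character Set Rules section above.
rules = [
  {"abcdefghijklmnopqrstuvwxyz", 3},
  {"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 2},
  {"0123456789", 2},
  {"!@#$%^&*", 1}
]

:ok = PasswordPolicyHcl.validate(20, rules)
policy = PasswordPolicyHcl.build(20, rules)
IO.puts(policy)
IO.puts("entropy upper bound: #{Float.round(PasswordPolicyHcl.entropy_bits(20, rules), 1)} bits")

# Minimums that cannot fit in the length are caught before reaching Vault.
{:error, [{:min_chars_exceed_length, 25, 20}]} =
  PasswordPolicyHcl.validate(20, [{"abcdefghijklmnopqrstuvwxyz", 25}])

# `policy` is now a document suitable for Vaultx.Sys.Policies.Password.write/2.
```

The entropy figure is deliberately an upper bound: 20 characters over a 70-character union is about 122.6 bits, and every min-chars constraint removes strings from that space. Vault performs the sum-of-minimums and empty-charset checks itself; doing them locally only moves the failure earlier and makes the reason explicit.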

Security Considerations

  • Vault validates a policy before storing it: the HCL must parse, the rules must be satisfiable (an empty charset, or combined min-chars larger than length, is rejected), and Vault performs trial generations; a policy it cannot satisfy in time is refused.
  • Generation is rejection sampling: Vault draws a random string from the union of all charsets and retries until every rule holds. Tight minimums relative to length, or a rule with a tiny charset, make generation slow, and that latency lands on credential creation and rotation.
  • Strength comes from length and charset size, not from the number of rules. A longer password over a few broad charsets beats a short one with many narrow minimums; the rules can only shrink the keyspace below length × log2(size of the union charset).
  • Treat the output of generate/2 as a credential: do not log it, print it in test output, or leave it in shell history. Use the endpoint to check policies, not as a general random-string service.
  • delete/2 checks nothing: Vault does not stop you from removing a policy that an engine still references, so repoint those engines first.
  • Test a policy before production: generate a batch, confirm each password satisfies the rules, and measure latency; then monitor generation latency in production.
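The preflight the last point describes, as an added example rather than Vaultx's own code. It writes the policy with write/3, pulls a batch of passwords through generate/2, checks each one client-side against the {charset, min_chars} rules the policy was built from, and reports rule shortfalls and latency without ever echoing a password. It assumes a reachable Vault with the Vaultx client already configured (this page does not show that setup) and a token permitted to write and generate under sys/policies/password; the module and function names are this example's. check/3 is pure and can be tried offline, as the last lines show.

```elixir
defmodule PasswordPolicyPreflight do
  @moduledoc """
  Added example, not part of Vaultx. Writes a policy, generates a batch
  through Vault, and verifies each password against the expected rules.
  """

  alias Vaultx.Sys.Policies.Password

  @doc """
  `rules` lists `{charset, min_chars}` pairs matching the policy's
  rule "charset" blocks. Returns {:ok, report} or {:error, reason}.
  A non-empty `:violations` means the stored policy does not enforce what
  you think it does; a high `:latency_us_max` means the rules are too
  tight for Vault's rejection sampling to satisfy quickly.
  """
  def run(name, policy, len, rules, samples \\ 50, opts \\ []) when samples > 0 do
    with :ok <- Password.write(name, policy, opts),
         {:ok, batch} <- generate_batch(name, samples, opts) do
      violations =
        for {pw, _us} <- batch, issues = check(pw, len, rules), issues != [], do: issues

      latencies = batch |> Enum.map(fn {_pw, us} -> us end) |> Enum.sort()

      {:ok,
       %{
         samples: length(batch),
         violations: violations,
         latency_us_median: Enum.at(latencies, div(length(latencies), 2)),
         latency_us_max: List.last(latencies)
       }}
    end
  end

  @doc """
  Returns [] when `password` has length `len` and satisfies every rule,
  otherwise a list of shortfalls. The password itself is never included:
  it is a credential and belongs neither in logs nor in test output.
  """
  def check(password, len, rules) do
    actual = String.length(password)
    len_issues = if actual == len, do: [], else: [{:length, expected: len, got: actual}]

    rule_issues =
      for {charset, min} <- rules,
          got = count_from(password, charset),
          got < min,
          do: {:charset, charset, min: min, got: got}

    len_issues ++ rule_issues
  end

  defp count_from(password, charset) do
    allowed = charset |> String.graphemes() |> MapSet.new()
    password |> String.graphemes() |> Enum.count(&MapSet.member?(allowed, &1))
  end

  # Times each generate/2 call; stops at the first error.
  defp generate_batch(name, n, opts) do
    Enum.reduce_while(1..n, {:ok, []}, fn _i, {:ok, acc} ->
      {micros, result} = :timer.tc(fn -> Password.generate(name, opts) end)

      case result do
        {:ok, %{password: pw}} -> {:cont, {:ok, [{pw, micros} | acc]}}
        other -> {:halt, {:error, {:generate_failed, other}}}
      end
    end)
  end
end

# Offline check of the sample password shown in this page's examples against the
# strong-policy rules (one lowercase, one uppercase, one digit): no shortfalls.
strong_rules = [
  {"abcdefghijklmnopqrstuvwxyz", 1},
  {"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 1},
  {"0123456789", 1}
]

[] = PasswordPolicyPreflight.check("Kj8mN2pQ9rT5vW3xY7zA", 20, strong_rules)

# The same password fails a policy that also demands a symbol.
[{:charset, "!@#$%^&*", min: 1, got: 0}] =
  PasswordPolicyPreflight.check("Kj8mN2pQ9rT5vW3xY7zA", 20, strong_rules ++ [{"!@#$%^&*", 1}])

# Against a live Vault, with `policy` holding the three-rule strong-policy
# document from the Usage Examples above (needs a configured client):
# {:ok, report} = PasswordPolicyPreflight.run("strong-policy", policy, 20, strong_rules, 100)
# report.violations == [] and an acceptable report.latency_us_max gate the rollout.
```

The report carries counts and shortfalls only. Keeping generated passwords out of the report is what lets this run in CI without leaking credential candidates into build logs.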

Compatibility

Password policies are referenced by name from the configuration of the secrets engines that support them; an engine with no policy configured falls back to its default password generation:

  • Active Directory secrets engine (password_policy on the engine configuration)
  • LDAP secrets engine (password_policy on the engine configuration)
  • Database secrets engine (password_policy on each connection configuration under database/config/:name; it governs rotation for that connection whatever the plugin)
  • Custom secrets engines (plugins) that call Vault's password policy generator

Summary

Types

Generated password response structure.

Password policy information structure.

Password policy management options.

Functions

Delete a password policy.

Generate a password from a password policy.

List all configured password policies.

Read a specific password policy.

Create or update a password policy.

Types

password_generation_result()

@type password_generation_result() :: %{password: String.t()}

Generated password response structure.

password_policy_info()

@type password_policy_info() :: %{policy: String.t()}

Password policy information structure.

password_policy_opts()

@type password_policy_opts() :: [
  timeout: pos_integer(),
  retry_attempts: non_neg_integer(),
  namespace: String.t()
]

Password policy management options.

Functions

delete(name, opts \\ [])

Delete a password policy.

Permanently removes the specified password policy. This does not check if any secrets engines are using it prior to deletion, so ensure that any engines utilizing this password policy are changed to a different policy or to their default behavior. Implements DELETE /sys/policies/password/:name.

Examples

:ok = Vaultx.Sys.Policies.Password.delete("old-policy")

generate(name, opts \\ [])

Generate a password from a password policy.

Generates a password using the specified existing password policy. This is useful for testing password policies and generating passwords programmatically using the defined rules. Implements GET /sys/policies/password/:name/generate.

Examples

{:ok, result} = Vaultx.Sys.Policies.Password.generate("my-policy")
result.password #=> "Kj8mN2pQ9rT5vW3xY7zA"

list(opts \\ [])

List all configured password policies.

Returns a list of password policy names available in the Vault instance. Implements LIST /sys/policies/password and GET /sys/policies/password?list=true.

Examples

{:ok, policies} = Vaultx.Sys.Policies.Password.list()
policies #=> ["my-policy", "strong-policy"]

read(name, opts \\ [])

Read a specific password policy.

Retrieves the policy rules for the specified password policy name. Implements GET /sys/policies/password/:name.

Examples

{:ok, policy_info} = Vaultx.Sys.Policies.Password.read("my-policy")
policy_info.policy #=> "length = 20\nrule \"charset\" { ... }"

write(name, policy, opts \\ [])

Create or update a password policy.

Creates a new password policy or updates an existing one with the specified rules. Prior to saving, Vault will attempt to generate passwords from the policy to validate it and ensure it's not overly restrictive. Implements POST /sys/policies/password/:name.

Parameters

  • name: The name of the password policy
  • policy: The HCL password policy document

Examples

policy = ~s(
  length = 20
  rule "charset" {
    charset = "abcdefghijklmnopqrstuvwxyz"
    min-chars = 1
  }
  rule "charset" {
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    min-chars = 1
  }
)
:ok = Vaultx.Sys.Policies.Password.write("my-policy", policy)