# Frequently Asked Questions
Common Questions About MazeVault
Document Version: 1.0.0
Last Updated: 2026-02-10
## General
### What is MazeVault?
MazeVault is an enterprise secrets and certificate management platform designed for regulated industries such as banking, insurance, and government. It provides secure storage for secrets (passwords, API keys, tokens), a full-featured Certificate Authority (CA) with OCSP and CRL support, and an agent-based secrets distribution system.
### What deployment options are available?
MazeVault supports two deployment models:
- Azure AKS — Managed Kubernetes on Microsoft Azure, recommended for organizations with existing Azure infrastructure
- On-premise — Docker Compose deployment on Rocky Linux or RHEL, with full air-gap (offline) support
See the Deployment Overview for details.
### What are the license tiers?
| Feature | Business | Enterprise | Custom |
|---|---|---|---|
| Secrets management | ✅ | ✅ | ✅ |
| Certificate Authority | ✅ | ✅ | ✅ |
| Agents (max) | 50 | Unlimited | Unlimited |
| Multi-DC sync | — | ✅ | ✅ |
| SCEP support | — | ✅ | ✅ |
| Custom integrations | — | — | ✅ |
| SLA | 8×5 | 24×7 | Custom |
See Licensing for the complete feature matrix.
## Security
### How are secrets encrypted?
Secrets are encrypted using AES-256-GCM with a three-tier key hierarchy:
- Master Key — Derived from the master password; never stored
- Data Encryption Keys (DEKs) — Per-resource keys encrypted by the master key
- Per-secret encryption — Each secret version uses a unique DEK
The platform uses a zero-knowledge architecture: the server never has access to the plaintext master password.
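The following is an added example of the envelope-encryption pattern the three tiers describe; it is not MazeVault's own code or storage format. A master key is derived from the master password with a KDF (PBKDF2-HMAC-SHA256 is written out here so only the Go standard library is needed), a fresh DEK is generated for each secret version and wrapped under the master key with AES-256-GCM, and the secret value is encrypted under that DEK. The salt length, iteration count, field names and the resource-ID/version AAD binding are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const kdfIterations = 100_000 // illustrative value; tune to your hardware budget

// pbkdf2SHA256 derives a 32-byte key from a password (RFC 8018, PRF = HMAC-SHA256).
// One output block suffices for 32 bytes. Use a vetted KDF package in production.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// sealGCM encrypts under a fresh random nonce; output is nonce || ciphertext || tag.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; tampering with nonce, ciphertext, tag or AAD fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// StoredSecret is everything the server persists. Without the master password
// none of it can be decrypted, which is the zero-knowledge property.
type StoredSecret struct {
	Version    uint32
	Salt       []byte // KDF salt; the master key itself is never stored
	WrappedDEK []byte // per-version DEK, encrypted under the master key
	Ciphertext []byte // secret value, encrypted under the DEK
}

// EncryptSecret mints a fresh DEK for this version, wraps it under the
// password-derived master key and encrypts the value under the DEK. Resource ID
// and version are bound as AAD so a blob cannot be swapped between resources.
func EncryptSecret(masterPassword, resourceID string, version uint32, plaintext []byte) (*StoredSecret, error) {
	salt := make([]byte, 16)
	dek := make([]byte, 32)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	masterKey := pbkdf2SHA256([]byte(masterPassword), salt, kdfIterations)
	aad := []byte(fmt.Sprintf("%s/v%d", resourceID, version))
	wrapped, err := sealGCM(masterKey, dek, aad)
	if err != nil {
		return nil, err
	}
	ct, err := sealGCM(dek, plaintext, aad)
	if err != nil {
		return nil, err
	}
	return &StoredSecret{Version: version, Salt: salt, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptSecret re-derives the master key, unwraps the DEK and decrypts the value.
func DecryptSecret(masterPassword, resourceID string, s *StoredSecret) ([]byte, error) {
	masterKey := pbkdf2SHA256([]byte(masterPassword), s.Salt, kdfIterations)
	aad := []byte(fmt.Sprintf("%s/v%d", resourceID, s.Version))
	dek, err := openGCM(masterKey, s.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("wrong master password or tampered key blob")
	}
	return openGCM(dek, s.Ciphertext, aad)
}
```

Because the DEK is wrapped rather than derived, rotating the master password only requires re-wrapping the DEKs, not re-encrypting every secret version; and because the AAD carries the resource ID and version, a wrapped blob copied from one resource to another fails authentication instead of decrypting silently.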
### Does MazeVault support multi-factor authentication?
Yes. MazeVault supports:
- TOTP — Time-based one-time passwords (RFC 6238), compatible with Google Authenticator, Authy, etc.
- FIDO2/WebAuthn — Hardware security keys (YubiKey, etc.)
- Recovery codes — One-time backup codes for emergency access
MFA can be enforced at the organizational level for all users.
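As an added illustration of the TOTP method listed above (this is example code, not MazeVault's authenticator), the block below implements RFC 6238 code generation (HMAC-SHA1, 30-second step) and a server-side verifier. The verifier accepts one step of clock skew in either direction and records the highest step already accepted per user, so a code observed during its validity window cannot be replayed. The 8-digit length matches the RFC test vectors; the user keys and in-memory store are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const totpStep = 30 // seconds per time step (RFC 6238 default)

// totpCode computes the RFC 6238 code (HMAC-SHA1 variant) for a Unix time.
func totpCode(secret []byte, unixTime int64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(unixTime/totpStep))
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	offset := h[len(h)-1] & 0x0f                                    // dynamic truncation (RFC 4226 section 5.3)
	bin := binary.BigEndian.Uint32(h[offset:offset+4]) & 0x7fffffff // clear the sign bit
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, bin%mod)
}

// TOTPVerifier is the server side of the check. It tolerates one step of clock
// skew either way and never accepts a step at or below one already consumed for
// that user, which closes the replay window a plain "does it match" check leaves open.
type TOTPVerifier struct {
	secret   []byte
	digits   int
	lastStep map[string]int64 // user -> highest accepted step (constructed in-memory store)
}

func NewTOTPVerifier(secret []byte, digits int) *TOTPVerifier {
	return &TOTPVerifier{secret: secret, digits: digits, lastStep: map[string]int64{}}
}

// Verify reports whether code is valid for user at time now and, if so, marks
// the step as used.
func (v *TOTPVerifier) Verify(user, code string, now time.Time) bool {
	step := now.Unix() / totpStep
	for _, delta := range []int64{0, -1, 1} {
		cand := step + delta
		if cand < 0 {
			continue
		}
		expected := totpCode(v.secret, cand*totpStep, v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) != 1 {
			continue
		}
		if last, seen := v.lastStep[user]; seen && cand <= last {
			return false // same or older step already consumed: replay
		}
		v.lastStep[user] = cand
		return true
	}
	return false
}
```

The constant-time comparison matters less for a 6- or 8-digit code than for a long token, but it costs nothing; the per-user "last accepted step" is the part most home-grown verifiers omit, and it is what turns a one-time password into something that is actually one-time.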
### What compliance standards does MazeVault support?
MazeVault implements controls aligned with:
- ISO/IEC 27001:2022 — Information security management
- SOC 2 Type II — Trust services criteria
- PCI DSS v4.0 — Payment card data protection
- NIS2 — EU critical infrastructure directive
- Czech Cybersecurity Act (ZoKB) — National requirements
- GDPR — Data protection regulation
See the Compliance Matrix for specific control mappings.
### How does MazeVault handle audit logging?
Every significant operation (authentication, secret access, certificate issuance, configuration changes) is recorded in an immutable audit log. Logs include:
- Timestamp (UTC, nanosecond precision)
- Actor identity and source IP
- Operation type and target resource
- Result (success/failure) and error details
Logs can be exported to external SIEM systems via syslog (RFC 5424) or webhook integration.
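To show what the syslog export path looks like on the wire, here is an added example (not MazeVault's exporter) that takes an audit record with the fields listed above and formats it as an RFC 5424 message with the fields carried as structured data. The SD-ID `audit@32473` uses the enterprise number reserved for documentation (RFC 5612), the facility/severity choice, hostname and app name are assumptions, and note the one real constraint it surfaces: RFC 5424 allows at most six fractional-second digits, so a nanosecond timestamp is truncated to microseconds in the syslog copy.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// AuditEvent carries the fields the FAQ lists for every audit record.
type AuditEvent struct {
	Time     time.Time
	Actor    string
	SourceIP string
	Op       string
	Target   string
	Success  bool
	Err      string
}

const (
	facilityAuth = 10 // security/authorization messages (RFC 5424 Table 1)
	severityInfo = 6
	severityWarn = 4
)

// sdEscape escapes the three characters RFC 5424 section 6.3.3 requires to be
// escaped inside a PARAM-VALUE. A single-pass Replacer avoids double-escaping.
func sdEscape(s string) string {
	return strings.NewReplacer(`\`, `\\`, `"`, `\"`, `]`, `\]`).Replace(s)
}

// ToSyslog renders the event as an RFC 5424 message:
// <PRI>1 TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
func ToSyslog(e AuditEvent, hostname, appName string) string {
	sev, result := severityInfo, "success"
	if !e.Success {
		sev, result = severityWarn, "failure"
	}
	pri := facilityAuth*8 + sev
	// TIME-SECFRAC is limited to 6 digits, so nanoseconds are truncated here.
	ts := e.Time.UTC().Format("2006-01-02T15:04:05.000000Z")
	sd := fmt.Sprintf(`[audit@32473 actor="%s" src="%s" op="%s" target="%s" result="%s" error="%s"]`,
		sdEscape(e.Actor), sdEscape(e.SourceIP), sdEscape(e.Op), sdEscape(e.Target), result, sdEscape(e.Err))
	msg := fmt.Sprintf("%s %s %s", e.Op, e.Target, result)
	return fmt.Sprintf("<%d>1 %s %s %s - audit %s %s", pri, ts, hostname, appName, sd, msg)
}
```

Keeping every field in structured data rather than only in the free-text MSG is what lets a SIEM index actor, source IP and target without a fragile regex; the escaping is the part that breaks parsers when a target name happens to contain a quote or a closing bracket.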
## Certificates
### What certificate types can MazeVault issue?
MazeVault CA supports:
- Server certificates — TLS/SSL for web servers and services
- Client certificates — Mutual TLS authentication
- Code signing certificates — Software signing
- Intermediate CA certificates — Delegated CA hierarchy
### Does MazeVault support ACME (Let's Encrypt)?
MazeVault operates as a private CA for internal certificate management. It does not issue publicly trusted certificates. For public TLS, continue using your existing public CA. MazeVault excels at managing internal PKI infrastructure where you control the trust chain.
### How does certificate revocation work?
MazeVault supports two revocation mechanisms:
- CRL (Certificate Revocation List) — Published at a configurable interval; can be distributed to clients
- OCSP (Online Certificate Status Protocol) — Real-time certificate status checking via the built-in OCSP Responder
Both mechanisms update immediately when a certificate is revoked.
### Can I import existing certificates?
Yes. MazeVault supports importing:
- PEM-encoded certificates with optional private key
- PKCS#12 / PFX bundles
- Full certificate chains (leaf + intermediates + root)
Imported certificates are tracked for expiration monitoring alongside CA-issued certificates.
## Agents
### What is a MazeVault Agent?
The MazeVault Agent is a lightweight process that runs on target servers and synchronizes secrets from the central MazeVault platform. It provides:
- Automatic secret rotation without application restarts
- Local caching for high availability
- Encrypted communication with mutual TLS
- File-based secret delivery for application consumption
### What platforms does the agent support?
The agent runs on:
- Linux — x86_64 and ARM64 (Ubuntu, RHEL, Rocky, Debian, Alpine)
- Windows — x86_64 (Windows Server 2019+)
- Containers — Available as a sidecar container for Kubernetes deployments
### How does agent authentication work?
Agent authentication uses a two-step process:
- Bootstrap — Initial registration with a one-time bootstrap token
- Mutual TLS — After registration, the agent receives a client certificate for ongoing authentication
Bootstrap tokens are time-limited and usage-limited (single-use by default).
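The bootstrap step, as an added example of how a server can enforce the time limit and single-use property described above (illustrative code, not the MazeVault server). The server stores only a SHA-256 hash of the token's secret part, so a copy of its token table does not yield usable tokens; expiry and remaining uses are fixed at issue time; comparison is constant-time; and a successful single-use redemption deletes the record. Returning the bound agent name is where the second step would start: the server would place it in the subject of the client certificate it issues for mutual TLS (issuance itself is not shown). The token format and in-memory store are assumptions of this example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
	"sync"
	"time"
)

var errInvalidToken = errors.New("invalid bootstrap token")

// bootstrapRecord is all the server keeps for a token: a hash of the secret
// part (never the token itself), its expiry and remaining uses.
type bootstrapRecord struct {
	hash      [32]byte
	expires   time.Time
	usesLeft  int
	agentName string
}

// BootstrapStore is a constructed in-memory stand-in for the server's token table.
type BootstrapStore struct {
	mu      sync.Mutex
	records map[string]*bootstrapRecord // keyed by the public token ID
}

func NewBootstrapStore() *BootstrapStore {
	return &BootstrapStore{records: map[string]*bootstrapRecord{}}
}

// Issue mints a token of the form "<id>.<secret>" for one named agent. TTL and
// use count are fixed here and cannot be extended by the agent.
func (s *BootstrapStore) Issue(agentName string, ttl time.Duration, maxUses int, now time.Time) (string, error) {
	id := make([]byte, 8)
	secret := make([]byte, 32)
	if _, err := rand.Read(id); err != nil {
		return "", err
	}
	if _, err := rand.Read(secret); err != nil {
		return "", err
	}
	idStr := base64.RawURLEncoding.EncodeToString(id)
	secretStr := base64.RawURLEncoding.EncodeToString(secret)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[idStr] = &bootstrapRecord{
		hash:      sha256.Sum256([]byte(secretStr)),
		expires:   now.Add(ttl),
		usesLeft:  maxUses,
		agentName: agentName,
	}
	return idStr + "." + secretStr, nil
}

// Redeem checks a presented token and burns one use. On success it returns the
// agent name the token was bound to, for the caller to put into the client
// certificate it issues next.
func (s *BootstrapStore) Redeem(token string, now time.Time) (string, error) {
	id, secret, ok := strings.Cut(token, ".")
	if !ok {
		return "", errInvalidToken
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec := s.records[id]
	if rec == nil {
		return "", errInvalidToken
	}
	if now.After(rec.expires) {
		delete(s.records, id)
		return "", errors.New("bootstrap token expired")
	}
	got := sha256.Sum256([]byte(secret))
	if subtle.ConstantTimeCompare(got[:], rec.hash[:]) != 1 {
		return "", errInvalidToken
	}
	rec.usesLeft--
	if rec.usesLeft <= 0 {
		delete(s.records, id) // single-use by default: gone after the first successful redemption
	}
	return rec.agentName, nil
}
```

Splitting the token into a public ID and a hashed secret keeps the lookup cheap while ensuring the stored table is useless on its own; binding the agent name at issue time means a redeemed token can only ever produce a certificate for the agent it was issued for.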
## Deployment & Operations
### What are the minimum hardware requirements?
| Component | Minimum | Recommended |
|---|---|---|
| CPU | 4 cores | 8 cores |
| RAM | 8 GB | 16 GB |
| Storage | 50 GB SSD | 100 GB NVMe SSD |
| Network | 100 Mbps | 1 Gbps |
See Requirements for detailed specifications.
### Can MazeVault run in an air-gapped environment?
Yes. The on-premise deployment supports fully air-gapped (offline) installations:
- Docker images are delivered as an offline package
- No external network access required during operation
- CRL distribution works locally without internet access
### What is the backup strategy?
MazeVault supports multiple backup approaches:
- Database backups — PostgreSQL continuous archiving and point-in-time recovery
- Key material backups — Encrypted key exports for disaster recovery
- Azure Backup — Native integration for AKS deployments
Recommended: Daily automated backups with a 30-day retention period. See Backup & Restore for procedures.
### What is the recommended upgrade process?
1. Create a full backup (database + configuration)
2. Review the release notes for breaking changes
3. Pull new container images
4. Apply database migrations (automatic on startup)
5. Restart services
6. Verify health endpoints
Rolling upgrades with zero downtime are supported on AKS deployments using Helm. See Maintenance for detailed upgrade checklists.
## API
### What authentication methods does the API support?
The API supports two authentication methods:
- Session-based — Cookie authentication after SRP login (for web UI)
- API Key — X-API-Key header authentication (for programmatic access)
### Are there rate limits?
Yes:
| Endpoint Type | Limit |
|---|---|
| Authentication | 5 requests/minute |
| Standard API | 100 requests/minute |
| Bulk operations | 20 requests/minute |
| Health checks | 300 requests/minute |
Rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset) are included in every response.
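Putting the API-key authentication and the rate-limit headers together, here is an added Go client example (not a MazeVault SDK; none exists yet per the FAQ). It sends the key in the X-API-Key header, reads X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset from each response, and stops issuing requests locally once the reported budget hits zero until the reset time passes. The FAQ does not state how X-RateLimit-Reset is encoded, so Unix epoch seconds is assumed; the /api/v1/secrets path and the in-process fake server (used so the example runs offline) are also constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
	"sync"
	"time"
)

// RateInfo is the budget reported by the X-RateLimit-* headers.
type RateInfo struct {
	Limit, Remaining int
	Reset            time.Time
}

// parseRateHeaders reads the three headers the FAQ names. The encoding of
// X-RateLimit-Reset is not documented on the page; epoch seconds is assumed.
func parseRateHeaders(h http.Header) (RateInfo, error) {
	limit, err1 := strconv.Atoi(h.Get("X-RateLimit-Limit"))
	remaining, err2 := strconv.Atoi(h.Get("X-RateLimit-Remaining"))
	reset, err3 := strconv.ParseInt(h.Get("X-RateLimit-Reset"), 10, 64)
	if err1 != nil || err2 != nil || err3 != nil {
		return RateInfo{}, errors.New("missing or malformed X-RateLimit-* headers")
	}
	return RateInfo{Limit: limit, Remaining: remaining, Reset: time.Unix(reset, 0)}, nil
}

// Client authenticates with X-API-Key and refuses to send a request while the
// last response reported an exhausted budget whose window has not reset yet.
type Client struct {
	base, apiKey string
	hc           *http.Client
	mu           sync.Mutex
	last         RateInfo
}

// Get performs an authenticated GET and returns the status code and the
// rate budget the server reported on that response.
func (c *Client) Get(path string) (int, RateInfo, error) {
	c.mu.Lock()
	last := c.last
	c.mu.Unlock()
	if last.Limit > 0 && last.Remaining == 0 && time.Now().Before(last.Reset) {
		return 0, last, fmt.Errorf("rate budget exhausted until %s", last.Reset.UTC().Format(time.RFC3339))
	}
	req, err := http.NewRequest(http.MethodGet, c.base+path, nil)
	if err != nil {
		return 0, last, err
	}
	req.Header.Set("X-API-Key", c.apiKey)
	resp, err := c.hc.Do(req)
	if err != nil {
		return 0, last, err
	}
	defer resp.Body.Close()
	info, perr := parseRateHeaders(resp.Header)
	if perr == nil {
		c.mu.Lock()
		c.last = info
		c.mu.Unlock()
	}
	return resp.StatusCode, info, nil
}

// newFakeAPI is a constructed stand-in for the MazeVault API so the example
// runs offline: it checks the key, reports the headers on every response (as
// the FAQ says the real API does) and grants three requests per window.
func newFakeAPI(validKey string) *httptest.Server {
	var mu sync.Mutex
	remaining := 3
	reset := time.Now().Add(time.Minute).Unix()
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		defer mu.Unlock()
		w.Header().Set("X-RateLimit-Limit", "3")
		w.Header().Set("X-RateLimit-Reset", strconv.FormatInt(reset, 10))
		w.Header().Set("X-RateLimit-Remaining", strconv.Itoa(remaining))
		if r.Header.Get("X-API-Key") != validKey {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		if remaining == 0 {
			w.WriteHeader(http.StatusTooManyRequests)
			return
		}
		remaining--
		w.Header().Set("X-RateLimit-Remaining", strconv.Itoa(remaining))
		w.WriteHeader(http.StatusOK)
	}))
}
```

Honouring the headers client-side is what keeps a batch job from tripping the 100 requests/minute standard limit and then retrying into the 429 responses; the authentication limit of 5 requests/minute is the one to watch for login-heavy automation, which is another reason to prefer a long-lived API key over repeated SRP logins for programmatic access.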
### Is there an SDK or client library?
Currently, MazeVault provides a RESTful API with comprehensive OpenAPI documentation. Client libraries are on the roadmap. The API uses standard REST conventions, making it straightforward to integrate with any HTTP client.
## Related
- Troubleshooting — Error resolution guide
- Quick Start Guide — Getting started
- API Getting Started — API integration guide