Vault (read-only secure credential store) is a repeatedly requested feature
for Keycloak. A document that covers the vault design proposal has been
created in  and is ready for review by the community.
The vault proposed in that design is intentionally simple. It should cover
use cases for passwords and other credential types that are currently
stored in the database in plain text. It does not and is not intended to cover
write operations into the vault - writes should be managed by the tooling
around the vault. Externalizing encryption / decryption of secrets is also
not covered by this proposal and can follow once the vault is in place.
Review comments are appreciated.