The current default for vaults is the standard vault.
The standard vault is a vault that can be accessed by anyone who has access to the KRA key and is accessible by the framework directly.
The "standard vault" is therefore not a good default as any admin can access it.
Users must take an actual explicit step to choose such a vault and they must be prominently warned that IPA administrators can access secrets stored in such a vault at any time.
The default vault should probably be the "symmetric vault".
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1257072
master:
ipa-4-2:
Metadata Update from @simo: - Issue assigned to pvoborni - Issue set to the milestone: FreeIPA 4.2.1