BYOV is optional. DataRaven also provides built-in secret storage powered by AWS SSM Parameter Store SecureString, so you can store credentials securely without connecting an external vault.
Supported Vaults
1Password
Connect via Service Account token.
Doppler
Project-level access tokens.
Infisical
Machine identity authentication.
How It Works
- Connect your vault — Provide DataRaven with a scoped access token for your secrets manager
- Create secrets — Map DataRaven secret names to paths in your vault
- Reference in locations — When configuring a location, reference vault secrets instead of entering credentials directly
- Zero-knowledge resolution — At transfer time, DataRaven resolves the secret, uses it for the rclone operation, and discards it immediately
Setting Up a Vault Connection
Via Dashboard
- Go to Settings → Vault Connections
- Click Add Connection
- Select your vault provider
- Enter the required token/credentials
- Click Test to verify the connection
Security Model
- DataRaven never stores your cloud provider credentials
- Vault tokens are encrypted at rest and scoped to minimum required access
- Credentials are resolved in-memory at execution time and immediately discarded
- All vault operations are logged for audit purposes