Add Hashicorp Vault docs

content/en/docs/attestation/resources/_index.md

@@ -72,4 +72,5 @@ kubectl create secret generic kbsres1 --from-literal key1=res1val1 --from-litera
 ## Advanced configurations
 
 There are additional plugins and additional backends for the resource plugin.
-For example, Trustee can integrate with Azure Key Vault or PKCS11 HSMs.
+For example, Trustee can integrate with [Azure Key Vault](kbs-backed-by-akv),
+[HashiCorp Vault / OpenBao KV](kbs-backed-by-vault-kv), or PKCS11 HSMs.

content/en/docs/attestation/resources/resource-backends.md

@@ -68,4 +68,17 @@ The Pkcs11 backend is configured with the following values.
 	       No `slot_index` is set, the first slot will be used.
 * `pin` The user password for authenticating a session with the above slot.
 
+### HashiCorp Vault / OpenBao KV
+
+The KBS can use [HashiCorp Vault](https://developer.hashicorp.com/vault) or [OpenBao](https://www.openbao.org/)
+KV v1 as a resource backend, storing and retrieving secrets from a Vault or OpenBao instance.
+Build the KBS with the `vault` feature (e.g. `cargo build --features vault`).
+In the KBS config, add a resource plugin of type `Vault` with `vault_url`, `token`, and optionally
+`mount_path`, `verify_ssl`, and `ca_certs`.
+Resource URIs map to Vault paths as `{repository_name}/{resource_type}/{resource_tag}`; the secret
+value is stored under the key `data`.
+Only token authentication and KV v1 are supported.
+For setup, policy examples, and TLS options, see the
+[Vault KV backend documentation](https://github.com/confidential-containers/trustee/blob/main/kbs/docs/vault_kv.md)
+in the Trustee repo.