README.md in trocla-0.3.0 vs README.md in trocla-0.4.0

- old
+ new

@@ -22,11 +22,11 @@ a random password AND the plain text password in trocla. Later you can retrieve (by deleting) the plain password and send it to the user. Puppet will still simply retrieve the hashed password that is stored in trocla, while the plain password is not anymore stored on the server. -Be default trocla uses moneta to store the passwords and can use any kind of +By default trocla uses moneta to store the passwords and can use any kind of key/value based storage supported by moneta for trocla. By default it uses a simple yaml file. However, since version 0.2.0 trocla also supports a pluggable storage backend which allows you to write your custom backend. See more about stores below. 
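Review bot: the "Be default" to "By default" fix is correct; while touching this paragraph, the unchanged sentence "while the plain password is not anymore stored on the server" reads more naturally as "while the plain password is no longer stored on the server", and that one-word fix could be folded into this hunk.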
@@ -210,13 +210,30 @@ openssl versions have a bug with [leading dots](https://rt.openssl.org/Ticket/Display.html?id=3562) for name constraints. So using them might not work everywhere as expected. Output render options are: - certonly If set to true the x509 format will return only the certificate - keyonly If set to true the x509 format will return only the private key + certonly If set to true the x509 format will return only the certificate + keyonly If set to true the x509 format will return only the private key + publickeyonly If set to true the x509 format will return only the public key +### sshkey + +This format generate a ssh keypair + +Additional options are: + + type The ssh key type (rsa, dsa). Default: rsa + bits Specifies the number of bits in the key to create. Default: 2048 + comment Specifies a comment. + passphrase Specifies a passphrase. + +Output render options are: + + pubonly If set to true the sshkey format will return only the ssh public key + privonly If set to true the sshkey format will return only the ssh private key + ## Installation * Debian has trocla within its sid-release: `apt-get install trocla` * For RHEL/CentOS 7 there is a [copr reporisotry](https://copr.fedoraproject.org/coprs/duritong/trocla/). Follow the help there to integrate the repository and install trocla. * Trocla is also distributed as gem: `gem install trocla` 
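Review bot: the new sshkey section has grammar slips and under-documents the key types. "This format generate a ssh keypair" should read "This format generates an SSH keypair". The `type` line lists `dsa` on equal footing with `rsa`; DSA SSH keys are limited to 1024 bits and have been disabled by default in OpenSSH since 7.0, so mark it as legacy (or drop it) so nobody picks it just because it appears here, and say whether `bits` is ignored for dsa. For `passphrase`, state what happens to it: `privonly` renders the private key, and a reader needs to know whether the passphrase is stored in trocla alongside that key. Also, the Installation bullet in the trailing context still says "copr reporisotry"; that is a one-word fix worth including in this hunk.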
@@ -254,10 +271,11 @@ Trocla has a pluggable storage backend, which allows you to choose the way that values are stored (persistently). Such a store is a simple class that implements Trocla::Store and at the moment there are the following store implementations: * Moneta - the default store using [moneta](https://rubygems.org/gems/moneta) to delegate storing the values * Memory - simple inmemory backend. Mainly used for testing. +* Vault - modern secrets storage by HashiCorp, require the ruby gem [vault](https://github.com/hashicorp/vault-ruby) The backend is chosen based on the `store` configuration option. If it is a symbol, we expect it to be a store that we ship with trocla. Otherwise, we assume it to be a fully qualified ruby class name, that inherits from Trocla::Store. If trocla should load an additional library to be able to find your custom store class, you can set `store_require` to whatever should be passed to a ruby require statement. Store backends can be configured through the `store_options` configuration. 
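Review bot: "require the ruby gem" should be "requires the ruby gem", and this bullet should say the gem is not a hard dependency of trocla (the Vault backend section further down states this, but someone reading only the store list does not see it). Otherwise, listing `Vault` next to `Moneta` and `Memory` is consistent with the "symbol means a store shipped with trocla" rule in the paragraph below.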
@@ -295,9 +313,34 @@ :database: 'trocladb' :table: 'trocla' ``` These examples are by no way complete, moneta has much more to offer. Please have a look at [moneta's documentation](https://github.com/minad/moneta/blob/master/README.md) for further information. + +#### Vault backend + +[Vault](https://www.vaultproject.io/) is a modern secret storage supported by HashiCorp, which works with a REST API. You can create multiple storage engine. + +To use vault with trocla you need to create a kv (key/value) storage engine on the vault side. Trocla can use [v1](https://www.vaultproject.io/docs/secrets/kv/kv-v1) and [v2](https://www.vaultproject.io/docs/secrets/kv/kv-v2) API endpoints, but it's recommended to use the v2 (native hash object, history, acl...). + +You need to install the `vault` gem to be able to use the vault backend, which is not included in the default dependencies for trocla. + +With vault storage, the terminology changes: +* `mount`, this is the name of your kv engine +* `key`, this is the biggest change. As usual with trocla, the key is a simple string. With the vault kv engine, the key map to a path, so you can have a key like `my/path/key` for structured your data +* `secret`, is the data content of your key. This is a simple hash with key (format) and value (the secret content of your format) + +The trocla mapping works the same way as with a moneta or file backend. + +The `store_options` are a dynamic argument for initializer [Vault::Client](https://github.com/hashicorp/vault-ruby/blob/master/lib/vault/client.rb) class (except `:mount`, used to defined the kv name). You can define only one kv mount. + +```YAML +store: :vault +store_options: + :mount: kv + :token: s.Tok3n + :address: https://vault.local +``` ### Backend encryption By default trocla does not encrypt anything it stores. You might want to let Trocla encrypt all your passwords, at the moment the only supported way is SSL. 
Given that often trocla's store is on the same system at it's being used, there might be little sense to encrypt everything while the encryption keys are on the same system. However, if you are for example using an existing DB cluster using backend encryption you won't store any plaintext passwords within the database system.
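Review bot: the sample config embeds a Vault token (`:token: s.Tok3n`) in the YAML and the section never says what that means operationally. Since `store_options` are passed to `Vault::Client`, the token can also be supplied through the `VAULT_TOKEN` environment variable or `~/.vault-token` instead of the config file; document that, and note that a config file carrying a token needs the same file permissions as the yaml store it replaces. The text also says trocla supports both kv v1 and v2 endpoints, but the config shows no option that selects one; say whether the version is detected from the mount or must be configured. Wording: "You can create multiple storage engine" to "engines", "the key map to a path" to "maps", "for structured your data" to "for structuring your data", "used to defined the kv name" to "define", and "a dynamic argument for initializer" reads better as "passed straight to the initializer of the Vault::Client class".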