Overview
Vault, developed by HashiCorp, is a secrets management solution designed to address the challenges of securing sensitive data in modern IT environments. It provides a centralized system for storing, managing, and controlling access to various types of secrets, including API keys, passwords, certificates, and encryption keys (see What is Vault?). Vault aims to reduce the risk of secret exposure by offering features such as dynamic secret generation, data encryption, and robust access control policies.
Vault operates on the principle of identity-based security, where access to secrets is granted based on trusted identities rather than static credentials embedded in configuration files or code. This approach integrates with existing authentication systems like Kubernetes, AWS IAM, Azure Active Directory, and GitHub, allowing Vault to verify the identity of a requesting application or user before dispensing a secret (see Vault Authentication Methods). This helps ensure that secrets are only accessible to authorized entities, minimizing the attack surface.
A key capability of Vault is its ability to generate dynamic secrets on demand. Instead of providing long-lived, static credentials, Vault can create temporary secrets for databases, cloud providers, and other services. These dynamic secrets have a limited lifespan and are automatically revoked after use or expiration, reducing the window of opportunity for attackers to exploit compromised credentials (see Vault Dynamic Secrets). This functionality is particularly beneficial in ephemeral environments and microservice architectures.
Vault is suitable for organizations that require stringent security controls over their sensitive data, especially those operating in multi-cloud or hybrid environments. Its features support use cases ranging from securing application secrets to managing cryptographic keys for data encryption. The platform's extensibility through its API and plugin architecture allows it to integrate with a wide array of systems and workflows (see Vault API Reference). While the self-managed Community Edition offers a free starting point, complex deployments, high availability, and advanced features often necessitate the Enterprise version or the managed HashiCorp Cloud Platform (HCP) Vault.
The complexity of Vault's setup and ongoing management, particularly for high-availability configurations, can be a consideration for smaller teams. However, its comprehensive feature set for secrets management, audit logging, and policy enforcement makes it well suited to organizations prioritizing security and compliance. For instance, the ability to store secrets in encrypted storage backends and provide detailed audit trails contributes to meeting compliance requirements such as PCI DSS and HIPAA (see Vault Compliance).
Key features
- Secrets Management: Securely stores and manages various types of secrets, including API keys, passwords, certificates, and arbitrary key-value pairs (see Vault Secrets Engines).
- Dynamic Secrets: Generates on-demand, temporary credentials for databases, cloud providers, and other services, with automatic revocation.
- Data Encryption: Provides encryption as a service, allowing applications to encrypt data without direct access to encryption keys (see Vault Transit Secrets Engine).
- Identity-Based Access: Integrates with existing identity providers (e.g., Kubernetes, AWS IAM, LDAP, GitHub) to authenticate users and machines (see Vault Authentication Methods).
- Access Control Policies: Enforces granular access policies to control which identities can access specific secrets or perform certain operations.
- Audit Logging: Maintains detailed audit trails of all requests to Vault, including successful and failed attempts to access secrets (see Vault Audit Devices).
- Secret Leasing and Renewal: Manages the lifecycle of secrets, allowing for automatic renewal or revocation based on defined leases.
- Multi-Cloud and Hybrid Support: Designed to operate across diverse infrastructures, including on-premises, private cloud, and public cloud environments.
- High Availability: Supports deployment configurations for high availability and disaster recovery to ensure continuous operation.
Pricing
Vault offers a free self-managed Community Edition and paid options through HashiCorp Cloud Platform (HCP) Vault and Vault Enterprise.
| Product/Tier | Description | Starting Price (As of 2026-05-09) |
|---|---|---|
| Vault Community Edition | Self-managed, open-source version. Includes core secrets management features. | Free |
| HCP Vault Standard | Managed service on HashiCorp Cloud Platform. Includes core features, managed infrastructure, and support. | $0.34/hour for 1 Vault cluster, plus storage and data transfer (see HCP Vault Pricing) |
| Vault Enterprise | Self-managed enterprise version with advanced features like performance replication, multi-datacenter capabilities, and enhanced governance. | Contact sales for pricing (see Vault Enterprise Pricing) |
Common integrations
- Kubernetes: Integrates with Kubernetes to provide secrets to pods and authenticate workloads (see Vault and Kubernetes Integration).
- AWS IAM: Authenticates users and roles via AWS IAM credentials and generates dynamic AWS access keys (see Vault AWS Auth Method).
- Azure Active Directory: Enables authentication using Azure AD identities (see Vault Azure Auth Method).
- Databases (MySQL, PostgreSQL, MongoDB): Generates dynamic database credentials for applications (see Vault Database Secrets Engine).
- Cloudflare: Issues and manages Cloudflare API tokens and certificates (see Vault Cloudflare Secrets Engine).
- Consul: Often used in conjunction with Consul for service discovery and configuration (see Vault and Consul Integration).
- Terraform: Used by Terraform to retrieve secrets needed for infrastructure provisioning (see Terraform Vault Provider).
Alternatives
- AWS Secrets Manager: A fully managed service for securely storing and retrieving secrets in AWS environments, offering automatic rotation and integration with other AWS services.
- Azure Key Vault: A cloud service for securely storing and managing cryptographic keys, secrets, and SSL/TLS certificates for Azure resources and applications.
- GCP Secret Manager: A managed service on Google Cloud Platform for storing API keys, passwords, certificates, and other sensitive data, with built-in versioning and access control.
- CyberArk Conjur: An open-source secrets management service focused on securing secrets for DevOps pipelines and applications (see CyberArk Conjur).
- Akeyless Vault: A SaaS-based secrets management platform that provides secrets lifecycle management, privileged access management, and data encryption.
Getting started
This example demonstrates how to start a local Vault dev server, verify the root token, and store/retrieve a secret using the cURL command-line tool. Ensure you have Vault and jq installed and available in your PATH.
# 1. Start a Vault dev server in a new terminal
vault server -dev -dev-listen-address="127.0.0.1:8200"
# The output will provide a Root Token and Unseal Key. Keep them secure.
# Example output:
# Root Token: s.YOUR_ROOT_TOKEN_HERE
# Unseal Key: YOUR_UNSEAL_KEY_HERE
# 2. In a new terminal, set the VAULT_ADDR environment variable
export VAULT_ADDR='http://127.0.0.1:8200'
# 3. Verify the root token obtained in step 1 by looking it up. A Vault token is
# itself the credential, so there is no separate "login" call for tokens; the
# lookup-self endpoint confirms the token is valid and shows its policies and TTL.
# Replace 's.YOUR_ROOT_TOKEN_HERE' with your actual root token
export VAULT_TOKEN="s.YOUR_ROOT_TOKEN_HERE"
curl -s --header "X-Vault-Token: $VAULT_TOKEN" \
$VAULT_ADDR/v1/auth/token/lookup-self | jq -c '.data | {id, policies, ttl}'
# Example output: {"id":"s.YOUR_ROOT_TOKEN_HERE","policies":["root"],"ttl":0}
# For simplicity in this dev setup, the root token is used directly.
# For production, create client tokens with specific policies (for example via
# auth/token/create) and export those as VAULT_TOKEN instead of the root token.
# 4. Enable a KV (Key-Value) version 2 secrets engine at path 'secret'.
# The dev server already mounts a KV v2 engine at 'secret/', so this call returns
# "path is already in use" on a dev server and can be skipped there. The
# "version": "2" option matters: steps 5 and 6 use the KV v2 '/data/' API paths.
curl -s --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data '{"type": "kv", "options": {"version": "2"}}' \
$VAULT_ADDR/v1/sys/mounts/secret
# 5. Write a secret to the path 'secret/my-app/config'
curl -s --header "X-Vault-Token: $VAULT_TOKEN" \
--request POST \
--data '{"data": {"api_key": "supersecretkey123", "db_user": "app_user"}}' \
$VAULT_ADDR/v1/secret/data/my-app/config
# 6. Read the secret from 'secret/my-app/config'
curl -s --header "X-Vault-Token: $VAULT_TOKEN" \
--request GET \
$VAULT_ADDR/v1/secret/data/my-app/config | jq .data.data
# Expected output:
# {
# "api_key": "supersecretkey123",
# "db_user": "app_user"
# }
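The same KV v2 write/read exchange as above, wrapped in a small Python client, as an added example that is not part of the original page or of HashiCorp's own SDK. It shows the X-Vault-Token header, the {"data": ...} envelope on writes, the data.data unwrapping on reads, and KV v2 check-and-set (options.cas), which rejects a write whose expected version is stale. The transport is injectable; fake_vault and EXAMPLE_TOKEN are a constructed stand-in for a Vault server so the code runs offline.

```python
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple

# A transport maps (method, url, headers, json_body_or_None) -> (status, parsed JSON body).
Transport = Callable[[str, str, Dict[str, str], Any], Tuple[int, Dict[str, Any]]]
EXAMPLE_TOKEN = "s.EXAMPLE_TOKEN"  # constructed placeholder, not a real Vault token

@dataclass
class VaultKV2:
    """Minimal KV v2 client over Vault's HTTP API (illustrative, not HashiCorp's SDK)."""
    addr: str
    token: str
    transport: Transport

    def _call(self, method: str, path: str, body: Any = None) -> Dict[str, Any]:
        status, resp = self.transport(method, f"{self.addr}/v1/{path}",
                                      {"X-Vault-Token": self.token}, body)
        if status >= 400:  # Vault reports failures as {"errors": [...]}
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {resp.get('errors')}")
        return resp

    def write(self, path: str, data: Dict[str, str], cas: Optional[int] = None) -> int:
        # KV v2 wraps the pairs in a "data" envelope; "options.cas" (check-and-set) makes
        # the write fail unless the stored version equals cas, so a stale writer loses.
        body = {"data": data} if cas is None else {"data": data, "options": {"cas": cas}}
        return self._call("POST", f"secret/data/{path}", body)["data"]["version"]

    def read(self, path: str) -> Dict[str, str]:
        # The secret is under data.data; data.metadata carries the version number.
        return self._call("GET", f"secret/data/{path}")["data"]["data"]

def fake_vault(store: Dict[str, Dict[str, Any]]) -> Transport:
    """Constructed stand-in for a Vault server: enforces the token and the KV v2 envelope."""
    def transport(method, url, headers, body):
        if headers.get("X-Vault-Token") != EXAMPLE_TOKEN:
            return 403, {"errors": ["permission denied"]}
        path = url.split("/v1/", 1)[1]
        entry = store.get(path)
        if method == "POST":
            current = entry["version"] if entry else 0
            cas = (body.get("options") or {}).get("cas")
            if cas is not None and cas != current:
                return 400, {"errors": ["check-and-set parameter did not match the current version"]}
            store[path] = {"version": current + 1, "data": dict(body["data"])}
            return 200, {"data": {"version": current + 1}}
        if method == "GET" and entry:
            return 200, {"data": {"data": dict(entry["data"]), "metadata": {"version": entry["version"]}}}
        return 404, {"errors": []}
    return transport
```

Against a live server, replace fake_vault with a transport that performs the HTTP request (for example with urllib) and returns the status code and parsed JSON.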