Overview

HashiCorp Vault is a security tool that centralizes the management of secrets and protects sensitive data. It addresses the challenge of securely distributing credentials across modern, distributed infrastructure, particularly in multi-cloud and hybrid environments. Vault provides a consistent workflow for managing secrets, which can range from API keys and database credentials to X.509 certificates and SSH keys. Its architecture is designed to handle dynamic secret generation, ensuring that applications and services receive short-lived, purpose-specific credentials rather than long-lived, static ones.

Vault is suitable for organizations that require fine-grained access control over sensitive data, especially in automated and microservices-based architectures. It supports various authentication methods, enabling both human users and machines to authenticate against Vault using their existing identity providers or infrastructure. Once authenticated, Vault enforces policies to determine what secrets a user or machine can access, and under what conditions. This policy-based access control is a core component of its security model.

The platform offers features such as data encryption in transit and at rest, audit logging, and secret revocation, which are critical for maintaining a strong security posture. Vault's ability to generate dynamic secrets for databases, cloud providers, and other services reduces the risk associated with compromised credentials because these secrets are ephemeral and automatically rotated. For instance, Vault can issue a unique database credential for an application that expires after a set period, limiting the exposure window if that credential were to be compromised. This contrasts with traditional methods where static credentials might be hard-coded or stored in less secure locations.

Vault is deployed as a server and accessed via its API, CLI, or UI. Its pluggable architecture allows for integration with a wide array of systems for authentication, secret storage, and audit logging. For example, it can authenticate users via OpenID Connect (OIDC) with Keycloak, or store secrets in various backends like cloud storage or encrypted filesystems. The open-source version provides core secret management capabilities, while Vault Enterprise offers advanced features like multi-datacenter replication, performance standbys, and governance controls, catering to larger organizations with complex security requirements.

Key features

  • Secure Secret Storage: Encrypts secrets such as API keys, passwords, and certificates before writing them to the storage backend, so the backend itself never holds plaintext.
  • Dynamic Secrets: Generates on-demand secrets for databases, cloud platforms, and other services, which are automatically revoked when their lease expires or when they are explicitly revoked.
  • Data Encryption as a Service: Provides encryption and decryption functions for application data without storing the data itself, enabling secure multi-tenant applications.
  • Leasing and Renewal: All secrets obtained from Vault have a lease, after which they are automatically revoked. Leases can be renewed to extend secret validity.
  • Audit Logging: Records all requests and responses to Vault, providing a comprehensive audit trail for compliance and security monitoring.
  • Authentication Methods: Supports various authentication methods, including Kubernetes, AWS IAM, GitHub, LDAP, and username/password.
  • Authorization (Access Control Policies): Uses fine-grained, path-based policies to control which users or machines can access specific secrets or perform certain operations.
  • Secret Revocation: Allows for immediate revocation of individual secrets, entire secret trees, or all secrets generated by a specific user or application.

Pricing

HashiCorp Vault offers an open-source version, a managed cloud service, and an enterprise edition. Pricing for the managed cloud service is usage-based, while enterprise pricing is custom and depends on specific organizational needs.

  • Vault Open Source: Core secret management capabilities for self-hosted deployments. Pricing model: Free (as of 2026-05-28).
  • Vault Cloud Development tier: Managed service for development and testing environments. Pricing model: Starts at $0.03/hour plus secrets storage (as of 2026-05-28).
  • Vault Cloud Production tier: Managed service for production workloads with higher SLAs. Pricing model: Custom pricing based on usage and features (as of 2026-05-28).
  • Vault Enterprise: Self-managed solution with advanced features for large organizations. Pricing model: Custom pricing (as of 2026-05-28).

For detailed and up-to-date pricing information, refer to the HashiCorp Vault pricing page.

Common integrations

  • Kubernetes: Inject secrets into Kubernetes pods, manage service account tokens, and provide dynamic credentials for applications running in containers.
  • AWS: Generate dynamic IAM credentials, S3 bucket policies, and RDS database credentials.
  • Azure: Manage secrets for Azure Key Vault and generate dynamic credentials for Azure resources.
  • GCP: Provide dynamic service account keys and manage secrets for Google Cloud services.
  • Databases (MySQL, PostgreSQL, MongoDB, etc.): Generate dynamic database user credentials with specific permissions and lifetimes.
  • Consul: Integrate for service discovery and configuration, often deployed alongside Vault.
  • Identity Providers: Authenticate users and machines via LDAP, GitHub, OIDC, and various cloud identity services.

Alternatives

  • CyberArk Conjur: An enterprise-grade solution for machine identity and secret management, focusing on DevOps and cloud environments.
  • AWS Secrets Manager: A cloud-native service for managing secrets used in AWS applications, offering automatic rotation and integration with other AWS services.
  • Azure Key Vault: A cloud service for securely storing and accessing secrets, keys, and certificates within the Azure ecosystem.

Getting started

To begin using HashiCorp Vault, you typically start by initializing and unsealing a Vault server, then authenticating and interacting with it via the CLI or API. The following example demonstrates how to set a secret using the Vault CLI after it has been initialized and unsealed.

# Start a Vault dev server for quick testing (do not use in production).
# This command runs in the foreground, so give it its own terminal.
vault server -dev -dev-listen-address="127.0.0.1:8200"

# In a second terminal, point the CLI at the dev server
export VAULT_ADDR='http://127.0.0.1:8200'

# Log in to the dev server (the root token is printed when the dev server starts)
# Replace <dev_root_token> with the actual token from your console
vault login <dev_root_token>

# The dev server already mounts the KV v2 secrets engine at path 'secret/'.
# On a non-dev server, enable it explicitly at that path first:
#   vault secrets enable -path=secret kv-v2
# (a bare 'vault secrets enable kv' would mount KV v1 at 'kv/', not at 'secret/')

# Write a secret to the path 'secret/myapp/config'
vault kv put secret/myapp/config username=admin password=supersecret

# Read the secret back from the path 'secret/myapp/config'
vault kv get secret/myapp/config

This sequence illustrates the basic workflow: starting a server, authenticating, and then performing secret read/write operations. For production deployments, the setup is more involved, including a durable storage backend, high availability, and a proper seal and unseal mechanism.
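The CLI commands above are thin wrappers over Vault's HTTP API. The following added example (not from this page or from HashiCorp) shows what the KV v2 put/get in the walkthrough look like on the wire, and the lease fields from the "Leasing and Renewal" feature that a client must inspect to decide when a dynamic secret needs renewing. It assumes a KV v2 engine mounted at `secret/`, a token in `VAULT_TOKEN`, and the constructed sample responses embedded below.

```python
"""Minimal KV v2 / lease helpers over the Vault HTTP API (added example)."""
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")
VAULT_TOKEN = os.environ.get("VAULT_TOKEN", "")  # assumption: token supplied via env


def kv2_url(path, addr=VAULT_ADDR, mount="secret"):
    """Map a CLI path such as secret/myapp/config to its KV v2 API URL.
    KV v2 inserts a 'data' segment between the mount and the secret path."""
    prefix = mount.rstrip("/") + "/"
    if not path.startswith(prefix):
        raise ValueError(f"path must start with {prefix}")
    return f"{addr.rstrip('/')}/v1/{prefix}data/{path[len(prefix):]}"


def kv2_put_body(secret):
    """KV v2 expects the key/value pairs wrapped in a 'data' object."""
    return {"data": dict(secret)}


def parse_kv2_read(resp):
    """Return (secret, version, lease_seconds) from a KV v2 read response."""
    inner = resp["data"]
    return inner["data"], inner["metadata"]["version"], resp["lease_duration"]


def renew_after(resp, fraction=2 / 3):
    """Seconds to wait before renewing a leased (dynamic) secret, or None when the
    response carries no renewable lease (static KV reads report lease_duration 0)."""
    ttl = resp.get("lease_duration", 0)
    if not resp.get("renewable") or ttl <= 0:
        return None
    return max(1, int(ttl * fraction))


def vault_call(method, url, body=None, token=VAULT_TOKEN):
    """Issue one authenticated request; Vault reads the token from X-Vault-Token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as r:
        raw = r.read()
        return json.loads(raw) if raw else {}


# Constructed sample responses, shaped like Vault's own (values are placeholders).
SAMPLE_READ = {"lease_id": "", "renewable": False, "lease_duration": 0,
               "data": {"data": {"username": "admin", "password": "supersecret"},
                        "metadata": {"version": 1, "destroyed": False}}}
SAMPLE_DYNAMIC = {"lease_id": "database/creds/myrole/constructed-id",
                  "renewable": True, "lease_duration": 3600,
                  "data": {"username": "v-myrole-constructed", "password": "x"}}
```

Running `vault_call("POST", kv2_url("secret/myapp/config"), kv2_put_body({...}))` against the dev server performs the same write as `vault kv put`; a dynamic credential response such as `SAMPLE_DYNAMIC` should be renewed after `renew_after(resp)` seconds, while a static KV read returns no lease to renew.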