Overview

HashiCorp Vault is a secrets management solution designed to secure, store, and tightly control access to tokens, passwords, certificates, API keys, and other sensitive data in dynamic, multi-cloud environments. Introduced in 2015, Vault addresses the challenge of managing an increasing number of secrets required by applications, users, and infrastructure in modern distributed systems. It provides a unified interface to any secret, while also offering robust encryption-as-a-service capabilities.

Vault operates by centralizing secrets management, allowing organizations to reduce the sprawl of secrets across various systems. It supports a wide range of secret engines, which are components that store, generate, or encrypt secrets. Examples include key-value stores for arbitrary secrets, dynamic generation of database credentials, and creation of on-demand API tokens for cloud providers. This dynamic secret generation capability means that secrets are created just-in-time and revoked automatically after use, minimizing their exposure time and reducing the risk of compromise.

Access to secrets within Vault is governed by an identity-based security model. Vault integrates with various authentication methods, such as enterprise directories (e.g., Active Directory, LDAP), cloud identity providers (e.g., AWS IAM, Azure Active Directory), and Kubernetes service accounts. Policies define what an authenticated entity can access, ensuring that only authorized applications or users can retrieve specific secrets or perform encryption operations. This approach helps enforce the principle of least privilege, a core tenet of robust security practices.

Vault is suitable for organizations operating complex infrastructure, including those leveraging microservices architectures, containers, and serverless functions across multiple cloud providers and on-premises data centers. It is used by developers to secure application secrets, by operations teams to manage infrastructure credentials, and by security teams to enforce compliance and audit access patterns. The open-source version provides core functionality for self-hosting, while HashiCorp Vault Enterprise offers advanced features like multi-datacenter replication, performance standbys, and advanced security controls for large-scale deployments and high-availability requirements.

The solution also provides data encryption capabilities, allowing applications to encrypt and decrypt data without needing direct access to encryption keys. This is achieved through Vault's transit secret engine, which acts as a data encryption service. Data sent to Vault for encryption is returned encrypted, and the keys themselves never leave Vault, enhancing data security for applications handling sensitive information at rest and in transit.

Key features

  • Secrets Management: Securely store, access, and manage static and dynamic secrets such as API keys, passwords, and certificates across diverse environments.
  • Dynamic Secrets: Generate on-demand secrets for databases, cloud platforms, and other services, which are automatically revoked after a specified time or use, reducing the attack surface.
  • Data Encryption as a Service: Encrypt and decrypt data in transit and at rest without exposing encryption keys to applications, using Vault's transit secret engine (HashiCorp Vault Transit Secrets Engine).
  • Identity-Based Access: Authenticate users and applications using various methods (e.g., Kubernetes, AWS IAM, LDAP, GitHub) and control access to secrets via fine-grained policies.
  • Audit Logging: Maintain a detailed, immutable audit trail of all operations performed against Vault, including secret access and policy changes, for compliance and security monitoring.
  • Secret Rotation: Automate the rotation of secrets to enhance security and reduce the risk associated with long-lived credentials.
  • High Availability & Disaster Recovery: Vault Enterprise supports multi-datacenter replication and performance standbys to ensure continuous operation and data redundancy (HashiCorp Vault Replication Concepts).
  • Leasing & Renewal: Secrets issued by Vault have associated leases, requiring periodic renewal or automatic revocation upon expiration, enforcing ephemeral access.

Pricing

HashiCorp Vault offers an open-source version and commercial editions with custom pricing.

Product Description Pricing Model (as of 2026-05-08)
Vault Open Source Core secrets management, dynamic secrets, data encryption, and identity-based access. Self-hosted. Free
Vault Enterprise Includes all open-source features plus advanced capabilities for large-scale deployments, such as multi-datacenter replication, performance standbys, advanced security controls, and premium support. Custom pricing (contact sales)
Vault Cloud Platform Managed service offering of Vault, providing a fully hosted and managed secrets management solution. Custom pricing (contact sales)

For detailed pricing and to obtain a quote for enterprise or cloud platform editions, refer to the HashiCorp Vault pricing page.

Common integrations

  • Cloud Providers: AWS, Azure, Google Cloud for dynamic secret generation (e.g., IAM credentials, database credentials) and identity authentication (Vault AWS Auth Method, Vault Azure Auth Method).
  • Databases: MySQL, PostgreSQL, MongoDB, Cassandra, Oracle for generating dynamic database credentials (Vault Database Secrets Engine).
  • Container Orchestration: Kubernetes for authenticating applications and injecting secrets into pods (Vault Kubernetes Auth Method).
  • Configuration Management: Ansible, Chef, Puppet, Terraform for fetching secrets during infrastructure provisioning and application deployment.
  • Identity Providers: LDAP, Active Directory, Okta, GitHub, GitLab for user and machine authentication (Vault LDAP Auth Method).
  • Message Queues: Kafka for dynamic credential generation.
  • Monitoring & Logging: Splunk, Prometheus, Grafana for auditing and operational insights.

Alternatives

  • AWS Secrets Manager: A fully managed service for storing and retrieving secrets, with integration into AWS services and automatic rotation capabilities (AWS Secrets Manager product page).
  • Azure Key Vault: A cloud service for securely storing and accessing secrets, keys, and certificates, primarily for Azure-based applications and services (Azure Key Vault product page).
  • CyberArk Conjur: An open-source secrets management solution focused on securing secrets for machines and applications, often deployed within enterprise environments (CyberArk Conjur product page).
  • Google Cloud Secret Manager: A fully managed service to store, access, and manage secrets for applications and services running on Google Cloud.
  • HashiCorp Boundary: While also a HashiCorp product, Boundary focuses on secure remote access to systems based on identity, complementing Vault's secrets management by securing the access path to the systems that use secrets.

Getting started

To get started with HashiCorp Vault, you can download and run the open-source version locally. The following example demonstrates how to initialize Vault, unseal it, and then store and retrieve a key-value secret using the command-line interface.

# 1. Start Vault in development mode (for local testing)
vault server -dev

# The output will provide an Unseal Key and Root Token. Keep these secure.
# Example output:
# VAULT_ADDR='http://127.0.0.1:8200'
# VAULT_TOKEN='hvs.YOUR_ROOT_TOKEN'

# 2. Set the VAULT_ADDR environment variable
export VAULT_ADDR='http://127.0.0.1:8200'

# 3. Log in to Vault using the root token from the dev server output
vault login hvs.YOUR_ROOT_TOKEN

# 4. Enable the KV secrets engine at path 'secret/' (if not already enabled)
vault secrets enable -path=secret kv-v2

# 5. Write a secret to the 'secret/applications/webapp' path
vault kv put secret/applications/webapp username=admin password=supersecret

# 6. Read the secret from the 'secret/applications/webapp' path
vault kv get secret/applications/webapp

# Expected output will show the secret data:
# === Data ===
# Key            Value
# ---            -----
# password       supersecret
# username       admin

This basic example illustrates the core workflow of storing and retrieving secrets. For production deployments, Vault requires careful configuration including storage backends, authentication methods, and policy management. Refer to the HashiCorp Vault documentation for comprehensive guides on advanced configurations and integrations.