Vault
By HashiCorp
Vault is HashiCorp's secrets management tool for securely storing, accessing, and rotating sensitive data such as API tokens, database credentials, and TLS certificates, with fine-grained access policies and full audit logging.
Definition
Vault is HashiCorp's secrets management tool for securely storing, accessing, and rotating sensitive data such as API tokens, database credentials, and TLS certificates, with fine-grained access policies and full audit logging.
Overview
Rather than storing secrets in configuration files, environment variables, or source control — all common sources of security incidents — Vault centralizes secret storage behind an API, encrypting everything at rest and enforcing access through identity-based policies. Applications and users authenticate to Vault (via methods like tokens, Kubernetes service accounts, or cloud IAM roles on AWS) and are granted narrowly scoped permissions to read only the specific secrets their policy allows. One of Vault's more distinctive capabilities is dynamic secrets: instead of storing a long-lived database password, Vault can generate short-lived, unique credentials on demand for a database or cloud provider, automatically revoking them after a set time-to-live. This significantly reduces the blast radius if a credential leaks, since it's both narrowly scoped and short-lived rather than a permanent shared secret. Vault also handles encryption as a service (letting applications encrypt/decrypt data without managing their own key infrastructure), PKI certificate issuance, and secret leasing and renewal, and is commonly deployed alongside Terraform for provisioning and integrated into CI/CD pipelines so that credentials never need to be hard-coded. It fits naturally into broader security and compliance work covered in courses like Cloud Security Fundamentals.
Key Features
- Centralized, encrypted storage for secrets, tokens, and certificates
- Fine-grained, identity-based access policies for who can read which secrets
- Dynamic secrets that generate short-lived, auto-revoked credentials on demand
- Encryption-as-a-service for applications that need to encrypt data without managing keys
- Built-in PKI engine for issuing and managing TLS certificates
- Multiple authentication methods including Kubernetes, cloud IAM, and tokens
- Full audit logging of every secret access request
- Secret leasing, renewal, and automatic revocation