Vault
Security Plane
Secrets
HashiCorp Vault is an identity-based secrets management and data protection platform that centralizes access control over sensitive credentials, encryption keys, and certificates, helping organizations eliminate secret sprawl and enforce consistent security policies.
What is Vault?

HashiCorp Vault is an identity-based secrets management and data protection platform that provides centralized access control over sensitive credentials, encryption keys, and certificates.

Profile

HashiCorp Vault is an identity-based secrets management and data protection platform that provides centralized access control over sensitive credentials, encryption keys, and certificates. The platform has evolved from its origins as an open-source project into an enterprise-grade solution adopted by major organizations across industries. Vault's core value proposition lies in its ability to eliminate secret sprawl through dynamic credential generation, automated lifecycle management, and comprehensive audit capabilities while providing a unified interface for accessing and securing sensitive data across distributed systems.

Focus

Vault addresses the fundamental challenge of securely managing sensitive credentials in modern distributed architectures. The platform eliminates the security risks of static credentials and scattered secrets by providing centralized policy enforcement, dynamic secret generation, and automated credential lifecycle management. It serves platform engineers, security teams, and application developers who need to implement secure access control and audit capabilities across cloud-native environments. Key benefits include reduced attack surface through time-bound credentials, simplified compliance through comprehensive audit logging, and consistent security policy enforcement across diverse infrastructure.

Background

HashiCorp developed Vault to solve secrets management challenges in modern infrastructure, launching it as an open-source project under the Mozilla Public License. The tool gained widespread adoption among organizations building cloud-native infrastructure, becoming a critical component in enterprise security architectures. Following HashiCorp's transition to the Business Source License and subsequent acquisition by IBM, Vault continues active development with regular feature enhancements and security updates, now operating as part of IBM's hybrid cloud portfolio while maintaining its distinct development and governance model.

Main features

Dynamic secrets generation and lifecycle management

The dynamic secrets engine automatically generates short-lived credentials on demand for various systems including cloud platforms, databases, and PKI infrastructure. Rather than storing static credentials, Vault creates unique, time-bound credentials when applications request access, then automatically revokes them when the lease expires. This architecture eliminates the risk of credential theft and simplifies access management through automated lifecycle control. The system supports multiple backend types, each providing specialized credential generation appropriate to the target system, while maintaining consistent policy enforcement and audit logging across all credential types.

Identity-based access control and authentication

Vault implements a sophisticated identity-based security model that separates authentication from authorization through a flexible policy framework. The system supports multiple authentication methods including cloud provider IAM, Kubernetes service accounts, certificates, and traditional username/password combinations. Once authenticated, identities are mapped to policies that define precise access permissions using HashiCorp Configuration Language (HCL). This architecture enables fine-grained access control while supporting enterprise authentication requirements through integration with existing identity providers and multi-factor authentication systems.

Encryption as a service with centralized key management

The platform provides encryption as a service capabilities through its transit secrets engine, enabling applications to perform cryptographic operations without managing encryption keys directly. This feature supports multiple encryption algorithms and key types while ensuring keys never leave Vault's security boundary. Applications can encrypt sensitive data before storage while Vault handles key rotation, versioning, and access control. The architecture includes support for automated key rotation and secure key storage with optional HSM integration, enabling organizations to implement consistent encryption practices across their application portfolio.
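The three features above meet in a Vault policy: an authenticated identity is mapped to an HCL policy, and that policy decides which dynamic-secret and transit paths the identity may touch. The following policy is an added example (not from this page or from HashiCorp's own documentation) for a hypothetical "orders" service; the role name `app-readonly` and key name `orders-key` are assumptions.

```hcl
# Least-privilege Vault policy for a hypothetical "orders" service.
# The database role (app-readonly) and transit key (orders-key) are assumed
# names for this example; attach the policy to an auth role (for example a
# Kubernetes auth role) so the identity-to-policy mapping is what grants access.

# Dynamic secrets: reading this path makes Vault generate a fresh, time-bound
# database credential bound to a lease; no static password is ever stored.
path "database/creds/app-readonly" {
  capabilities = ["read"]
}

# Lease lifecycle: the service may renew its own credential lease before it
# expires. Revocation still happens automatically when the lease runs out.
path "sys/leases/renew" {
  capabilities = ["update"]
}

# Encryption as a service: the service can encrypt and decrypt with one named
# transit key but never reads or exports the key material itself.
path "transit/encrypt/orders-key" {
  capabilities = ["update"]
}
path "transit/decrypt/orders-key" {
  capabilities = ["update"]
}

# Key management (read, rotate, reconfigure, export) stays with the key owners.
# Vault denies by default, but an explicit deny also wins over any broader grant
# merged in from another policy attached to the same token.
path "transit/keys/orders-key*" {
  capabilities = ["deny"]
}
path "transit/export/*" {
  capabilities = ["deny"]
}

# Anti-pattern, shown for contrast and intentionally left as a comment:
# path "transit/*" { capabilities = ["create", "read", "update", "delete", "list"] }
# would let the same token create, rotate, export and delete every transit key.
```

Every read of `database/creds/app-readonly` and every transit call made under this policy is recorded by Vault's audit devices, which is what turns the least-privilege grant into evidence during an investigation.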