Favicon of vault

vault

Secrets management tool providing secure storage, dynamic secret generation, encryption as a service, and detailed audit logging.

Vault is a tool for securely accessing secrets: API keys, passwords, certificates, and anything else you want to tightly control access to. It provides a unified interface to any secret while enforcing access control and recording a detailed audit log, aimed at teams running modern, service-oriented systems where understanding who has access to what secret is otherwise difficult and platform-specific.

Key features

  • Secure secret storage: Vault stores arbitrary key/value pairs, encrypting data before writing it to persistent storage, so access to the raw storage backend alone isn't enough to read secrets. It can write to disk, Consul, and other backends.
  • Dynamic secrets: For systems like AWS or SQL databases, Vault can generate credentials on demand. When an application needs access to an S3 bucket, for example, Vault generates a scoped AWS keypair and automatically revokes it once its lease expires.
  • Data encryption as a service: Vault can encrypt and decrypt data without storing it, letting security teams define encryption parameters centrally while developers store encrypted data wherever they need to, without designing their own encryption scheme.
  • Leasing and renewal: Every secret is issued with a lease. Vault automatically revokes secrets at the end of their lease, and clients can renew leases through built-in APIs before they expire.
  • Revocation: Vault supports revoking not just individual secrets but an entire tree of secrets, for example everything read by a specific user or all secrets of a given type, which is useful for key rolling or locking down a system during an active intrusion.
  • Detailed audit logging: Every secret access is recorded, giving a clear record of who accessed what and when.

Ideal use cases

Vault fits organizations running service-oriented or microservice architectures that need a central, auditable place to manage database credentials, API keys, and inter-service secrets, especially where manual secret rotation and ad hoc access tracking have become unmanageable. Its dynamic secrets feature is particularly valuable for cloud infrastructure and databases, since credentials can be generated on demand and automatically revoked rather than living indefinitely in a config file.

It's a substantial piece of infrastructure to operate correctly. Vault requires understanding of leasing, backend storage choices, and access policies, and getting the operational model wrong (for example, mismanaging unseal keys or storage backends) can lock you out of your own secrets. For a single small application with a handful of static credentials, a simpler secrets solution may be enough; Vault's value grows with the number of services, secret types, and access boundaries you need to manage.

Installation

Vault provides both an open source edition and Vault Enterprise; check the HashiCorp website for downloads and packaged releases in most environments.

To build Vault from source for development, you'll need Go installed, with GOPATH and GOBIN configured and $GOPATH/bin on your path. Clone the repository outside your GOPATH, since Vault uses Go Modules, then bootstrap the build tools:

make bootstrap

Build a development binary with:

make dev
bin/vault

To include the UI in your development build:

make static-dist dev-ui
bin/vault

Run the test suite, which requires Docker:

make test

To scope tests to a specific package:

make test TEST=./vault

Acceptance tests exercise real secret and auth method integrations and can create, modify, or destroy actual resources, which may incur real costs; run them at your own risk, ideally in a dedicated test account:

make testacc TEST=./builtin/logical/consul

The repository also publishes two importable Go libraries, github.com/hashicorp/vault/api and github.com/hashicorp/vault/sdk, though importing the main Vault module itself into other projects is not a supported usage pattern. For programming language-specific examples of interacting with a running Vault server, see the separate vault-examples repository and the hello-vault-go sample application.

Frequently asked questions

Share:

Stars
35.9K
Forks
4.7K
Last commit
13 hours ago
Repository age
11 years
Self-hosted
No
Activity score
85/100
View Repository
Built with:

Similar to vault

Favicon

 

  
  
Favicon

 

  
  
Favicon