HashiCorp Vault
Industry-standard identity-based secrets management — dynamic secrets, encryption-as-a-service, and PKI.
Overview
Vault is the most feature-rich secrets management platform, providing dynamic secrets (short-lived, auto-revoked credentials), encryption-as-a-service (Transit), PKI certificate management, and centralized identity-based access control. It supports multi-cloud, hybrid, and Kubernetes environments.
Key Facts
| Attribute | Detail |
|---|---|
| Website | vaultproject.io |
| Stars | ~31k+ ⭐ |
| Latest Version | v1.21.4 (March 2026) |
| Language | Go |
| License | ⚠️ BSL 1.1 (same as Terraform) |
| Company | HashiCorp (IBM) |
| OSS Fork | OpenBao (Linux Foundation) |
Evaluation
| Pros | Cons |
|---|---|
| Dynamic secrets — most powerful feature | ⚠️ BSL 1.1 license |
| Encryption-as-a-service (Transit) | Complex to operate (unseal, HA, DR) |
| PKI / certificate management | Heavyweight for simple use cases |
| 100+ auth methods and secret engines | Enterprise features require paid license |
| Audit logging, namespaces | OpenBao fork fragmenting ecosystem |
| Integrated Storage (Raft) | |
Architecture
```mermaid
flowchart TB
    subgraph Vault_A["Vault Cluster"]
        API_V["API Server\n(HTTP/gRPC)"]
        Barrier["Encryption Barrier"]
        Storage_V["Storage Backend\n(Raft / Consul)"]
        SE["Secret Engines\n(KV, Transit, PKI, DB, AWS...)"]
        Auth["Auth Methods\n(K8s, OIDC, AppRole, LDAP...)"]
    end
    App["Application"] -->|"authenticate"| Auth
    Auth -->|"token"| API_V
    App -->|"read/write secret"| API_V
    API_V --> Barrier -->|"encrypted"| Storage_V
    API_V --> SE
    style Vault_A fill:#000,color:#fff
    style Barrier fill:#f9a825,color:#000
```
Key Features
| Feature | Detail |
|---|---|
| Dynamic secrets | Auto-generated, short-lived DB/cloud creds |
| Transit | Encrypt/decrypt without exposing keys |
| PKI | Full CA, intermediate CAs, cert issuance |
| KV v2 | Versioned key-value secret storage |
| Database secrets | Dynamic creds for PG, MySQL, MongoDB, etc. |
| Cloud secrets | Dynamic AWS IAM, GCP SA, Azure creds |
| K8s auth | Service account → Vault token |
| Namespaces | Multi-tenant isolation (Enterprise) |