
Vault

Industry-standard identity-based secrets management — dynamic secrets, encryption-as-a-service, and PKI.

Overview

Vault is a widely deployed, identity-based secrets management platform and among the most feature-rich available. Its distinguishing capabilities are dynamic secrets (credentials created on demand, short-lived, and revoked automatically when their lease ends), encryption-as-a-service (Transit), PKI certificate management, and centralized access control in which every client first authenticates through an auth method and receives a token bound to policies. It runs in multi-cloud, hybrid, and Kubernetes environments.

Key Facts

| Attribute | Detail |
| --- | --- |
| Website | vaultproject.io |
| Stars | ~31k+ ⭐ |
| Latest Version | v1.21.4 (March 2026) |
| Language | Go |
| License | ⚠️ BSL 1.1 (same as Terraform) |
| Company | HashiCorp (IBM) |
| OSS Fork | OpenBao (Linux Foundation) |

Evaluation

| Pros | Cons |
| --- | --- |
| Dynamic secrets — most powerful feature | ⚠️ BSL 1.1 license |
| Encryption-as-a-service (Transit) | Complex to operate (unseal, HA, DR) |
| PKI / certificate management | Heavyweight for simple use cases |
| 100+ auth methods and secret engines | Enterprise features require paid license |
| Audit logging, namespaces | OpenBao fork fragmenting ecosystem |
| Integrated Storage (Raft) | |

Architecture

flowchart TB
    subgraph Vault_A["Vault Cluster"]
        API_V["API Server\n(HTTP/gRPC)"]
        Barrier["Encryption Barrier"]
        Storage_V["Storage Backend\n(Raft / Consul)"]
        SE["Secret Engines\n(KV, Transit, PKI, DB, AWS...)"]
        Auth["Auth Methods\n(K8s, OIDC, AppRole, LDAP...)"]
    end

    App["Application"] -->|"authenticate"| Auth
    Auth -->|"token"| App
    App -->|"read/write secret (X-Vault-Token)"| API_V
    API_V --> Barrier -->|"encrypted"| Storage_V
    API_V --> SE

    style Vault_A fill:#000,color:#fff
    style Barrier fill:#f9a825,color:#000

Key Features

| Feature | Detail |
| --- | --- |
| Dynamic secrets | Auto-generated, short-lived DB/cloud creds, revoked when the lease ends |
| Transit | Encrypt/decrypt, sign/verify, HMAC and data-key generation without exposing keys |
| PKI | Root and intermediate CAs, certificate issuance, CRL and OCSP |
| KV v2 | Versioned key-value secret storage with check-and-set |
| Database secrets | Dynamic creds for PG, MySQL, MongoDB, etc.; static roles with scheduled rotation |
| Cloud secrets | Dynamic AWS IAM, GCP SA, Azure creds |
| K8s auth | Service account JWT → Vault token |
| Namespaces | Multi-tenant isolation (Enterprise) |

Notes


Sources


Questions

Answered

  • Q: Can Vault auto-unseal? -- Yes. Vault can unseal itself with an external key manager: AWS KMS, GCP Cloud KMS, Azure Key Vault, OCI KMS, the Transit secrets engine of another Vault cluster, or a PKCS#11 HSM (the HSM seal requires Enterprise). The root key is wrapped by the external key, so operators no longer enter Shamir key shares after every restart; Vault instead issues recovery keys, which authorize privileged operations such as generating a root token but cannot unseal. The trade-off is that the key manager becomes both an availability dependency (Vault cannot start while the KMS is unreachable) and a trust boundary (anyone allowed to use the KMS key can unseal Vault), so its access policy and audit trail deserve the same scrutiny as Vault's own.

  • Q: What is the difference between KV v1 and KV v2? -- KV v1 is a plain key-value store: a write overwrites the previous value and no history is kept. KV v2 keeps a configurable number of versions per secret (max_versions), supports check-and-set (a write carrying options.cas is rejected unless the expected version matches the current one, so concurrent writers cannot silently clobber each other), distinguishes soft delete (recoverable with undelete) from destroy (data irrecoverably removed), and stores custom metadata separately. This changes the API and policy paths: for a mount at secret/, a secret at payments/db is read and written at secret/data/payments/db, its version history and custom metadata live at secret/metadata/payments/db, and delete/, undelete/ and destroy/ endpoints sit alongside. ACL policies must grant these prefixed paths rather than the bare logical path, and a read response nests the key-value pairs under data.data.

  • Q: What happens when a Vault node fails in a Raft cluster? -- A Vault cluster has a single active node; the others are standbys that forward client requests to it (only Enterprise performance standbys answer reads themselves). If a standby (Raft follower) fails, the cluster keeps serving unchanged as long as a majority of voters remains. If the active node (Raft leader) fails, the remaining voters elect a new leader, which takes over as the active node; clients see a brief interruption during failover and should retry. Quorum is a majority, floor(n/2)+1: a 3-node cluster tolerates one failure and a 5-node cluster two, which is why clusters are sized with an odd number of voters. Losing quorum makes the cluster unavailable until enough nodes return, since Raft will not commit writes without a majority. A recovered node rejoins as a follower once it is unsealed (automatically with auto-unseal, by operators with Shamir shares) and catches up from the leader's log or a snapshot.

  • Q: How does Vault handle secret rotation? -- Dynamic secrets (Database, AWS, GCP, Azure engines) are generated per request with a lease; when the lease expires or is revoked, Vault deletes the credential at the backend, so rotation is simply obtaining a new lease. PKI certificates behave differently: they carry their own validity period and expire at notAfter, and Vault revokes them (CRL/OCSP) only when explicitly asked, because PKI leases are disabled by default. The Database engine additionally offers static roles, where Vault rotates an existing account's password on a fixed schedule, and rotate-root endpoints to rotate the credential Vault itself uses to reach the database. Static KV secrets are never rotated by Vault; external automation must write the new version and then restart or re-render dependent workloads (for example through Vault Agent templates).

  • Q: What is the Transit engine used for? -- Transit is encryption-as-a-service: applications send plaintext and receive ciphertext (or the reverse) over the API, and the keys stay inside Vault unless a key was deliberately created as exportable. Ciphertexts carry a key-version prefix (vault:v1:...), so after a key is rotated Vault continues to decrypt older versions down to min_decryption_version, and a rewrap endpoint upgrades stored ciphertexts to the current version without ever returning plaintext. Beyond encrypt/decrypt, Transit offers convergent encryption (equal plaintexts yield equal ciphertexts, for searchable fields), context-derived keys, HMAC, sign/verify, and data-key generation for envelope encryption, where Vault returns a fresh data key both in plaintext and wrapped so that large payloads are encrypted locally and only the small wrapped key round-trips through Vault. Typical uses are database fields, API payloads and other application-level data whose key management should not live in the application.

  • Q: What is the difference between DR and Performance replication? -- Both are Enterprise features that stream data from one primary to secondaries, but they replicate different things. Disaster Recovery replication copies everything, including tokens and leases, so a promoted DR secondary is a drop-in replacement for the primary and existing client tokens keep working; until promotion it serves no client requests. Performance replication copies configuration and secrets but not tokens or leases: a performance secondary issues its own tokens, answers reads locally, can host local (non-replicated) mounts, and forwards writes to replicated paths to the primary. Mount and path filters restrict which secrets reach a given secondary, which is how data-residency constraints are met.
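The rotation and Transit answers above leave two jobs to the application: treating key versions correctly after a rotate, and doing the local half of envelope encryption when a payload should not round-trip through Vault. The Go program below is an added example, not code from this page or from HashiCorp. It parses the vault:v<N>: prefix to decide which stored ciphertexts need a transit/rewrap call, refuses ciphertexts that have fallen below min_decryption_version, and performs the AES-256-GCM half of envelope encryption; the data key and wrapped key are constructed stand-ins for a transit/datakey/plaintext response, and no Vault server is contacted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// EnvelopeRecord is what the application persists: the payload encrypted locally under
// a data key, plus that key wrapped by Transit. The plaintext key lives only in memory.
type EnvelopeRecord struct {
	WrappedKey string // Transit ciphertext of the 32-byte data key, "vault:v<N>:<base64>"
	Nonce      []byte
	Ciphertext []byte
}

// TransitKeyVersion parses the key version from Transit's ciphertext prefix
// ("vault:v<N>:<base64>"), the one thing a ciphertext reveals and the hook for rewraps.
func TransitKeyVersion(ct string) (int, error) {
	parts := strings.SplitN(ct, ":", 3)
	if len(parts) != 3 || parts[0] != "vault" || !strings.HasPrefix(parts[1], "v") {
		return 0, errors.New("not a Transit ciphertext")
	}
	v, err := strconv.Atoi(parts[1][1:])
	if err != nil || v < 1 {
		return 0, errors.New("malformed Transit key version")
	}
	return v, nil
}

// NeedsRewrap classifies a stored ciphertext after the Transit key has been rotated:
// below the current version it should go through transit/rewrap/<key>; below
// min_decryption_version it is already unrecoverable, the failure to catch before raising that setting.
func NeedsRewrap(ct string, currentVersion, minDecryptionVersion int) (bool, error) {
	v, err := TransitKeyVersion(ct)
	if err != nil {
		return false, err
	}
	if v < minDecryptionVersion {
		return false, fmt.Errorf("key version %d is below min_decryption_version %d: ciphertext is unrecoverable", v, minDecryptionVersion)
	}
	return v < currentVersion, nil
}

// SealEnvelope encrypts payload with AES-256-GCM under dataKey, the plaintext half of a
// transit/datakey/plaintext/<key> response; wrappedKey is the other half and is stored
// alongside. aad binds the record to its context (row id, tenant) so ciphertexts cannot be swapped between records.
func SealEnvelope(dataKey []byte, wrappedKey string, payload, aad []byte) (*EnvelopeRecord, error) {
	if len(dataKey) != 32 {
		return nil, errors.New("Transit data keys are 256 bits; refusing other lengths")
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &EnvelopeRecord{WrappedKey: wrappedKey, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, payload, aad)}, nil
}

// OpenEnvelope decrypts a record once the data key has been unwrapped via
// transit/decrypt/<key>. A wrong key, tampered ciphertext or mismatched aad fails.
func OpenEnvelope(dataKey []byte, rec *EnvelopeRecord, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, aad)
}

func main() {
	// Constructed stand-in for a transit/datakey/plaintext response; in production both
	// halves come from Vault and only the wrapped half is written to storage.
	dataKey := make([]byte, 32)
	_, _ = rand.Read(dataKey)
	wrapped := "vault:v2:" + base64.StdEncoding.EncodeToString([]byte("constructed wrapped DEK"))
	rec, err := SealEnvelope(dataKey, wrapped, []byte("4111 1111 1111 1111"), []byte("customer:42"))
	fmt.Println("sealed:", err)
	pt, err := OpenEnvelope(dataKey, rec, []byte("customer:42"))
	fmt.Printf("opened: %q %v\n", pt, err)
	// After `vault write -f transit/keys/<key>/rotate` the key is at v3: this record needs a rewrap.
	rewrap, err := NeedsRewrap(rec.WrappedKey, 3, 1)
	fmt.Println("needs rewrap:", rewrap, err)
}
```

In production the plaintext data key comes from transit/datakey/plaintext/<key>, is used once and then zeroed; only rec.WrappedKey is stored, and decryption starts by sending that value to transit/decrypt/<key>. Running NeedsRewrap over stored records belongs in the rotation runbook, before min_decryption_version is raised, because anything it reports as unrecoverable is lost once that setting moves past it.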

Open

  • Q: How does Vault integrate with Kubernetes without the Vault agent? -- Through the Kubernetes auth method. A pod POSTs its projected ServiceAccount JWT together with a role name to auth/kubernetes/login; Vault validates the token (via the Kubernetes TokenReview API, or locally against the cluster's JWT issuer keys) and checks that the ServiceAccount name and namespace are bound to that role before issuing a Vault token carrying the role's policies. The application then calls the secrets API directly with that token in the X-Vault-Token header, renewing it or logging in again before its TTL expires. Vault Agent (sidecar or injector), the CSI provider (vault-csi-provider) and the Vault Secrets Operator perform the same login on the application's behalf and deliver secrets as files or Kubernetes Secrets when the application code cannot be changed.

  • Q: What are the operational considerations when migrating from Consul to Integrated Raft Storage? -- vault operator migrate copies data between storage backends using a small migration config with a storage_source (Consul) and a storage_destination (Raft) stanza. It is an offline operation: Vault must be stopped for the duration of the copy, so plan a maintenance window rather than a rolling update. Afterwards, point the server configuration's storage stanza at raft (path, node_id, retry_join), start the nodes, unseal them, and let the followers join the new leader; Consul is then no longer a dependency. Provision disk for the Raft log and snapshots, schedule regular vault operator raft snapshot save backups (they now replace Consul's snapshots as your recovery point), and confirm with vault operator raft list-peers that every node is a voter before decommissioning Consul.
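The Kubernetes-auth answer above, together with the KV v2 answer in the Answered list, is clearest as the actual HTTP exchange. The Go program below is an added example, not code from this page or from HashiCorp: it logs in at auth/kubernetes/login with a ServiceAccount JWT and role, then reads a KV v2 secret at the data/-prefixed path and unpacks the nested data.data response. Because it must run offline, it talks to a constructed in-process fake (NewFakeVault) that mimics only those two endpoints; the mount names kubernetes and secret, the role payments, the secret path payments/db, the JWT and the token value are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Client is a minimal Vault HTTP client over the documented REST paths; no SDK needed.
type Client struct{ Addr, Token string; HTTP *http.Client }

// do sends JSON to /v1/<path>, adds X-Vault-Token once we hold one, and decodes
// a 2xx reply into out; any other status is surfaced as an error.
func (c *Client) do(method, path string, in, out any) error {
	var body []byte
	if in != nil {
		body, _ = json.Marshal(in)
	}
	req, err := http.NewRequest(method, c.Addr+"/v1/"+path, bytes.NewReader(body))
	if err != nil {
		return err
	}
	if c.Token != "" {
		req.Header.Set("X-Vault-Token", c.Token)
	}
	resp, err := c.HTTP.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode/100 != 2 {
		return fmt.Errorf("%s /v1/%s: HTTP %d", method, path, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// LoginKubernetes trades the pod's projected ServiceAccount JWT for a Vault token
// via auth/<mount>/login; the Vault role must be bound to that SA and namespace.
func (c *Client) LoginKubernetes(mount, role, jwt string) error {
	var r struct{ Auth struct{ ClientToken string `json:"client_token"` } `json:"auth"` }
	if err := c.do("POST", "auth/"+mount+"/login", map[string]string{"role": role, "jwt": jwt}, &r); err != nil {
		return err
	}
	if r.Auth.ClientToken == "" {
		return fmt.Errorf("login returned no client_token")
	}
	c.Token = r.Auth.ClientToken // every later call is made as this token
	return nil
}

// ReadKVv2 reads <mount>/data/<path>. The data/ segment and the nested data.data /
// data.metadata.version are KV v2 specifics; ACL policies must name data/ paths too.
func (c *Client) ReadKVv2(mount, path string) (map[string]string, int, error) {
	var r struct {
		Data struct {
			Data     map[string]string `json:"data"`
			Metadata struct{ Version int `json:"version"` } `json:"metadata"`
		} `json:"data"`
	}
	if err := c.do("GET", mount+"/data/"+path, nil, &r); err != nil {
		return nil, 0, err
	}
	return r.Data.Data, r.Data.Metadata.Version, nil
}

// NewFakeVault is a constructed in-process stand-in for a Vault server (one bound
// role, one KV v2 secret, token required to read it) so the client runs offline.
func NewFakeVault() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in struct{ Role, JWT string }
		if json.NewDecoder(r.Body).Decode(&in) != nil || in.Role != "payments" || in.JWT == "" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"auth":{"client_token":"hvs.constructed","lease_duration":3600}}`)
	})
	mux.HandleFunc("/v1/secret/data/payments/db", func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Vault-Token") != "hvs.constructed" {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"data":{"data":{"username":"app","password":"s3cr3t"},"metadata":{"version":4}}}`)
	})
	return httptest.NewServer(mux)
}

func main() {
	srv := NewFakeVault()
	defer srv.Close()
	c := &Client{Addr: srv.URL, HTTP: srv.Client()}
	// A pod reads the JWT from /var/run/secrets/kubernetes.io/serviceaccount/token; this one is constructed.
	err := c.LoginKubernetes("kubernetes", "payments", "eyJ.constructed.jwt")
	data, version, rerr := c.ReadKVv2("secret", "payments/db")
	fmt.Println("login:", err, "secret:", data, "version:", version, "read:", rerr)
}
```

Against a real cluster, replace srv.URL with VAULT_ADDR, read the JWT from the projected token file, and renew or log in again before lease_duration elapses; the X-Vault-Token header, the login body fields and the data/ path segment are exactly what the real API expects, and a policy granting only secret/payments/db would still yield permission denied because KV v2 serves the secret at secret/data/payments/db.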