HashiCorp Vault Secrets Management


www.hashicorp.com


About this website

HashiCorp Vault is a secrets management and encryption platform that provides a unified API for managing, storing, and accessing secrets (API keys, passwords, certificates, encryption keys) across infrastructure. Developed by HashiCorp (headquartered in San Francisco, California, founded by Mitchell Hashimoto and Armon Dadgar in 2012) and first released in 2015, Vault is written in Go and designed for cloud-native, hybrid, and on-premises environments.

Key features:

Secrets storage: Vault stores secrets as key-value pairs in an encrypted backend, and secrets are never written to disk in plaintext. All data is encrypted using AES-256-GCM with a master key that is itself protected by a key-splitting algorithm (Shamir's Secret Sharing).

Secret engines: pluggable engines for different secret types, including KV (key-value static secrets), dynamic secrets (on-demand generation of database credentials, AWS IAM keys, SSH certificates), Transit (encryption-as-a-service for encrypting data without storing it), Identity (identity-based secrets), PKI (X.509 certificate authority), SSH (SSH certificate signing), AWS, GCP, Azure, database (MySQL, PostgreSQL, MongoDB, Cassandra), and TOTP (time-based one-time passwords).

Authentication methods: pluggable auth methods, including AppRole (for machines), LDAP/Active Directory, OIDC, JWT, Kubernetes Service Accounts, AWS IAM, GCP IAM, Azure, GitHub, TLS certificates, and usernames/passwords.

Dynamic secrets: short-lived, auto-revoking credentials are generated on demand, reducing the risk of credential theft.

Lease management: all secrets have leases with automatic revocation.

Encryption-as-a-service: data is encrypted and decrypted via the API without applications handling keys.

Audit logging: all Vault operations are logged to audit devices (file, syslog, socket).

Policies: role-based access control (RBAC) using HashiCorp Configuration Language (HCL) policies.

Replication: for disaster recovery.

License: BSL-1.1.
