Vault Secrets Management
github.com
About this website
Vault is a free and open-source secrets management tool designed to securely store, manage, and control access to tokens, passwords, certificates, encryption keys, and other sensitive data. Created by Mitchell Hashimoto and Armon Dadgar at HashiCorp in 2015, Vault provides a unified interface for secrets management across infrastructure, applications, and services.

Key features:

Secrets storage: Vault stores secrets as key-value pairs, supporting both static secrets (manually configured credentials) and dynamic secrets (generated on-demand with automatic expiration). Secrets are encrypted at rest using AES-256-GCM and in transit using TLS.

Secret engines: pluggable modules for different secret types. Key-Value engine for generic secret storage. Database engine dynamically generates database credentials. PKI engine acts as a Certificate Authority for X.509 certificates. Transit engine provides encryption-as-a-service (encrypt/decrypt without exposing keys). SSH engine manages SSH key signing. AWS/GCP/Azure engines generate temporary cloud credentials.

Identity-based access control: Vault authenticates users and applications via auth methods (Token, AppRole, LDAP, OIDC, Kubernetes, AWS IAM, GitHub, TLS certificates). Authenticated identities are mapped to policies using HCL-based policy language defining fine-grained access rules (path, capabilities: create, read, update, delete, list, sudo).

Leasing and renewal: all secrets have leases with TTL (Time To Live). Dynamic secrets are automatically revoked when the lease expires.

Audit logging: all requests and responses are logged to audit devices (file, syslog) with sensitive values hashed.

High availability: Raft consensus algorithm for clustered deployments with integrated storage.

Seal/Unseal: Vault starts sealed; unsealing requires a quorum of key shares (Shamir's Secret Sharing).

Go. MPL-2.0.