HashiCorp Vault

Enterprise secrets management tool that secures, stores, and controls access to tokens, passwords, certificates, and encryption keys via UI, CLI, or HTTP API.

HashiCorp Vault is an identity-based secrets and encryption management system. It provides a unified interface to manage credentials, API keys, certificates, and other sensitive data across distributed infrastructure. Vault integrates with trusted identity providers to authenticate and authorize access to secrets, supporting both human and machine identities.

What it does

Vault operates as a centralized secrets management platform with multiple secrets engines. The key-value engine stores static secrets like API keys and passwords. The database secrets engine dynamically generates short-lived database credentials with automatic rotation. The transit engine provides encryption-as-a-service, allowing applications to encrypt data without managing keys. Enterprise features include tokenization and data transformation for compliance scenarios.

Authentication methods include Kubernetes, cloud IAM (AWS, Azure, GCP), LDAP, Active Directory, OIDC, and various token-based approaches. Once authenticated, policies written in HashiCorp Configuration Language (HCL) govern which secrets each identity can access.

Deployment options

Vault supports multiple deployment models. The open-source version runs on bare metal, virtual machines, or containers. Official Docker images and Helm charts simplify Kubernetes deployments. HCP Vault Dedicated provides a fully managed SaaS option on HashiCorp Cloud Platform. For air-gapped environments, Vault Enterprise supports replication across regions and disaster recovery configurations.

Storage backends include integrated Raft consensus (recommended), Consul, PostgreSQL, MySQL, and cloud storage services. The Raft backend eliminates external dependencies for most deployments.

Use cases

Manufacturing environments use Vault to secure machine-to-machine communication in Industry 4.0 deployments. IoT devices authenticate via Vault to obtain temporary credentials for MQTT brokers or time-series databases. CI/CD pipelines retrieve signing certificates and registry credentials without hardcoding secrets. OT/IT convergence scenarios benefit from Vault's ability to bridge traditional enterprise identity systems with modern cloud-native infrastructure.

Limitations

  • BSL license restrictions: Source-available under Business Source License 1.1, not OSI-compliant open source; production use requires paid license after evaluation period
  • Operational complexity: Requires careful cluster sizing, storage backend tuning, and disaster recovery planning for production workloads
  • Cold start latency: Seal/unseal operations and leader election can cause brief availability gaps during restarts or failover events
  • Enterprise feature gating: Advanced capabilities like transform secrets engine, multi-region replication, and HSM integration require Enterprise license
  • Learning curve: Policy syntax, authentication workflows, and secrets engine configuration require dedicated training for operations teams

Kind: Software
Vendor: HashiCorp
License: Proprietary
Website: www.vaultproject.io