Features
Whether you’re starting with storing static secrets, or are ready to adopt dynamic credentials, automate certificate management, and offer data encryption as a service, Vault helps reduce security risks and build operations to scale.
Get started with secrets management.
Centrally store, manage, deploy, and rotate static key/value pair secrets across applications, services, systems, and infrastructure residing on-premises or in multi-cloud environments.
Create namespaces to implement secure multi-tenancy. Provide least-privilege access and isolation while ensuring teams can self-manage their own environments.
Leverage authentication methods to assign user policies. Vault enforces authentication as part of the request processing and delegates administration to the relevant configured external auth method.
Connect to a deep ecosystem of partners and trusted identity providers to authenticate to Vault and leverage observability integrations to monitor the usage.
Leverage multiple identities across different platforms with single policy enforcement for access management.
Limit exposure with dynamic secrets and improved performance.
Reduce risk by leveraging dynamic or ephemeral secrets that are generated on demand and can be configured to each unique application, machine, or user for just-in-time, short-lived secrets.
Enable multi-server mode for high availability (HA) for your disaster recovery strategy. This allows configuration across availability zones or regions to protect against outages by running multiple Vault servers.
Leverage Vault to consolidate credentials, manage secrets sprawl across multiple cloud service providers, and automate secrets policies across services.
Deliver your Vault cluster to multiple regions with just a few steps. Support applications that are distributed globally and reduce latency to your secrets.
Meet policy and governance requirements with configurable multi-factor authentication (MFA) to outsource secondary authentication for your application or service to a provider.
Expand secrets management and security across HashiCorp products like Terraform, Boundary, and Consul to tie access policies to tokens or identities, issue and revoke JIT credentials, and authenticate apps and services.
Implement certificate management, key management, and data encryption
Protect data by using Vault's PKI secrets engine to dynamically generate X.509 certificates (KeyFactor). Manage certificate rotation and security with Automated Certificate Management Environment (ACME).
Provide a consistent workflow for distribution and lifecycle management of cryptographic keys in various key management service (KMS) providers. The key management secrets engine (KMSE) allows organizations to maintain centralized control of their keys in Vault while still taking advantage of cryptographic capabilities native to KMS providers.
Relieve the burden of data encryption and decryption from application developers with Vault encryption as a service or transit secrets engine. The transit secrets engine signs and verifies data and generates hashes and hash-based message authentication codes (HMACs).
Leverage data tokenization, such as data masking, to protect sensitive data like credit card numbers and banking details.
Manage Kubernetes secrets with Vault to securely inject secrets into pods and applications.
Integrate with AWS IAM and easily automate access to RDS, Lambda, and other AWS services.
Vault provides several ways to use Kubernetes to securely introduce secrets into applications and infrastructure. Instead of sharing credentials and tokens across pods and services, Vault allows each service to uniquely authenticate and request its own unique credentials.
The database secrets engine lets organizations automatically rotate passwords for existing database users. This makes it easy to integrate existing applications with Vault and leverage the database secrets engine for better secrets management.
Vault's PKI secrets engine dynamically generates X.509 certificates on demand and reduces manual overhead. This allows services to acquire certificates without going through the usual manual process of generating a private key and certificate signing request (CSR), submitting to a certificate authority (CA), and then waiting for the verification and signing process to complete.