Secrets Management 

Centrally store, access, and distribute secrets like API keys, AWS IAM/STS credentials, SQL/NoSQL databases, X.509 certificates, SSH credentials, and more.

Get WhitepaperGet Started

Centrally Manage Secrets to Reduce Secrets Sprawl

The Challenge

Secrets for applications and systems need to be centralized and static IP-based solutions don't scale in dynamic environments with frequently changing applications and machines.

The Solution

Vault centrally manages and enforces access to secrets and systems based on trusted sources of application and user identity.

Dan_McTeer_Adobe_HashiConf2017

Using Vault to Protect Adobe's Secrets and User Data Across Clouds and Datacenters

Securing secrets and application data is a complex task for globally distributed organizations. For Adobe, managing secrets for over 20 products across 100,000 hosts, four regions, and trillions of transactions annually requires a different approach altogether.

Read Case Study

Secrets Management Features

CODE:
$ cat vault.config
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}

listener "tcp" {
  address     = "127.0.0.1:8200"
}

telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

CODE:
$ cat vault.config
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault"
}
 
listener "tcp" {
  address     = "127.0.0.1:8200"
}
 
telemetry {
  statsite_address = "127.0.0.1:8125"
  disable_hostname = true
}

Secret Storage

Encrypt and store data in the storage backend of your choice.

Learn More
Dynamic Secrets

Dynamic Secrets

Dynamic secrets are ephemeral, programmatically generated when they are accessed and do not exist until they are read, reducing risk of someone stealing them or another client using the same secrets. Dynamic secrets can be revoked immediately after use, minimizing the life of the secret.

Learn More
Namespaces

Namespaces

Provide secure multi-tenancy with isolated, self-managed environments.

Learn More
Oracle
AWS

Secure Plugins

Extend Vault with pluggable secret engines such as Consul, MySql, AWS, MongoDB, and more.

Learn More
CODE:
$ cat audit.log | jq {
    "time": "2018-08-27T13:17:11.609621226Z",
    "type": "response",
    "auth": {
        "client_token": "hmac-sha256:5c40f1e051ea75b83230a5bf16574090f697dfa22a78e437f12c1c9d226f45a5",
        "accessor": "hmac-sha256:f254a2d442f172f0b761c9fd028f599ad91861ed16ac3a1e8d96771fd920e862",
        "display_name": "token",
        "metadata": null,
        "entity_id": ""
    }
}

CODE:
$ cat audit.log | jq {
    "time": "2018-08-27T13:17:11.609621226Z",
    "type": "response",
    "auth": {
        "client_token": "hmac-sha256:5c40f1e051ea75b83230a5bf16574090f697dfa22a78e437f12c1c9d226f45a5",
        "accessor": "hmac-sha256:f254a2d442f172f0b761c9fd028f599ad91861ed16ac3a1e8d96771fd920e862",
        "display_name": "token",
        "metadata": null,
        "entity_id": ""
    }
}

Detailed Audit Logs

Detailed audit logs provide detailed history of client interaction — authentication, token creation, secret access & revocation — which can be used to detect security breaches and attempted access to systems, and guide policy enforcement.

Learn More
CODE:
$ vault read database/creds/readonly

Key             Value
---             -----
lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
lease_duration  1h0m0s
lease_renewable true
password        A1a-w2xv2zsq4r5ru940
username        v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
[ … ]

$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809

Key             Value
---             -----
lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
lease_duration  1h0m0s
lease_renewable true
$ vault leas

CODE:
$ vault read database/creds/readonly
 
Key             Value
---             -----
lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
lease_duration  1h0m0s
lease_renewable true
password        A1a-w2xv2zsq4r5ru940
username        v-token-readonly-48rt0t36sxp4wy81x8x1-1515627434
[ … ]
 
$ vault renew database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
 
Key             Value
---             -----
lease_id        database/creds/readonly/3e8174da-6ca0-143b-aa8c-4c238aa02809
lease_duration  1h0m0s
lease_renewable true
$ vault leas

Lease and Revoke Secrets

Minimize the impact of secrets exposure by limiting how long credentials can live by creating time-based tokens for automatic or manual revocation and management.

Learn More

Vault Open Source and Enterprise Features

Learn more about secret management features with Vault Open Source and collaboration, governance, and multi-datacenter features with Vault Enterprise.

View FeaturesContact Sales