// the find
hashicorp/vault
A tool for secrets management, encryption as a service, and privileged access management
Vault is HashiCorp's secrets management platform: it stores, generates, and revokes secrets behind a single HTTP API, covering everything from static KV pairs to dynamic AWS credentials that Vault revokes when their lease expires. The target audience is platform and infrastructure teams who need auditable, centralized secret storage and don't want to bolt it together themselves.
Dynamic secrets are the genuinely useful differentiator: Vault generates short-lived AWS credentials, database users, or PKI certificates on demand and revokes them when the lease expires, so there are no rotation scripts and no long-lived credentials to leak. The caveat is that revocation is Vault's job: the credential exists in the backing system until Vault deletes it, so Vault must keep reaching that system, and a client that ignores its lease TTL instead of renewing or re-requesting will break when the credential disappears. The audit log is thorough and pluggable (file, syslog, and socket devices), HMACs sensitive fields by default, and is enforced hard: once any audit device is enabled, Vault refuses to complete a request it cannot log to at least one of them, which makes compliance easier but turns a full disk into an outage. The plugin SDK (the `sdk` Go module) lets you extend Vault with custom auth methods and secret engines without forking the core. Integrated Storage (Raft) has been built in since 1.4, so you can run an HA cluster without depending on Consul.
The Enterprise/Community split is aggressive, and the free tier has been under the BSL 1.1 license since 1.15. DR and performance replication, namespaces, Sentinel policies, HSM (PKCS#11) auto-unseal, and step-up MFA on individual paths are all gated behind a paid license, which catches people off guard when they hit scale; login MFA (TOTP, Duo, Okta, PingID) has shipped in the free version since 1.10, so MFA itself is no longer the blocker it once was. The unsealing ceremony is operationally painful: after every restart a threshold of Shamir key-share holders must each submit their share, or you configure auto-unseal, which in the free version means a cloud KMS (AWS KMS, Azure Key Vault, GCP Cloud KMS, OCI KMS) or another Vault's Transit engine, since the PKCS#11 HSM seal requires Enterprise. The HCL configuration format is non-obvious, and the learning curve from 'I have it running' to 'I trust this in production' is steep; most teams underestimate it. Importing the Vault core as a Go library is explicitly unsupported: the `api` and `sdk` submodules are the only supported import surface, so if you want Vault-style secret generation in your own service you either call a Vault server through the `api` client or write a plugin against the `sdk`.
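Added example, not from the page or the Vault project's own docs: a server config that puts the two operational points above together, Integrated Storage (Raft) for HA and a cloud KMS auto-unseal so restarts do not need a quorum of key holders. Hostnames, file paths, node names and the KMS key ARN are placeholders chosen for illustration; the stanza and field names are Vault's.

```hcl
# Added example: one node of a three-node Raft cluster with AWS KMS auto-unseal.
# vault-1/2/3.example.internal, /etc/vault.d, /opt/vault/data and the KMS key
# ARN are placeholders (assumptions), not values from the Vault project.

ui        = true
log_level = "info"

# Integrated Storage manages its own memory; HashiCorp's Raft docs recommend
# disabling mlock rather than granting the process IPC_LOCK.
disable_mlock = true

# How clients and peer nodes reach this node. Both are required for Raft.
api_addr     = "https://vault-1.example.internal:8200"
cluster_addr = "https://vault-1.example.internal:8201"

listener "tcp" {
  address         = "0.0.0.0:8200"
  tls_cert_file   = "/etc/vault.d/tls/vault.crt"   # placeholder path
  tls_key_file    = "/etc/vault.d/tls/vault.key"   # placeholder path
  tls_min_version = "tls12"
}

storage "raft" {
  path    = "/opt/vault/data"
  node_id = "vault-1"

  # Peers to contact on first start; a fresh node with no data joins whichever
  # leader answers. One stanza per peer, each node lists the others.
  retry_join {
    leader_api_addr     = "https://vault-2.example.internal:8200"
    leader_ca_cert_file = "/etc/vault.d/tls/ca.crt"
  }
  retry_join {
    leader_api_addr     = "https://vault-3.example.internal:8200"
    leader_ca_cert_file = "/etc/vault.d/tls/ca.crt"
  }
}

# Auto-unseal: the root key is wrapped by the KMS key, so a restart needs only
# IAM access to that key instead of a threshold of Shamir share holders.
# `vault operator init` still emits recovery keys, which remain required for
# privileged operations such as generate-root; store them as you would shares.
seal "awskms" {
  region     = "us-east-1"
  kms_key_id = "arn:aws:kms:us-east-1:123456789012:key/00000000-0000-0000-0000-000000000000"  # placeholder
}

telemetry {
  prometheus_retention_time = "30s"
  disable_hostname          = true
}
```

Two things this file cannot do for you: the cluster is initialised once, on a single node, with `vault operator init`, and audit devices are not part of the server config at all, so the first post-init step is `vault audit enable file file_path=/var/log/vault/audit.log` (path assumed), or an equivalent syslog or socket device. Until that is done nothing is being logged, and once it is done the disk holding that log is part of your availability story.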