HashiCorp Vault is the industry standard for secrets management, encryption as a service, and identity-based access control across distributed infrastructure. This HashiCorp Vault review covers the platform's architecture, feature set, pricing tiers, and operational considerations for teams evaluating a centralized secrets management solution. Vault addresses a fundamental challenge in modern infrastructure: how to securely store, access, and rotate sensitive credentials without embedding them in code, configuration files, or CI/CD pipelines. Whether you run a handful of microservices or thousands of workloads across multiple clouds, Vault provides a single control plane for secrets lifecycle management that integrates with virtually every major platform and runtime.
Overview
HashiCorp Vault is a secrets management and encryption platform designed to secure, store, and tightly control access to tokens, passwords, certificates, API keys, and other sensitive data. Originally released in 2015, Vault has matured into a foundational infrastructure component used by thousands of organizations, from startups to Fortune 500 enterprises. The platform operates on an identity-based security model: rather than distributing long-lived credentials, Vault issues short-lived, dynamically generated secrets tied to specific identities and policies. This approach eliminates secret sprawl and dramatically reduces the blast radius of a credential leak. Vault runs as a server process that clients interact with via a RESTful HTTP API, a CLI, or a web UI. It supports high-availability deployments with integrated storage (Raft consensus) or external backends like Consul, and it encrypts all data at rest and in transit. Vault is available as open-source software under the Business Source License (BSL 1.1), as a managed service through HashiCorp Cloud Platform (HCP), and as a self-managed Enterprise product with advanced features.
Key Features and Architecture
Vault's architecture is built around secret engines, authentication methods, policies, and audit devices, each composable and extensible.
Dynamic Secrets are Vault's signature capability. Instead of storing static credentials, Vault generates secrets on demand for databases (PostgreSQL, MySQL, MongoDB, MSSQL), cloud providers (AWS IAM, Azure, GCP), SSH certificates, PKI certificates, and more. Each secret has a configurable TTL and is automatically revoked when it expires. This eliminates the need for manual credential rotation and ensures that leaked credentials have a limited window of usefulness.
Secret Engines are pluggable backends that store, generate, or encrypt data. The KV (key-value) engine handles static secrets with full versioning. The Transit engine provides encryption as a service, allowing applications to encrypt and decrypt data without ever handling raw encryption keys. The PKI engine issues X.509 certificates with automated renewal. The TOTP engine generates time-based one-time passwords. There are over 20 built-in secret engines, and custom engines can be built using Vault's plugin system.
Authentication Methods let Vault verify the identity of clients. Supported methods include cloud platform identity (AWS IAM, Azure MSI, GCP IAM), Kubernetes service accounts, LDAP, OIDC/JWT, GitHub tokens, TLS certificates, AppRole for machine-to-machine auth, and userpass for human operators. Each auth method maps to internal Vault policies that govern what a client can access.
Policies are written in HCL or JSON and define fine-grained access control over every path in Vault. Policies follow a deny-by-default model: clients can only access paths explicitly granted to them.
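To make the deny-by-default model concrete, the following is an added example (not Vault's own code, only a small reimplementation of the matching rules Vault documents for ACL policies). Policies are written as Python dicts that mirror HCL `path "..." { capabilities = [...] }` blocks; the policy names and secret paths (`myapp`, `payments`, `break-glass`) are assumptions chosen for illustration. It shows the three behaviours a policy author most often trips over: a path with no matching rule is denied, an exact path outranks a glob, and an explicit `deny` overrides anything granted elsewhere.

```python
"""Model of Vault's deny-by-default policy evaluation.

Added example; not Vault's own code, only a simplified reimplementation of
the rules described in its policy documentation. Policies are written as
Python dicts mirroring HCL 'path "..." { capabilities = [...] }' blocks.
Policy names and paths (myapp, payments, break-glass) are assumptions.
"""

# KV v2 serves secret data under secret/data/... and directory listings under
# secret/metadata/..., so 'read' and 'list' are granted on different paths.
APP_POLICY = {
    "secret/data/myapp/*": ["read"],
    "secret/metadata/myapp/*": ["list"],
    # Explicit deny on one sensitive leaf; an exact path outranks the glob above.
    "secret/data/myapp/break-glass": ["deny"],
}

OPERATOR_POLICY = {
    "secret/data/myapp/*": ["create", "update", "delete"],
    # '+' matches exactly one path segment, so this covers every team's
    # config entry without granting the whole tree.
    "secret/data/+/config": ["read"],
    "sys/policies/acl/*": ["read", "list"],
}


def path_matches(rule: str, path: str) -> bool:
    """Match a request path against a policy path.

    A trailing '*' is a prefix glob; '+' matches exactly one segment.
    """
    glob = rule.endswith("*")
    rule_segs = (rule[:-1] if glob else rule).split("/")
    path_segs = path.split("/")
    if glob:
        head, tail = rule_segs[:-1], rule_segs[-1]
        if len(path_segs) <= len(head):
            return False
        if any(r != "+" and r != p for r, p in zip(head, path_segs)):
            return False
        return path_segs[len(head)].startswith(tail)
    if len(rule_segs) != len(path_segs):
        return False
    return all(r == "+" or r == p for r, p in zip(rule_segs, path_segs))


def merge_rules(policies: list) -> dict:
    """Union the capabilities of every attached policy, per path."""
    merged: dict = {}
    for policy in policies:
        for rule_path, caps in policy.items():
            merged.setdefault(rule_path, set()).update(caps)
    return merged


def is_allowed(policies: list, path: str, capability: str) -> bool:
    """Deny by default; otherwise apply the most specific matching rule.

    Specificity (simplified): an exact path beats a glob, and among globs the
    longer prefix wins. A 'deny' on the winning rule overrides everything.
    """
    best_score, best_caps = None, None
    for rule_path, caps in merge_rules(policies).items():
        if not path_matches(rule_path, path):
            continue
        score = (not rule_path.endswith("*"), len(rule_path), -rule_path.count("+"))
        if best_score is None or score > best_score:
            best_score, best_caps = score, caps
    if best_caps is None:
        return False  # no rule mentions this path: denied by default
    if "deny" in best_caps:
        return False  # explicit deny wins over any granted capability
    return capability in best_caps


if __name__ == "__main__":
    for pols, path, cap in [
        ([APP_POLICY], "secret/data/myapp/db", "read"),
        ([APP_POLICY], "secret/data/payments/db", "read"),
        ([APP_POLICY], "secret/data/myapp/break-glass", "read"),
        ([APP_POLICY, OPERATOR_POLICY], "secret/data/myapp/db", "update"),
    ]:
        print(f"{cap:6} {path:35} -> {'allow' if is_allowed(pols, path, cap) else 'deny'}")
```

When several policies are attached to one token, Vault merges their capabilities per path, which is why the merged example grants `update` even though `APP_POLICY` alone does not; the explicit `deny` on `break-glass` survives that merge.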
Audit Logging records every request and response (with sensitive values hashed) to one or more audit devices (file, syslog, socket). This provides a complete, tamper-evident audit trail for compliance requirements like SOC 2, PCI DSS, HIPAA, and GDPR.
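Because the audit devices hash tokens and secret values, the logs are most useful for correlation and detection rather than recovery. The following added example (not part of the original review and not Vault's own tooling) triages a few audit entries: it counts permission-denied responses per token accessor, flags any request made with the `root` policy, and flags writes to control-plane paths such as policy definitions. The entry shape follows Vault's file audit device format as I understand it (one JSON object per line, a `request` and a `response` entry per call, HMAC-SHA256 digests in place of sensitive values); the log lines themselves are constructed, and the accessors, paths, addresses and thresholds are assumptions.

```python
"""Triage of Vault audit-device output (JSON lines).

Added example; not part of the original review and not Vault's own tooling.
The entry shape follows Vault's file audit device format (one JSON object per
line, one 'request' and one 'response' entry per call, tokens and secret
values replaced by HMAC-SHA256 digests). The log lines below are constructed
for illustration; accessors, paths and addresses are made up.
"""
import json
from collections import Counter

# Constructed sample: one successful read, three denied reads from the same
# token, and a policy rewrite by a root token (logged twice, as request and
# response). Raw string so the JSON escape sequences reach json.loads intact.
SAMPLE_AUDIT_LOG = r'''
{"time":"2024-05-01T10:00:00Z","type":"response","auth":{"accessor":"hmac-sha256:aaaa","display_name":"approle-myapp","policies":["default","myapp"],"token_type":"service"},"request":{"id":"r1","operation":"read","path":"secret/data/myapp/db","remote_address":"10.0.0.5"},"response":{"data":{"data":{"password":"hmac-sha256:1111"}}}}
{"time":"2024-05-01T10:00:01Z","type":"response","auth":{"accessor":"hmac-sha256:aaaa","display_name":"approle-myapp","policies":["default","myapp"],"token_type":"service"},"request":{"id":"r2","operation":"read","path":"secret/data/payments/db","remote_address":"10.0.0.5"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:00:02Z","type":"response","auth":{"accessor":"hmac-sha256:aaaa","display_name":"approle-myapp","policies":["default","myapp"],"token_type":"service"},"request":{"id":"r3","operation":"read","path":"secret/data/payments/api-key","remote_address":"10.0.0.5"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:00:03Z","type":"response","auth":{"accessor":"hmac-sha256:aaaa","display_name":"approle-myapp","policies":["default","myapp"],"token_type":"service"},"request":{"id":"r4","operation":"read","path":"sys/policies/acl/myapp","remote_address":"10.0.0.5"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-05-01T10:00:05Z","type":"request","auth":{"accessor":"hmac-sha256:cccc","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"r5","operation":"update","path":"sys/policies/acl/myapp","remote_address":"10.0.0.9"}}
{"time":"2024-05-01T10:00:05Z","type":"response","auth":{"accessor":"hmac-sha256:cccc","display_name":"root","policies":["root"],"token_type":"service"},"request":{"id":"r5","operation":"update","path":"sys/policies/acl/myapp","remote_address":"10.0.0.9"},"response":{}}
'''

DENIED_THRESHOLD = 3  # assumed alerting threshold per accessor
# Writes under these prefixes change who can do what in Vault itself.
CONTROL_PLANE_PREFIXES = ("sys/policies/", "sys/auth/", "sys/audit", "sys/mounts/")
WRITE_OPERATIONS = {"create", "update", "delete"}


def parse_entries(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(text: str) -> list:
    """Return findings as (kind, accessor, detail) tuples."""
    findings = []
    denied = Counter()
    for entry in parse_entries(text):
        # Each call is logged twice; only the response carries the outcome,
        # so skip 'request' entries to avoid double counting.
        if entry.get("type") != "response":
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        path = request.get("path", "")
        # Accessors are hashed but stable across lines, so they still
        # correlate activity per token without exposing the token itself.
        accessor = auth.get("accessor", "<unauthenticated>")
        if "permission denied" in (entry.get("error") or ""):
            denied[accessor] += 1
        if "root" in (auth.get("policies") or []):
            findings.append(("root_token_use", accessor, path))
        if path.startswith(CONTROL_PLANE_PREFIXES) and request.get("operation") in WRITE_OPERATIONS:
            findings.append(("control_plane_write", accessor, path))
    for accessor, count in denied.items():
        if count >= DENIED_THRESHOLD:
            findings.append(("denied_burst", accessor, count))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_AUDIT_LOG):
        print(finding)
```

To tie a hashed accessor or value back to a known plaintext during an investigation, Vault's `sys/audit-hash` endpoint returns the HMAC a given audit device would produce for that value, so the comparison can be made without ever reversing the log.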
Auto-Unseal integrates with cloud KMS services (AWS KMS, Azure Key Vault, GCP Cloud KMS) or HSMs to automatically unseal Vault after a restart, eliminating the manual Shamir key-sharing ceremony in production environments.
Replication (Enterprise/HCP) provides both disaster recovery replication and performance replication across data centers and regions, enabling global deployments with local read performance.
Ideal Use Cases
DevOps and Platform Engineering Teams managing secrets across CI/CD pipelines, Kubernetes clusters, and cloud accounts benefit most from Vault. Its native integrations with Terraform, Nomad, Consul, Kubernetes (via the Vault Agent sidecar injector or CSI provider), and every major CI system (GitHub Actions, GitLab CI, Jenkins, CircleCI) make it a natural fit for infrastructure-as-code workflows.
Zero-Trust Architectures rely on Vault as the identity broker that issues short-lived credentials to workloads based on verified identity rather than network location. Dynamic secrets and certificate-based mutual TLS (mTLS) via the PKI engine are core building blocks for zero-trust networking.
Compliance-Driven Organizations in finance, healthcare, and government use Vault's audit logging, policy enforcement, and encryption-as-a-service capabilities to satisfy regulatory requirements. The Transit engine's ability to encrypt application data without exposing keys to developers is particularly valuable for PCI DSS and HIPAA compliance.
Multi-Cloud and Hybrid Environments benefit when teams need a single, cloud-agnostic secrets management layer rather than locking into AWS Secrets Manager, Azure Key Vault, or GCP Secret Manager individually. Vault abstracts away provider-specific APIs behind a consistent interface.
Database Credential Rotation suits organizations that need to eliminate shared, long-lived database passwords. Vault's database secret engine creates unique, short-lived credentials per application instance and revokes them automatically.
Don't use HashiCorp Vault if your team is small, runs entirely within a single cloud provider, and only needs to manage a handful of static secrets. In that scenario, your cloud provider's native secrets manager (AWS Secrets Manager, GCP Secret Manager) is simpler to operate and costs less in engineering time.
Pricing and Licensing
HashiCorp Vault offers four distinct tiers that scale from individual developers to global enterprises.
Open Source (Community Edition) is free and self-hosted. It includes core secrets management, all secret engines, all auth methods, audit logging, and the Raft integrated storage backend. This tier is production-ready and used by many organizations at scale. The license changed from MPL 2.0 to Business Source License (BSL 1.1) in August 2023, which restricts competing hosted services but does not affect end-user deployments.
HCP Vault Dedicated (Development) starts at $0.03/hr, approximately $22/month, for development-tier clusters on HashiCorp Cloud Platform. Development clusters are suitable for testing and staging environments but do not include SLA guarantees or multi-region replication.
HCP Vault Plus starts at $1.58/hr for production workloads with SLA-backed uptime, automatic upgrades, managed snapshots, and audit log streaming. This tier is designed for teams that want Vault's full feature set without the operational burden of self-managing the cluster. Monthly costs scale with cluster size and typically range from $1,150 to $3,500/month for production-grade deployments.
Enterprise (Self-Managed) carries custom pricing negotiated directly with HashiCorp. Enterprise features include namespaces for multi-tenancy, performance and disaster recovery replication, HSM auto-unseal (PKCS#11), Sentinel policy-as-code, control groups for break-glass workflows, and FIPS 140-2 certified binaries. Typical Enterprise contracts start at $50,000/year and scale with cluster count and node count.
All paid tiers include HashiCorp support. The open-source edition relies on community support via the HashiCorp discussion forum and GitHub issues.
Pros and Cons
Pros
- Free open-source tier with full core functionality. Unlike many competitors, the OSS edition includes dynamic secrets, all secret engines, all auth methods, and audit logging at no cost.
- Dynamic secrets eliminate credential sprawl. Automatically generated, short-lived credentials for databases, cloud providers, and PKI are a fundamental security improvement over static secrets.
- Broad ecosystem integration. Native support for AWS, Azure, GCP, Kubernetes, Terraform, Consul, Nomad, every major database, and dozens of CI/CD platforms means Vault fits into virtually any stack.
- Encryption as a service via the Transit engine. Applications can offload encryption/decryption to Vault without managing keys, which simplifies compliance and reduces risk.
- Mature and battle-tested. Over nine years of production use across thousands of organizations, with a well-documented API, active community, and extensive third-party tooling.
- Policy-as-code and audit logging. Fine-grained HCL policies and comprehensive audit trails satisfy enterprise compliance requirements out of the box.
Cons
- Operational complexity is significant. Self-managed Vault requires expertise in unsealing, storage backend configuration, cluster upgrades, disaster recovery, and monitoring. The learning curve for operators is steep.
- HCP managed service pricing scales quickly. While development clusters start at $22/month, production-grade HCP Vault Plus deployments easily exceed $1,000/month, which may not fit smaller teams' budgets.
- BSL license change introduced uncertainty. The 2023 shift from MPL 2.0 to BSL 1.1 concerned some open-source users and spawned the OpenBao fork. Teams evaluating Vault should verify that BSL terms align with their use case.
- Steep learning curve for developers. Vault's flexibility means there are many concepts to master: policies, token hierarchies, lease management, auth methods, and engine configurations. Onboarding developers requires deliberate investment.
Alternatives and How It Compares
AWS Secrets Manager is the natural choice for teams running exclusively on AWS. It offers native integration with RDS, Redshift, and Lambda, automatic rotation for supported services, and straightforward per-secret pricing at $0.40/secret/month. It lacks Vault's dynamic secret generation, cross-cloud support, and encryption-as-a-service capabilities, making it less suitable for multi-cloud or complex credential workflows.
Azure Key Vault provides secrets, key, and certificate management tightly integrated with Azure services. Pricing is consumption-based (per-operation). Like AWS Secrets Manager, it is cloud-specific and does not offer dynamic secrets or policy-as-code comparable to Vault.
CyberArk Conjur targets enterprise privileged access management with a focus on compliance and auditing. It offers an open-source edition and an enterprise tier. Conjur is strong in legacy enterprise environments but has a narrower integration ecosystem and less community adoption than Vault.
Doppler is a developer-friendly secrets manager focused on environment variable management across development, staging, and production. It excels at simplicity with a clean UI and CI/CD integrations, starting at $4/user/month. Doppler is ideal for application-level secret management but lacks Vault's dynamic secrets, PKI, encryption-as-a-service, and infrastructure-level capabilities.
Vault's primary advantage over all alternatives is its breadth: dynamic secrets, encryption as a service, PKI, cloud-agnostic identity, and policy-as-code in a single platform. The trade-off is operational and conceptual complexity that cloud-native or developer-focused alternatives avoid.