Scripts · Apr 10, 2026 · 3 min read

HashiCorp Vault — Secrets Management & Encryption Platform

Vault is the industry-standard secrets management platform. Store API keys, database credentials, and certificates, with dynamic secrets, encryption as a service, and fine-grained access control.

TL;DR
Industry-standard platform for managing secrets, dynamic credentials, and encryption as a service.
§01

What it is

HashiCorp Vault is a secrets management and encryption platform that centralizes the storage and access of sensitive data: API keys, database credentials, TLS certificates, and encryption keys. Vault provides dynamic secrets (short-lived credentials generated on demand), encryption as a service, and fine-grained access control policies. It integrates with cloud providers, databases, and identity systems.

Vault targets security teams, platform engineers, and DevOps organizations that need to eliminate hard-coded secrets, enforce credential rotation, and maintain an audit log of all secret access.

§02

How it saves time or tokens

Without Vault, teams scatter secrets across environment variables, config files, and CI/CD pipelines with no central audit trail. Vault consolidates all secrets into a single source of truth with automatic rotation. Dynamic secrets for databases mean each application instance gets unique, short-lived credentials that auto-expire, eliminating shared long-lived passwords. The API-first design integrates with any automation tool.

§03

How to use

  1. Start Vault in dev mode (not for production):
docker run -d --name vault --cap-add IPC_LOCK \
  -p 8200:8200 \
  -e VAULT_DEV_ROOT_TOKEN_ID=my-root-token \
  -e VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \
  hashicorp/vault
  2. Set environment variables and store a secret:
export VAULT_ADDR='http://127.0.0.1:8200'
export VAULT_TOKEN='my-root-token'
vault kv put secret/myapp db_password='s3cret'
  3. Retrieve the secret:
vault kv get secret/myapp
§04

Example

Dynamic database credentials with Vault:

# Enable the database secrets engine
vault secrets enable database

# Configure a PostgreSQL connection
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  connection_url='postgresql://{{username}}:{{password}}@db:5432/mydb' \
  allowed_roles='readonly' \
  username='vault_admin' \
  password='admin_pass'

# Create a role with a 1-hour TTL
vault write database/roles/readonly \
  db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl=1h max_ttl=24h

# Get dynamic credentials
vault read database/creds/readonly
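
What the CLI steps in §03 and the dynamic-credential example above do at the HTTP API level, as an added example that is not part of this page or of HashiCorp's code: a minimal client that maps the CLI path `secret/myapp` to the KV v2 API path `secret/data/myapp`, unwraps the double `data` nesting of a KV v2 read, and tracks the lease on credentials read from `database/creds/readonly`. The `VaultClient` class, the `FAKE_STORE` responses, the injected `fake_transport` and the two-thirds renewal rule are assumptions of this example; the paths, the `X-Vault-Token` header and the response shapes are Vault's.

```python
import time
from typing import Any, Callable, Dict, Optional

# Transport signature: (method, url, headers, json_body) -> parsed JSON response.
# Injected so the example runs offline; a real one would do an HTTPS request.
Transport = Callable[[str, str, Dict[str, str], Optional[Dict[str, Any]]], Dict[str, Any]]


def kv_v2_data_path(mount_path: str) -> str:
    """Map the CLI form `secret/myapp` to the API path `secret/data/myapp`.

    On a KV v2 mount (what dev mode enables at secret/) the CLI inserts `data/`
    after the mount name; raw API calls and policy rules must use that path.
    """
    mount, _, key = mount_path.partition("/")
    if not key:
        raise ValueError(f"expected <mount>/<key>, got {mount_path!r}")
    return f"{mount}/data/{key}"


class VaultClient:
    def __init__(self, addr: str, token: str, transport: Transport) -> None:
        self.addr = addr.rstrip("/")
        self.headers = {"X-Vault-Token": token}  # token goes in a header, never in the URL
        self.transport = transport

    def _request(self, method: str, api_path: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        return self.transport(method, f"{self.addr}/v1/{api_path}", self.headers, body)

    def kv_put(self, mount_path: str, secrets: Dict[str, str]) -> Dict[str, Any]:
        # KV v2 expects the key/value pairs wrapped in a "data" object.
        return self._request("POST", kv_v2_data_path(mount_path), {"data": secrets})

    def kv_get(self, mount_path: str) -> Dict[str, str]:
        resp = self._request("GET", kv_v2_data_path(mount_path))
        # KV v2 nests twice: resp["data"]["data"] holds the pairs,
        # resp["data"]["metadata"] holds the version and timestamps.
        return resp["data"]["data"]

    def dynamic_creds(self, creds_path: str, now: Optional[float] = None) -> Dict[str, Any]:
        """Read database/creds/<role> and work out when the lease needs attention.

        Dynamic credentials are leased: renew the lease or fetch fresh
        credentials before lease_duration elapses, or the database login
        stops working mid-run.
        """
        resp = self._request("GET", creds_path)
        now = time.time() if now is None else now
        lease = int(resp["lease_duration"])
        return {
            "username": resp["data"]["username"],
            "password": resp["data"]["password"],
            "lease_id": resp["lease_id"],
            "renewable": resp.get("renewable", False),
            "expires_at": now + lease,
            # Renew at two-thirds of the TTL so a failed renewal can still be retried.
            "renew_at": now + lease * 2 // 3,
        }


# Constructed responses in the shape Vault returns; sample values, not captured
# from a real server. The fake transport below stands in for HTTPS.
FAKE_STORE: Dict[str, Dict[str, Any]] = {
    "database/creds/readonly": {
        "lease_id": "database/creds/readonly/EXAMPLE-LEASE-ID",
        "lease_duration": 3600,  # one hour, the role's default_ttl
        "renewable": True,
        "data": {"username": "v-token-readonly-EXAMPLE", "password": "EXAMPLE-PASSWORD"},
    }
}


def fake_transport(method: str, url: str, headers: Dict[str, str], body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
    if not headers.get("X-Vault-Token"):
        raise PermissionError("missing token")  # Vault would answer 403
    api_path = url.split("/v1/", 1)[1]
    if method == "POST":
        FAKE_STORE[api_path] = {"data": {"data": body["data"], "metadata": {"version": 1}}, "lease_duration": 0}
        return {"data": {"version": 1}}
    if api_path not in FAKE_STORE:
        raise LookupError(f"no such path: {api_path}")  # Vault would answer 404
    return FAKE_STORE[api_path]


def demo(now: float = 1_000_000) -> tuple:
    client = VaultClient("http://127.0.0.1:8200", "my-root-token", fake_transport)
    client.kv_put("secret/myapp", {"db_password": "s3cret"})       # vault kv put secret/myapp db_password='s3cret'
    static = client.kv_get("secret/myapp")                        # vault kv get secret/myapp
    creds = client.dynamic_creds("database/creds/readonly", now)  # vault read database/creds/readonly
    return static, creds


if __name__ == "__main__":
    s, c = demo()
    print("static secret:", s)
    print("dynamic creds expire at", c["expires_at"], "renew at", c["renew_at"])
```

The KV secret comes back with `lease_duration` 0 because KV entries are not leased; only the database credentials carry a `lease_id`, and that lease, not the username, is what an application has to manage.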
§05

Common pitfalls

  • Dev mode stores all data in memory and auto-unseals; never use it for production workloads
  • Vault's unseal process requires multiple key shares; plan your key management strategy before deployment
  • Policy syntax errors fail silently in some cases; always test policies with vault policy fmt before applying
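
The third pitfall in practice, as an added example that is not part of this page or of Vault's code: a toy parser and evaluator for the `path "..." { capabilities = [...] }` policy form, used to show that a rule written for the CLI path `secret/myapp` grants nothing on a KV v2 mount (the request actually hits `secret/data/myapp`), next to a least-privilege policy for the app from the examples above. The evaluator is a simplified model (most specific matching rule wins, `deny` refuses, no matching rule means deny) and is an assumption of this example, as are the two policy documents; it does not replace `vault policy fmt`.

```python
import re

# Matches one `path "<pattern>" { capabilities = [...] }` rule. Comments and
# other stanzas (denied_parameters and the like) are ignored by this toy parser.
RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str):
    """Return [(path_pattern, {capabilities})] for each rule in the document."""
    rules = []
    for m in RULE_RE.finditer(hcl):
        caps = set(re.findall(r'"([^"]+)"', m.group(2)))
        rules.append((m.group(1), caps))
    if not rules:
        raise ValueError("no path rules found; check the syntax with `vault policy fmt`")
    return rules


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Vault path globs: `*` only at the very end (prefix match), `+` matches one segment."""
    if "*" in pattern[:-1]:
        raise ValueError(f"'*' is only valid at the end of a path: {pattern}")
    body = pattern[:-1] if pattern.endswith("*") else pattern
    rx = "/".join("[^/]+" if seg == "+" else re.escape(seg) for seg in body.split("/"))
    if pattern.endswith("*"):
        rx += ".*"
    return re.compile("^" + rx + "$")


def allowed(policy_hcl: str, api_path: str, capability: str) -> bool:
    """Simplified evaluator for one policy document.

    No matching rule means deny. Among matching rules the most specific one
    (exact before glob, then longest) decides, approximating Vault's
    longest-match resolution; a rule carrying "deny" refuses everything.
    """
    matches = [(p, caps) for p, caps in parse_policy(policy_hcl) if pattern_to_regex(p).match(api_path)]
    if not matches:
        return False
    _, caps = max(matches, key=lambda r: (not r[0].endswith("*"), len(r[0])))
    return "deny" not in caps and capability in caps


# The pitfall: this looks right but grants nothing on a KV v2 mount, because the
# API path that `vault kv get secret/myapp` really requests is secret/data/myapp.
WRONG_POLICY = '''
path "secret/myapp" {
  capabilities = ["read"]
}
'''

# Least-privilege policy for the app: read its own KV entry, request readonly
# database credentials, and nothing administrative.
APP_POLICY = '''
path "secret/data/myapp" {
  capabilities = ["read"]
}

path "database/creds/readonly" {
  capabilities = ["read"]
}

# Explicit deny: the app must never read the connection config (it holds the admin password).
path "database/config/*" {
  capabilities = ["deny"]
}
'''


def check_policies() -> dict:
    return {
        "wrong_policy_reads_kv": allowed(WRONG_POLICY, "secret/data/myapp", "read"),
        "app_reads_kv": allowed(APP_POLICY, "secret/data/myapp", "read"),
        "app_updates_kv": allowed(APP_POLICY, "secret/data/myapp", "update"),
        "app_reads_creds": allowed(APP_POLICY, "database/creds/readonly", "read"),
        "app_reads_db_config": allowed(APP_POLICY, "database/config/mydb", "read"),
        "app_reads_other_kv": allowed(APP_POLICY, "secret/data/other", "read"),
    }


if __name__ == "__main__":
    for name, result in check_policies().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```

A quick way to catch the first case on a real server is `vault token capabilities <token> secret/data/myapp`, which reports what the attached policies actually grant on the API path.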

Frequently Asked Questions

What are dynamic secrets?

Dynamic secrets are credentials generated on demand with a configurable TTL (time-to-live). Instead of storing a static database password, Vault creates a unique username/password pair for each request that auto-expires. This eliminates shared credentials and makes revocation automatic.

How does Vault compare to AWS Secrets Manager?

AWS Secrets Manager is limited to AWS services. Vault is cloud-agnostic and supports a much wider range of secrets engines: databases, SSH, PKI, cloud IAM, and more. Vault also provides encryption as a service and fine-grained policy control.

What is the unsealing process?

Vault encrypts all stored data. On startup, Vault is sealed and cannot read its own data. Unsealing requires providing a threshold of key shares (e.g., 3 of 5). This protects against unauthorized access even if the storage backend is compromised.
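
The threshold behind "3 of 5", as an added example that is not part of this page or of Vault's code: Vault's unseal keys are Shamir shares, and the toy below splits a sample master key into five shares on a random degree-2 polynomial and recovers it by Lagrange interpolation. It uses a prime field for readability where Vault works byte by byte over GF(2^8); the `PRIME` constant, the `demo` function and the constructed sample key are assumptions of this example.

```python
import secrets

# Toy field: a prime field keeps the arithmetic readable. Vault's real unseal
# keys are Shamir shares over GF(2^8), byte by byte; the threshold logic is the same.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, shares=5, threshold=3, rng=secrets.randbelow):
    """Split `secret` into `shares` points on a random degree-(threshold-1)
    polynomial whose constant term is the secret. Any `threshold` points recover it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    coeffs = [secret % PRIME] + [rng(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def demo(master_key=None, rng=secrets.randbelow):
    """3-of-5 unseal: any three operators' shares rebuild the key, two do not."""
    if master_key is None:
        master_key = int.from_bytes(secrets.token_bytes(15), "big")  # constructed sample key
    shares = split_secret(master_key, shares=5, threshold=3, rng=rng)
    return {
        "with_three": recover_secret(shares[:3]) == master_key,
        "with_other_three": recover_secret([shares[0], shares[2], shares[4]]) == master_key,
        "with_two": recover_secret(shares[:2]) == master_key,
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'recovered' if ok else 'not recovered'}")
```

Two shares fix a line, not the degree-2 curve, so they reveal nothing about the constant term; this is why a compromised storage backend plus fewer than the threshold of shares still does not expose the data.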

Does Vault support Kubernetes?

Yes. Vault has a Kubernetes auth method that lets pods authenticate using their service account tokens. The Vault Agent Injector automatically injects secrets into pod containers as files or environment variables without application changes.

Is Vault free?

Vault is open source under the BSL license (formerly MPL). The core features including secrets engines, auth methods, and policies are free. HashiCorp offers Vault Enterprise and HCP Vault (managed) with additional features like namespaces, replication, and HSM support.
