Skills · April 10, 2026 · 1 min read

HashiCorp Vault — Secrets Management & Encryption Platform

Vault is the industry-standard secrets management platform. Store API keys, database credentials, and certificates, with dynamic secrets, encryption as a service, and fine-grained access control.

Agent ready

This asset is staged first. The copied command asks the Agent to read the staged files and confirm before activating any script, MCP configuration, or global configuration.

Stage only · 29/100 · Policy: staging required
Agent entry point
Any MCP/CLI Agent
Type
Skill
Install
Stage only
Trust
Trust level: Community
Entry point
step-1.md
Safe staging command
npx -y tokrepo@latest install d359a6e1-3530-11f1-9bc6-00163e2b0d79 --target codex

Stages the files first; read the staged README and install plan before activating.

TL;DR
Industry-standard platform for managing secrets, dynamic credentials, and encryption as a service.
§01

What it is

HashiCorp Vault is a secrets management and encryption platform that centralizes the storage and access of sensitive data: API keys, database credentials, TLS certificates, and encryption keys. Vault provides dynamic secrets (short-lived credentials generated on demand), encryption as a service, and fine-grained access control policies. It integrates with cloud providers, databases, and identity systems.

Vault targets security teams, platform engineers, and DevOps organizations that need to eliminate hard-coded secrets, enforce credential rotation, and maintain an audit log of all secret access.

§02

How it saves time or tokens

Without Vault, teams scatter secrets across environment variables, config files, and CI/CD pipelines with no central audit trail. Vault consolidates all secrets into a single source of truth with automatic rotation. Dynamic secrets for databases mean each application instance gets unique, short-lived credentials that auto-expire, eliminating shared long-lived passwords. The API-first design integrates with any automation tool.

§03

How to use

  1. Start Vault in dev mode (not for production):

     docker run -d --name vault --cap-add IPC_LOCK \
       -p 8200:8200 \
       -e VAULT_DEV_ROOT_TOKEN_ID=my-root-token \
       -e VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200 \
       hashicorp/vault

  2. Set environment variables and store a secret:

     export VAULT_ADDR='http://127.0.0.1:8200'
     export VAULT_TOKEN='my-root-token'
     vault kv put secret/myapp db_password='s3cret'

  3. Retrieve the secret:

     vault kv get secret/myapp
§04

Example

Dynamic database credentials with Vault:

# Enable the database secrets engine
vault secrets enable database

# Configure a PostgreSQL connection
vault write database/config/mydb \
  plugin_name=postgresql-database-plugin \
  connection_url='postgresql://{{username}}:{{password}}@db:5432/mydb' \
  allowed_roles='readonly' \
  username='vault_admin' \
  password='admin_pass'

# Create a role with a 1-hour TTL
vault write database/roles/readonly \
  db_name=mydb \
  creation_statements="CREATE ROLE \"{{name}}\" LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
  default_ttl=1h max_ttl=24h

# Get dynamic credentials
vault read database/creds/readonly
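The CLI steps in §03 and §04 are thin wrappers over Vault's HTTP API, and that API is what an application actually uses: it reads the KV secret, leases dynamic credentials, renews the lease before it expires, and revokes it on shutdown so the database role disappears immediately instead of at TTL expiry. The following is an added example, not HashiCorp's code or client library. It assumes the dev-mode server, root token, `secret/myapp` key and `database/roles/readonly` role exactly as set up above, uses only the standard library, and takes an injectable `transport` so the lease logic can be exercised against a constructed `FakeVault` with no server running; the fake's responses mirror the shape of Vault's real JSON but its `max_ttl` handling is simplified.

```python
import json
import os
import urllib.request
from dataclasses import dataclass


def http_transport(method, url, token, body=None):
    """Send one request to the Vault HTTP API; return its JSON body (None on 204)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("X-Vault-Token", token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


@dataclass
class Lease:
    lease_id: str
    ttl: int          # seconds granted at issue or by the last renewal
    renewable: bool
    data: dict

    def needs_renewal(self, elapsed, fraction=0.5):
        """Renew once `fraction` of the TTL has elapsed, leaving slack for retries."""
        return self.renewable and elapsed >= self.ttl * fraction


class VaultClient:
    def __init__(self, addr=None, token=None, transport=http_transport):
        self.addr = (addr or os.environ["VAULT_ADDR"]).rstrip("/")
        self.token = token or os.environ["VAULT_TOKEN"]
        self.transport = transport

    def _call(self, method, path, body=None):
        return self.transport(method, f"{self.addr}/v1/{path}", self.token, body)

    def kv_get(self, mount, path):
        # KV v2 nests the stored keys under data.data (KV v1 has a single data level)
        return self._call("GET", f"{mount}/data/{path}")["data"]["data"]

    def db_creds(self, role):
        r = self._call("GET", f"database/creds/{role}")
        return Lease(r["lease_id"], r["lease_duration"], r["renewable"], r["data"])

    def renew(self, lease, increment):
        body = {"lease_id": lease.lease_id, "increment": increment}
        lease.ttl = self._call("PUT", "sys/leases/renew", body)["lease_duration"]
        return lease.ttl  # may be less than requested: max_ttl caps the lease

    def revoke(self, lease):
        # Revoking on shutdown drops the database role now rather than at TTL expiry
        self._call("PUT", "sys/leases/revoke", {"lease_id": lease.lease_id})


class FakeVault:
    """Constructed stand-in for the dev-mode server so the flow runs offline."""
    MAX_TTL = 24 * 3600  # mirrors max_ttl=24h on the readonly role (simplified)

    def __init__(self):
        self.leases = {}  # lease_id -> ttl currently granted
        self.issued = 0

    def __call__(self, method, url, token, body=None):
        if token != "my-root-token":
            raise PermissionError("permission denied")
        path = url.split("/v1/", 1)[1]
        if method == "GET" and path == "secret/data/myapp":
            return {"data": {"data": {"db_password": "s3cret"}, "metadata": {"version": 1}}}
        if method == "GET" and path == "database/creds/readonly":
            self.issued += 1
            lid = f"database/creds/readonly/fake-lease-{self.issued}"
            self.leases[lid] = 3600
            return {"lease_id": lid, "lease_duration": 3600, "renewable": True,
                    "data": {"username": f"v-root-readonly-{self.issued}", "password": "generated"}}
        if method == "PUT" and path == "sys/leases/renew":
            granted = min(body["increment"], self.MAX_TTL)
            self.leases[body["lease_id"]] = granted
            return {"lease_id": body["lease_id"], "lease_duration": granted, "renewable": True}
        if method == "PUT" and path == "sys/leases/revoke":
            del self.leases[body["lease_id"]]
            return None
        raise KeyError(f"{method} {path}")


def demo():
    """Read the KV secret, lease creds, renew past half-life, revoke on exit."""
    fake = FakeVault()
    vault = VaultClient("http://127.0.0.1:8200", "my-root-token", transport=fake)
    db_password = vault.kv_get("secret", "myapp")["db_password"]
    lease = vault.db_creds("readonly")
    early = lease.needs_renewal(elapsed=600)   # 10 min into a 1 h lease: not yet
    if lease.needs_renewal(elapsed=1900):       # past half-life: renew for 2 h
        vault.renew(lease, increment=7200)
    vault.revoke(lease)
    return db_password, lease.data["username"], early, lease.ttl, len(fake.leases)


if __name__ == "__main__":
    print(demo())  # ('s3cret', 'v-root-readonly-1', False, 7200, 0)
```

Against a real server, construct `VaultClient()` with no arguments and it picks up `VAULT_ADDR` and `VAULT_TOKEN` from the environment set in step 2. The half-life renewal rule is the practical point: a client that only reads `lease_duration` and sleeps for that long will lose its database login the moment the lease expires, and one that never revokes leaves a usable role in PostgreSQL until Vault's expiration manager gets to it.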
§05

Common pitfalls

  • Dev mode stores all data in memory and auto-unseals; never use it for production workloads
  • Vault's unseal process requires multiple key shares; plan your key management strategy before deployment
  • Policy syntax errors fail silently in some cases; always test policies with vault policy fmt before applying

FAQ

What are dynamic secrets?

Dynamic secrets are credentials generated on demand with a configurable TTL (time-to-live). Instead of storing a static database password, Vault creates a unique username/password pair for each request that auto-expires. This eliminates shared credentials and makes revocation automatic.

How does Vault compare to AWS Secrets Manager?

AWS Secrets Manager is limited to AWS services. Vault is cloud-agnostic and supports a much wider range of secrets engines: databases, SSH, PKI, cloud IAM, and more. Vault also provides encryption as a service and fine-grained policy control.

What is the unsealing process?

Vault encrypts all stored data. On startup, Vault is sealed and cannot read its own data. Unsealing requires providing a threshold of key shares (e.g., 3 of 5). This protects against unauthorized access even if the storage backend is compromised.
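The "threshold of key shares" in that answer is Shamir's secret sharing: the key is the constant term of a random polynomial of degree threshold-1, each share is a point on it, and any threshold points pin the polynomial down while fewer reveal nothing. The following added example (not Vault's code, whose implementation works byte-wise over GF(2^8) rather than over one large prime field) carries a 3-of-5 split of a constructed 32-byte key through the arithmetic and models the submit-shares-until-threshold flow with a hypothetical `Unsealer` class; the prime, function names and the duplicate-share handling are this example's own choices.

```python
import secrets
from itertools import combinations

# Mersenne prime 2**521 - 1: large enough to hold a 32-byte key as one field element.
P = (1 << 521) - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, shares):
    """Split an integer secret into `shares` (x, y) points; any `threshold` rebuild it."""
    if not 0 <= secret < P:
        raise ValueError("secret must lie in [0, P)")
    if not 1 < threshold <= shares < P:
        raise ValueError("need 1 < threshold <= shares")
    # Constant term is the secret; the remaining threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0. Below threshold this returns garbage, not an error."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def every_quorum_recovers(shares, threshold, secret):
    """True when every `threshold`-sized subset of shares rebuilds the secret."""
    return all(recover_secret(list(c)) == secret for c in combinations(shares, threshold))


class Unsealer:
    """Constructed model of the unseal flow: collect distinct shares until the threshold."""

    def __init__(self, threshold, key_len):
        self.threshold, self.key_len = threshold, key_len
        self.pending = {}
        self.master_key = None  # stays None (sealed) until threshold shares arrive

    def submit(self, share):
        x, y = share
        if x in self.pending:
            return self.sealed  # a repeated share adds no information
        self.pending[x] = y
        if len(self.pending) >= self.threshold:
            key_int = recover_secret(list(self.pending.items()))
            self.master_key = key_int.to_bytes(self.key_len, "big")
            self.pending.clear()
        return self.sealed

    @property
    def sealed(self):
        return self.master_key is None


if __name__ == "__main__":
    key = bytes(range(32))  # constructed stand-in for a 32-byte master key
    shares = split_secret(int.from_bytes(key, "big"), 3, 5)
    u = Unsealer(3, 32)
    print([u.submit(s) for s in (shares[0], shares[0], shares[3], shares[4])])
    print(u.master_key == key)
```

Two properties fall out of the code that matter operationally: a sub-threshold set of shares returns a perfectly plausible but wrong value rather than an error, so share custody is the only thing standing between an attacker with the storage backend and the key, and submitting the same share twice never advances the count, which is why the shares must be distributed to different holders rather than copied.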

Does Vault support Kubernetes?

Yes. Vault has a Kubernetes auth method that lets pods authenticate using their service account tokens. The Vault Agent Injector automatically injects secrets into pod containers as files or environment variables without application changes.

Is Vault free?

Vault is open source under the BSL license (formerly MPL). The core features including secrets engines, auth methods, and policies are free. HashiCorp offers Vault Enterprise and HCP Vault (managed) with additional features like namespaces, replication, and HSM support.
