Introduction to Hashicorp Vault

Features of Hashicorp Vault

• Secured Secrets: Secrets can be stored in Vault as key/value pair. Vault encrypts the secrets before storing them.
• Can generate secrets: Vault has various APIs that integrate well with other authentication managers and so can generate secrets on demand for the applications. Such as to access AWS or SQL database. 
• Secrets Expiry and Renewal: Secrets in Vault have expiry dates. Clients can extend the date using built in APIs. Secrets can also be set up to renew automatically.
• Secrets Revocation: Vault can revoke the secrets to prevent security attacks.
• Available as Open Source, Enterprise and cloud hosted versions.

How does the Vault work

• Authentication: Users/Applications that want to access Vault are authenticated using one of various supported methods such as user name/password, RoleId & Secret ID, TLS certificate or trusted third party authentication.
• Authorization against Policy and Token generation: The authenticated clients are matched against the policies. A token is generated and linked to the policies to which client has access to. Token is then provided to the client in response. The token has a validity period.
• Client Accessing Secrets: Using the provided token and secrets path clients call the Vault. Vault matches the token against the secret paths it has access to and accordingly returns the key/value pair from the secrets path.