Learn about secrets management and data protection with HashiCorp Vault

Advanced Tracks

Secrets Management

Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.

Tokens and Leases

10 min. Tokens are the core method for authentication within Vault. For every authentication token and dynamic secret, Vault creates a lease containing information such as duration, renewability, and more. Understanding the lifecycle of leases means understanding the lifecycle of tokens in some sense.

[Vault 1.0.0 Beta] Tokens

10 min. Tokens are the core method for authentication within Vault. For every authentication token and dynamic secret, Vault creates a lease containing information such as duration, renewability, and more. This guide helps you understand the lifecycle of tokens.

Static Secrets: Key/Value Secret Engine

10 min. Vault supports generating new unseal keys as well as rotating the underlying encryption keys. This guide covers rekeying and rotating Vault's encryption keys.

Versioned Key/Value Secret Engine

10 min. Vault 0.10.0 introduced version 2 of the key-value secret engine, which supports versioning your secrets so that you can undo the accidental deletion of secrets or compare different versions of a secret.

Cubbyhole Response Wrapping

10 min. Vault provides the capability to wrap the Vault response and store it in a cubbyhole where the holder of the one-time use wrapping token can unwrap it to uncover the secret.

Secrets as a Service: Dynamic Secrets

10 min. Vault can dynamically generate secrets on demand for some systems.

Database Root Credential Rotation

10 min. Vault enables the combined database secret engines to automate the rotation of root credentials.

Build Your Own Certificate Authority (CA)

10 min. The PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.

SSH Secrets Engine: One-Time SSH Password

10 min. The one-time SSH password secrets engine allows Vault to issue a one-time password (OTP) every time a client wants to SSH into a remote host using a helper command on the remote host to perform verification.

Building Plugin Backends

10 min. Learn how to build, register, and mount a custom plugin backend.

Looking for specific Vault information? The Vault documentation provides reference material and in-depth details on:

Internals, Concepts, Configuration, CLI, Secrets Engines, Authentication Methods, Audit Devices, Plugins