Learn about secrets management and data protection with HashiCorp Vault
Getting Started
Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. Get started here.
Run Vault on Kubernetes
Vault deployments on Kubernetes offer all the valuable benefits of Vault. Get started with Vault on Kubernetes here.
Vault Installation to Minikube via Helm
40 minDeploy Vault on Kubernetes locally using Minikube with the official Helm chart.
Injecting Secrets into Kubernetes Pods via Vault Helm Sidecar
40 minDeploy Vault-unaware applications on Kubernetes that consume Vault Secrets.
Vault on Kubernetes Reference Architecture
8 minThis document is a Reference Architecture for a supportable and "best practices" deployment of HashiCorp Vault on the Kubernetes cluster scheduler.
Vault on Kubernetes Security Considerations
10 minSecurity concerns around Vault running on Kubernetes.
Product Certification Exam Prep
Study and review guides for the HashiCorp Certified: Vault Associate exam.
Vault Installation to Minikube via Helm
40 minDeploy Vault on Kubernetes locally using Minikube with the official Helm chart.
Injecting Secrets into Kubernetes Pods via Vault Helm Sidecar
40 minDeploy Vault-unaware applications on Kubernetes that consume Vault Secrets.
Vault on Kubernetes Reference Architecture
8 minThis document is a Reference Architecture for a supportable and "best practices" deployment of HashiCorp Vault on the Kubernetes cluster scheduler.
Vault on Kubernetes Security Considerations
10 minSecurity concerns around Vault running on Kubernetes.
Operations and Development Tracks
Tech Preview / Beta
Introducing new features that are currently in Tech Preview or Beta mode.
Day 1: Deploying Your First Vault Cluster
This learning path is designed to help you deploy your first Vault cluster. If you are responsible for setting up and maintaining a healthy cluster, this learning path will help you do so successfully.
Day 1 Introduction
2 minThis learning path is designed to help you deploy your first Vault cluster.
Vault Reference Architecture
8 minThis guide provides guidance in the best practices of Vault implementations through use of a reference architecture.
Production Hardening
10 minThis guide provides guidance on best practices for a production hardened deployment of HashiCorp Vault.
Vault Deployment Guide
10 minThis deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the Vault Reference Architecture
Vault High Availability with Consul
10 minThis guide will walk you through a simple Vault Highly Available (HA) cluster implementation. While this is not an exhaustive or prescriptive guide that can be used as a drop-in production example, it covers the basics enough to inform your own production setup.
Secrets Management
Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret while providing tight access control and recording a detailed audit log.
Introduction
2 minThis learning path provides tutorials for a number of Vault secrets engines.
Static Secrets: Key/Value Secrets Engine
10 minVault supports generating new unseal keys as well as rotating the underlying encryption keys. This guide covers rekeying and rotating Vault's encryption keys.
Versioned Key/Value Secrets Engine
10 minVault 0.10.0 introduced version 2 of the key-value secrets engine which supports versioning your secrets so that you can undo the accidental deletion of secrets or compare different versions of a secret.
Cubbyhole Response Wrapping
10 minVault provides the capability to wrap the Vault response and store it in a cubbyhole where the holder of the one-time use wrapping token can unwrap it to uncover the secret.
Secrets as a Service: Dynamic Secrets
10 minVault can dynamically generate secrets on-demand for some systems.
Data Encryption
Vault provides Encryption as a Service (EaaS) to enable security teams to fortify data during transit and at rest. So even if an intrusion occurs, your data is encrypted and the attacker would never get a hold of the raw data.
Introduction
2 minThis learning path provides tutorials for using Vault as a encryption service provider in your organization.
Encryption as a Service: Transit Secrets Engine
10 minHashiCorp Vault's transit secrets engine handles cryptographic functions on data in-transit. It can also be understood as encryption as a service.
Transit Secrets Re-wrapping
10 minThe goal of this guide is to demonstrate one possible way to re-wrap data after rotating an encryption key in the transit engine in Vault.
Java Application Demo
15 minThis guide discusses the concepts necessary to help users understand Vault's AppRole authentication pattern and how to use it to securely introduce a Vault authentication token to a target server, application, container, etc. in a Java environment.
[Enterprise] HSM Integration - Seal Wrap
10 minThis guide demonstrates how Vault's seal wrap feature works to encrypt your secrets leveraging FIPS 140-2 certified HSM.
Access Management
This learning path guides you through the access management topics including policy authoring, authentication, identity, and secure introduction of Vault clients.
Introduction
2 minThis learning path provides tutorials for writing Vault policies as well as working with a various authentication methods.
Vault Policies
10 minPolicies provide a declarative way to grant or forbid access to certain paths and operations in Vault. This guide walks through policy creation workflows.
Identity: Entities and Groups
10 minThis guide demonstrates the commands to create entities, entity aliases, and groups. For the purpose of the demonstration, the userpass auth method will be used.
ACL Policy Path Templating
10 minAs of 0.11, ACL policies support templating to allow non-static policy paths.
[Enterprise] Sentinel Policies
10 minVault Enterprise supports Sentinel to provide a rich set of access control functionality. This guide walks through the creation and use of role governing policies (RGPs) and endpoint governing policies (EGPs).
Monitoring & Troubleshooting
This learning path provides Vault monitoring and troubleshooting guides.
Troubleshooting Vault
10 minThis guide walks you through a few general approaches to finding errors and troubleshooting Vault. You will learn the difference between audit and operational logs, and how to approach rooting out a bug.
[Enterprise] Monitoring Vault Replication
15 minLearn how to check the health of your Vault replication setup and troubleshoot if a problem occurs.
Vault Cluster Monitoring
30 minThis guide walks you through how to monitor Vault with Consul as its storage backend. You will learn how to configure Vault and Consul to send telemetry to a monitoring agent, and which key metrics to pay attention.
Security
This learning path focuses on the topics that are related to tightening the access to secrets managed by Vault. This includes Entities & Groups, Control Groups, Mount Filters, and Namespaces.
Tokens
10 minTokens are the core method for authentication within Vault. For every authentication token and dynamic secret, Vault creates a lease containing information such as duration, renewability, and more. This guide helps you understand the lifecycle of tokens.
Secure Introduction of Vault Clients
10 minThis introductory guide walk through the mechanism of Vault clients to authenticate with Vault. There are two approaches at a high-level: platform integration, and trusted orchestrator.
AppRole With Terraform & Chef
20 minThis guide discusses the concepts necessary to help users understand Vault's AppRole authentication pattern and how to use it to securely introduce a Vault authentication token to a target server, application, or container.
[Enterprise] KMIP Secrets Engine
8 minVault 1.2 introduced a Key Management Interoperability Protocol (KMIP) secrets engine which allows Vault to serve as a KMIP server.
Build Your Own Certificate Authority (CA)
10 minThe PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.
Operations
This learning path is designed for the operations professional who will stand up Vault and manage certificates, replication, user accounts, and more.
Vault Reference Architecture
8 minThis guide provides guidance in the best practices of Vault implementations through use of a reference architecture.
Production Hardening
10 minThis guide provides guidance on best practices for a production hardened deployment of HashiCorp Vault.
Vault Deployment Guide
10 minThis deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the Vault Reference Architecture
Vault High Availability with Consul
10 minThis guide will walk you through a simple Vault Highly Available (HA) cluster implementation. While this is not an exhaustive or prescriptive guide that can be used as a drop-in production example, it covers the basics enough to inform your own production setup.
[BETA] Vault HA Cluster with Integrated Storage
30 minA storage backend is responsible for providing durable storage of encrypted data. Vault supports a number of configurable storage options (e.g. Consul, Cassandra, MySQL, etc.). Vault's integrated storage is introduced as a new storage directly implemented within Vault.
Developer
This learning path is designed for developers who are integrating their systems with Vault to protect their sensitive data.
Tokens
10 minTokens are the core method for authentication within Vault. For every authentication token and dynamic secret, Vault creates a lease containing information such as duration, renewability, and more. This guide helps you understand the lifecycle of tokens.
Static Secrets: Key/Value Secrets Engine
10 minVault supports generating new unseal keys as well as rotating the underlying encryption keys. This guide covers rekeying and rotating Vault's encryption keys.
Versioned Key/Value Secrets Engine
10 minVault 0.10.0 introduced version 2 of the key-value secrets engine which supports versioning your secrets so that you can undo the accidental deletion of secrets or compare different versions of a secret.
Cubbyhole Response Wrapping
10 minVault provides the capability to wrap the Vault response and store it in a cubbyhole where the holder of the one-time use wrapping token can unwrap it to uncover the secret.
Secrets as a Service: Dynamic Secrets
10 minVault can dynamically generate secrets on-demand for some systems.
Day 1 Introduction
2 minThis learning path is designed to help you deploy your first Vault cluster.
Vault Reference Architecture
8 minThis guide provides guidance in the best practices of Vault implementations through use of a reference architecture.
Production Hardening
10 minThis guide provides guidance on best practices for a production hardened deployment of HashiCorp Vault.
Vault Deployment Guide
10 minThis deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the Vault Reference Architecture
Vault High Availability with Consul
10 minThis guide will walk you through a simple Vault Highly Available (HA) cluster implementation. While this is not an exhaustive or prescriptive guide that can be used as a drop-in production example, it covers the basics enough to inform your own production setup.
Introduction
2 minThis learning path provides tutorials for a number of Vault secrets engines.
Static Secrets: Key/Value Secrets Engine
10 minVault supports generating new unseal keys as well as rotating the underlying encryption keys. This guide covers rekeying and rotating Vault's encryption keys.
Versioned Key/Value Secrets Engine
10 minVault 0.10.0 introduced version 2 of the key-value secrets engine which supports versioning your secrets so that you can undo the accidental deletion of secrets or compare different versions of a secret.
Cubbyhole Response Wrapping
10 minVault provides the capability to wrap the Vault response and store it in a cubbyhole where the holder of the one-time use wrapping token can unwrap it to uncover the secret.
Secrets as a Service: Dynamic Secrets
10 minVault can dynamically generate secrets on-demand for some systems.
Introduction
2 minThis learning path provides tutorials for using Vault as a encryption service provider in your organization.
Encryption as a Service: Transit Secrets Engine
10 minHashiCorp Vault's transit secrets engine handles cryptographic functions on data in-transit. It can also be understood as encryption as a service.
Transit Secrets Re-wrapping
10 minThe goal of this guide is to demonstrate one possible way to re-wrap data after rotating an encryption key in the transit engine in Vault.
Java Application Demo
15 minThis guide discusses the concepts necessary to help users understand Vault's AppRole authentication pattern and how to use it to securely introduce a Vault authentication token to a target server, application, container, etc. in a Java environment.
[Enterprise] HSM Integration - Seal Wrap
10 minThis guide demonstrates how Vault's seal wrap feature works to encrypt your secrets leveraging FIPS 140-2 certified HSM.
Introduction
2 minThis learning path provides tutorials for writing Vault policies as well as working with a various authentication methods.
Vault Policies
10 minPolicies provide a declarative way to grant or forbid access to certain paths and operations in Vault. This guide walks through policy creation workflows.
Identity: Entities and Groups
10 minThis guide demonstrates the commands to create entities, entity aliases, and groups. For the purpose of the demonstration, the userpass auth method will be used.
ACL Policy Path Templating
10 minAs of 0.11, ACL policies support templating to allow non-static policy paths.
[Enterprise] Sentinel Policies
10 minVault Enterprise supports Sentinel to provide a rich set of access control functionality. This guide walks through the creation and use of role governing policies (RGPs) and endpoint governing policies (EGPs).
Troubleshooting Vault
10 minThis guide walks you through a few general approaches to finding errors and troubleshooting Vault. You will learn the difference between audit and operational logs, and how to approach rooting out a bug.
[Enterprise] Monitoring Vault Replication
15 minLearn how to check the health of your Vault replication setup and troubleshoot if a problem occurs.
Vault Cluster Monitoring
30 minThis guide walks you through how to monitor Vault with Consul as its storage backend. You will learn how to configure Vault and Consul to send telemetry to a monitoring agent, and which key metrics to pay attention.
Tokens
10 minTokens are the core method for authentication within Vault. For every authentication token and dynamic secret, Vault creates a lease containing information such as duration, renewability, and more. This guide helps you understand the lifecycle of tokens.
Secure Introduction of Vault Clients
10 minThis introductory guide walk through the mechanism of Vault clients to authenticate with Vault. There are two approaches at a high-level: platform integration, and trusted orchestrator.
AppRole With Terraform & Chef
20 minThis guide discusses the concepts necessary to help users understand Vault's AppRole authentication pattern and how to use it to securely introduce a Vault authentication token to a target server, application, or container.
[Enterprise] KMIP Secrets Engine
8 minVault 1.2 introduced a Key Management Interoperability Protocol (KMIP) secrets engine which allows Vault to serve as a KMIP server.
Build Your Own Certificate Authority (CA)
10 minThe PKI secrets engine generates dynamic X.509 certificates. With this secrets engine, services can get certificates without going through the usual manual process of generating a private key and CSR, submitting to a CA, and waiting for a verification and signing process to complete. Vault's built-in authentication and authorization mechanisms provide the verification functionality.
Vault Reference Architecture
8 minThis guide provides guidance in the best practices of Vault implementations through use of a reference architecture.
Production Hardening
10 minThis guide provides guidance on best practices for a production hardened deployment of HashiCorp Vault.
Vault Deployment Guide
10 minThis deployment guide covers the steps required to install and configure a single HashiCorp Vault cluster as defined in the Vault Reference Architecture
Vault High Availability with Consul
10 minThis guide will walk you through a simple Vault Highly Available (HA) cluster implementation. While this is not an exhaustive or prescriptive guide that can be used as a drop-in production example, it covers the basics enough to inform your own production setup.
[BETA] Vault HA Cluster with Integrated Storage
30 minA storage backend is responsible for providing durable storage of encrypted data. Vault supports a number of configurable storage options (e.g. Consul, Cassandra, MySQL, etc.). Vault's integrated storage is introduced as a new storage directly implemented within Vault.
Tokens
10 minTokens are the core method for authentication within Vault. For every authentication token and dynamic secret, Vault creates a lease containing information such as duration, renewability, and more. This guide helps you understand the lifecycle of tokens.
Static Secrets: Key/Value Secrets Engine
10 minVault supports generating new unseal keys as well as rotating the underlying encryption keys. This guide covers rekeying and rotating Vault's encryption keys.
Versioned Key/Value Secrets Engine
10 minVault 0.10.0 introduced version 2 of the key-value secrets engine which supports versioning your secrets so that you can undo the accidental deletion of secrets or compare different versions of a secret.
Cubbyhole Response Wrapping
10 minVault provides the capability to wrap the Vault response and store it in a cubbyhole where the holder of the one-time use wrapping token can unwrap it to uncover the secret.
Secrets as a Service: Dynamic Secrets
10 minVault can dynamically generate secrets on-demand for some systems.
Looking for specific Vault information? The Vault documentation provides reference material and in-depth details on: