HashiCorp Developer AI Private beta now available Sign up today
HashiCorp Cloud Platform
HashiCorp Cloud Platform Home

What is HCP Vault Secrets?

HCP Vault Secrets is a SaaS platform which provides secure and simplified workflows for centralizing the storage and managment of secrets such as API keys, database credentials or other sensitive data. Organizations can easily standardize how they protect and manage access to secrets at scale while improving their overall security posture.

Access the quickstart tutorials to learn how to get up and running.

HCP Vault Secrets

Centralized secrets lifecycle management for developers.

Get Started for Free
(opens in new tab)

When should I use HCP Vault Secrets?

Whether your organization is just getting started with secrets management or looking to simplify and improve your existing secrets management processes, HCP Vault Secrets can help at any stage. HCP Vault Secrets provides a secure and flexible access control model for organizations to apply principle of least privilge access controls for secret management and access. Combining strong access control and secret lifecycle management through a single platform, organizations can ensure their secrets are protected and can easily be managed to mitigate risk associated with leaked secrets.

Use cases

HCP Vault Secrets supports the following use cases:

  • Static secrets management: Centralize management of secrets which can be stored and retrieved as key value pairs
  • Auto-rotating Secrets: Automatically manage the rotation of secrets on a set schedule or on-demand as needed
  • Dynamic Secrets: Generate unique-per-client, short-lived secrets on demand
  • Secrets Sync: Sync secrets to third-party platforms while centralizing lifecycle management
  • Workload Identity Federation: Eliminate long-lived credentials in configuration across clients and third-party integrations

Auto-rotating vs. Dynamic Secrets

Auto-rotating and Dynamic Secrets are different strategies for accomplishing the same goal: automating the management of a credential in order to scope down its lifetime and blast radius. While they share the same goal, the workflows for managing their life cycles are different. In short, Dynamic Secrets offer more security while Auto-rotating Secrets are more resilient to the third-party outages and can take advatange of the Secrets Sync feature.

For simplicity the comparisons will focus on a common use case: many copies of a software application running on a compute platform. We will call this application “payments”.

Auto-rotating Secrets

Auto-rotating Secrets are rotated on a schedule in a background job. When a rotation happens, a new credential is stored as the latest active version of the secret. At the same time an older (N - 2) version of the secret becomes inactive. If a secret sync is set up for the parent application, the Auto-rotating secret's values will also be securely synced into the configured third-party destination upon each rotation.

Diagram showing how Auto-rotating Secrets are shared by multiple instances of an application

When an instance of the payments application starts up it will pull the latest version of the secret. This secret is shared with any other instance that has accessed the latest credential during the same rotation window. If the credential becomes invalid it will affect many instances of the payments application.

Pre-creating and sharing secrets amongst consumers allows for low latency and less error prone secret retrieval. A temporary outage of our rotation mechanisms or a third-party credential provider will delay new credentials from being created but existing ones will still be active. Since rotation periods are likely to be in the days or months range, auditing historical secret values becomes easier.

Dynamic Secrets

Dynamic Secrets are generated just-in-time upon retrieval. A unique short-lived credential is returned to each requestor. Therefore, every instance of the payments application will have a different credential with a differerent expiration time. Since these credentials cannot be shared, they also cannot be synced to other destinations.

Diagram showing how Dynamic Secrets are unique per instance of an application

The just-in-time nature of these credentials adds a security benefit -- they are isolated to a single caller and can have a shorter time-to-live. If a credential is leaked it is traceable back to the application instance that requested it, giving additional traceability to forensic investigations.

Compared with Auto-rotating Secrets there may be orders of magnitude more credentials generated and revoked making it harder to audit and store all past historical secret values. Additionally, on-demand credential creation adds latency to the retrieval requests. If the downstream issuing service (provider) has an outage, HCP Vault Secrets may be temporarily unable to mint new secret values.

HCP Vault Secrets vs. HCP Vault Dedicated

HCP Vault Secrets is a multi-tenant, SaaS platform providing teams secure and simplified workflows for secret lifecycle management. Manage and integrate secrets where you need them across your applications and infrastructure.

HCP Vault Dedicated provides single-tenant, managed Vault Enterprise clusters. HCP manages the provisioning, operations, and maintenance of the cluster allowing organizations the flexibility to establish consistent identity based access workflows for secret access and data protection needs.