vault
A tool for secrets management, encryption as a service, and privileged access management
A secrets manager that stores API keys and passwords in encrypted form, generates temporary credentials on demand, and logs every access, so you never have long-lived secrets sitting around.
Vault is a tool for managing secrets in software systems. A secret is any sensitive piece of information that your application needs — database passwords, API keys for third-party services, TLS certificates, SSH keys, and similar credentials. In a modern application with many services and environments, keeping track of all these secrets, controlling who can access which one, rotating them regularly, and knowing when they were accessed becomes extremely difficult without a dedicated tool. That is exactly what Vault provides.
Vault stores secrets in encrypted form so that accessing the raw storage (the files on disk) does not expose the secrets. It can also generate secrets dynamically on demand — for example, when an application needs database access, it can ask Vault for credentials, and Vault creates temporary database credentials on the fly, valid only for a short time before automatically expiring. This replaces long-lived credentials, which can leak, with safer short-lived ones.
Vault also provides encryption as a service: your application can send data to Vault to be encrypted or decrypted without Vault storing the data, which lets you add encryption to your application without building cryptographic infrastructure yourself. Every secret access is logged for auditing purposes, and secrets can be quickly revoked if a system is compromised.
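The encrypt/decrypt round trip described above, sketched as a small client for Vault's HTTP API. This is an added example, not code from the Vault project; it assumes the transit secrets engine is mounted at the default path "transit", and the key name "app-key", the sample plaintext, and the local address are constructed for illustration.

```python
import base64
import json
import os
import urllib.request

VAULT_ADDR = os.environ.get("VAULT_ADDR", "http://127.0.0.1:8200")  # assumed address


def transit_request(op, key_name, field, value, token, addr=VAULT_ADDR):
    """Build the POST for transit/<op>/<key_name>; mount path 'transit' is assumed."""
    if op not in ("encrypt", "decrypt"):
        raise ValueError("op must be 'encrypt' or 'decrypt'")
    return urllib.request.Request(
        f"{addr}/v1/transit/{op}/{key_name}",
        data=json.dumps({field: value}).encode(),
        method="POST",
        headers={"X-Vault-Token": token, "Content-Type": "application/json"},
    )


def encrypt_request(key_name, plaintext: bytes, token, addr=VAULT_ADDR):
    # Plaintext travels base64-encoded so arbitrary bytes survive JSON.
    b64 = base64.b64encode(plaintext).decode()
    return transit_request("encrypt", key_name, "plaintext", b64, token, addr)


def decrypt_request(key_name, ciphertext: str, token, addr=VAULT_ADDR):
    # Transit ciphertext has the form "vault:v<key version>:<base64>".
    if not ciphertext.startswith("vault:v"):
        raise ValueError("not a Vault transit ciphertext")
    return transit_request("decrypt", key_name, "ciphertext", ciphertext, token, addr)


def response_field(body: bytes, field: str) -> str:
    """Pull one field out of the 'data' object of a transit response."""
    return json.loads(body)["data"][field]


def send(req) -> bytes:
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


if __name__ == "__main__":  # needs a reachable Vault and a token allowed to use the key
    token, key = os.environ["VAULT_TOKEN"], "app-key"  # "app-key" is a constructed name
    ct = response_field(send(encrypt_request(key, b"card=4111", token)), "ciphertext")
    pt = base64.b64decode(response_field(send(decrypt_request(key, ct, token)), "plaintext"))
    print(ct, pt)  # the application stores only ct; Vault stores neither value
```

The application keeps the returned ciphertext in its own database; the key itself never leaves Vault, so access to decryption is governed by the token's policy and shows up in the audit log.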
Vault is aimed at operations teams, security engineers, and developers whose systems need to handle secrets securely, especially in cloud environments, microservices architectures, or CI/CD pipelines. It is written in Go and is available as a standalone binary or via Docker.
Where it fits
- Replace hardcoded database passwords in your app with short-lived credentials Vault generates on demand and auto-expires.
- Store all API keys for a microservices architecture in one encrypted place with per-service access controls.
- Add encryption to your app by sending data to Vault to encrypt/decrypt without building your own cryptographic system.