Vault (HashiCorp) - Secret Management
Basic Information
- Product Name: HashiCorp Vault
- Company/Organization: HashiCorp (Acquired by IBM for $6.4 billion in February 2025)
- Country/Region: USA
- Official Website: https://www.hashicorp.com/en/products/vault
- GitHub: https://github.com/hashicorp/vault
- Type: Identity-driven secret management platform
- License: BSL 1.1 (Business Source License) / Community Edition MPL 2.0
- First Release: 2015
Product Description
HashiCorp Vault is an identity-driven secret management tool that provides secure storage, dynamic secrets, data encryption, and identity-based access control. It allows centralized management of API keys, passwords, certificates, and other sensitive data, and automates the creation, usage, expiration, and rotation of secrets through a single API.
Core Features/Characteristics
- Secret Storage: Secure storage and access to API keys, passwords, certificates, etc.
- Dynamic Secrets: Automatically generates temporary credentials for databases and cloud services, which are revoked upon expiration
- Data Encryption: Encryption as a Service (EaaS), where Vault encrypts and decrypts data for applications without storing the data itself
- Authentication: Multiple authentication methods (LDAP, OIDC, AWS IAM, Kubernetes, etc.)
- Audit Logging: Detailed access audit records
- Secret Rotation: Automated secret rotation policies
- Namespaces: Multi-tenant isolation
- High Availability: Supports cluster deployment and disaster recovery
Business Model
Open-source community edition + commercial licensing (HCP Vault Dedicated / Enterprise).
Pricing (March 2026)
- Community Edition: Free (self-hosted, core features)
- HCP Vault Dedicated: Starting at $360/month (managed cluster)
- Enterprise: Custom pricing (depends on deployment scale and number of customers)
- Enterprise customers typically receive discounts ranging from 28% to 74%
- Note: HCP Vault Secrets (SaaS version) was discontinued in mid-2025
Target Users
- DevOps and platform engineering teams
- Enterprises requiring centralized secret management
- Industries with high compliance requirements (finance, healthcare, etc.)
- Cloud-native and Kubernetes environments
Relationship with OpenClaw
- API Key Security: Secure storage of LLM API keys (Anthropic, OpenAI, etc.)
- Dynamic Credentials: Generates temporary credentials for OpenClaw's database connections
- Encryption Services: Encrypts sensitive user data stored by OpenClaw
- Audit Compliance: Logs all secret access activities
For individual users, Vault may be overly complex, making lighter solutions like SOPS or Age more suitable.
Advantages
- Industry-standard secret management solution
- Rich authentication and authorization mechanisms
- Dynamic secrets significantly reduce the risk of leaks
- Extensive ecosystem integration
- IBM support (post-acquisition)
Limitations
- High deployment and operational complexity
- License change from MPL to BSL sparked community controversy
- Overly heavyweight for individuals or small teams
- HCP Vault Secrets (lightweight SaaS version) discontinued
- High cost (Enterprise edition)
Competitor Comparison
| Feature | Vault | AWS Secrets Manager | Infisical | Doppler |
|---|---|---|---|---|
| Self-Hosted | Yes | No | Yes | No |
| Open Source | Partial (BSL) | No | Yes (MIT) | No |
| Dynamic Secrets | Yes | Limited | Limited | No |
| Complexity | High | Low | Medium | Low |
| Price | Free-High | Pay-as-you-go | Free-Medium | Starting at $4/user |