Secrets Management Provider: HashiCorp

HashiCorp Vault

HashiCorp Vault is an identity-based secrets and encryption management system, launched in 2015. Vault centrally manages secrets (API keys, passwords, certificates) and adds dynamic secrets generation, encryption as a service, and fine-grained access control. As of October 2025, Vault is the industry standard for secrets management, used by Fortune 500 companies to protect sensitive data in cloud and on-premises environments. For AI systems: secure LLM API keys, manage database credentials, rotate secrets automatically, and audit all access. Key features: dynamic secrets, secret versioning, encryption APIs, PKI certificate management, Kubernetes integration. Open source (MPL 2.0) with enterprise features (HSM, DR replication, namespaces).

secrets-management security devops encryption

Overview

Vault addresses secrets sprawl: credentials hardcoded in source, scattered across environment variables and config files. Its answer is centralized secrets storage with encryption at rest (AES-256-GCM), path-based access policies, audit logging, and dynamic secrets. With dynamic secrets, Vault generates short-lived credentials on demand (database passwords valid for 1 hour, AWS keys for 15 minutes), so a leaked credential is useful to an attacker only until its lease expires. Benefits: reduced attack surface, automatic rotation, and an audit trail tying every credential to the identity that requested it. For AI: store OpenAI/Anthropic API keys securely, generate temporary database credentials for training data access, encrypt PII before storing it in vector databases, and manage TLS certificates for LLM serving endpoints. Vault integrates with Kubernetes, AWS, GCP and Azure for secrets injection.

Key Features

  • Dynamic secrets: Generate short-lived credentials automatically
  • Secret versioning: Track changes, rollback to previous versions
  • Encryption as a service: Encrypt/decrypt data without storing keys
  • Leasing & renewal: All secrets have TTL, automatic rotation
  • Audit logging: Comprehensive audit trail of all operations
  • Access policies: Fine-grained ACL with path-based permissions
  • Multiple auth methods: Token, LDAP, GitHub, Kubernetes, AWS IAM
  • Secrets engines: KV store, databases, AWS, PKI, SSH, transit encryption
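The dynamic-secrets and leasing bullets above describe a lifecycle (issue, renew before the TTL runs out, reissue when Vault refuses renewal at max_ttl, revoke on shutdown) that most client code gets wrong by treating a credential as permanent. The following is an added example, not code from Vault or hvac: it wraps the real hvac calls `secrets.database.generate_credentials`, `sys.renew_lease` and `sys.revoke_lease` in one small lifecycle class. `FakeVault` and `FakeClock` are constructed stand-ins for `hvac.Client` and `time.monotonic` so it runs offline, and the role name `my-role` and the 1-hour lease are assumptions.

```python
"""Lease-aware dynamic DB credentials: renew before expiry, reissue when renewal is
refused, revoke on shutdown. Added example; FakeVault and FakeClock are constructed
stand-ins for hvac.Client and time.monotonic so the module runs offline."""
import time
import types
from dataclasses import dataclass


@dataclass
class DbCredential:
    username: str
    password: str
    lease_id: str
    ttl: int           # lease_duration Vault reported, in seconds
    expires_at: float  # clock value after which Vault will have dropped the DB user


class LeasedCredentials:
    """Wraps generate_credentials / renew_lease / revoke_lease into one lifecycle."""

    def __init__(self, client, role, refresh_margin=0.2, clock=time.monotonic):
        self.client = client
        self.role = role                      # Vault database role (database/roles/<role>)
        self.refresh_margin = refresh_margin  # renew once this fraction of the TTL is left
        self.clock = clock
        self._cred = None
        self.events = []                      # local record of issue/renew/revoke actions

    def _issue(self):
        resp = self.client.secrets.database.generate_credentials(name=self.role)
        ttl = resp['lease_duration']
        self._cred = DbCredential(resp['data']['username'], resp['data']['password'],
                                  resp['lease_id'], ttl, self.clock() + ttl)
        self.events.append(('issued', self._cred.lease_id))

    def _revoke(self, cred):
        # Revoking the lease makes Vault delete the DB user now, not at TTL expiry
        self.client.sys.revoke_lease(cred.lease_id)
        self.events.append(('revoked', cred.lease_id))

    def _rotate(self):
        old = self._cred
        self._issue()          # obtain the replacement first ...
        if old is not None:
            self._revoke(old)  # ... then retire the old user

    def get(self):
        """Return a credential that is valid now, renewing or reissuing as needed."""
        now = self.clock()
        if self._cred is None or now >= self._cred.expires_at:
            self._rotate()
            return self._cred
        if self._cred.expires_at - now < self.refresh_margin * self._cred.ttl:
            try:
                resp = self.client.sys.renew_lease(self._cred.lease_id, increment=self._cred.ttl)
                self._cred.expires_at = now + resp['lease_duration']
                self.events.append(('renewed', self._cred.lease_id))
            except Exception:  # hvac raises hvac.exceptions.VaultError, e.g. once max_ttl is hit
                self._rotate()
        return self._cred

    def close(self):
        if self._cred is not None:
            self._revoke(self._cred)
            self._cred = None


class FakeVault:
    """Constructed stand-in for hvac.Client: 1h leases, each renewable once (max_ttl)."""

    def __init__(self):
        self.issued, self.renewals_left, self.revoked = 0, {}, []
        self.secrets = types.SimpleNamespace(
            database=types.SimpleNamespace(generate_credentials=self._generate))
        self.sys = types.SimpleNamespace(renew_lease=self._renew, revoke_lease=self._revoke)

    def _generate(self, name, mount_point='database'):
        self.issued += 1
        lease_id = f'{mount_point}/creds/{name}/lease{self.issued}'
        self.renewals_left[lease_id] = 1
        return {'lease_id': lease_id, 'lease_duration': 3600,
                'data': {'username': f'v-token-{name}-{self.issued}',
                         'password': 'constructed-password'}}

    def _renew(self, lease_id, increment=None):
        if self.renewals_left[lease_id] == 0:
            raise RuntimeError('lease has reached max_ttl')
        self.renewals_left[lease_id] -= 1
        return {'lease_id': lease_id, 'lease_duration': increment or 3600}

    def _revoke(self, lease_id):
        self.revoked.append(lease_id)


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Walk one credential through issue, renew, forced reissue and shutdown."""
    vault, clock = FakeVault(), FakeClock()
    creds = LeasedCredentials(vault, 'my-role', clock=clock)
    first = creds.get()   # t=0: issued, expires at 3600
    clock.t = 3000        # 600 s left < 20 % margin (720 s): renewed, now expires at 6600
    creds.get()
    clock.t = 6000        # 600 s left again, but max_ttl refuses renewal: new user, old lease revoked
    second = creds.get()
    creds.close()         # app shutting down: revoke the live lease as well
    return {'first_user': first.username, 'second_user': second.username,
            'events': creds.events, 'revoked': vault.revoked}


if __name__ == '__main__':
    for event in demo()['events']:
        print(*event)
```

The 20 % refresh margin gives in-flight queries time to finish on the old user before it is dropped; `_rotate` issues the replacement before revoking the old lease for the same reason. Revoking on `close()` matters in the audit log too: the credential's lifetime then matches the process's, instead of lingering until the TTL runs out.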

Code Example

# HashiCorp Vault Python client (pip install hvac)
import base64
import os

import hvac

# Initialize client; take address and token from the environment
# (VAULT_ADDR / VAULT_TOKEN) rather than hardcoding a token in source
client = hvac.Client(
    url=os.environ.get('VAULT_ADDR', 'http://localhost:8200'),
    token=os.environ['VAULT_TOKEN']
)
assert client.is_authenticated()

# Store static secret (e.g., OpenAI API key) in the KV v2 engine mounted at secret/
client.secrets.kv.v2.create_or_update_secret(
    path='ai/openai',
    secret={
        'api_key': 'sk-proj-...',
        'org_id': 'org-...'
    }
)

# Read secret (KV v2 nests the payload under data.data)
secret = client.secrets.kv.v2.read_secret_version(path='ai/openai')
openai_key = secret['data']['data']['api_key']

# Use in OpenAI client
from openai import OpenAI
openai_client = OpenAI(api_key=openai_key)

# Dynamic database credentials
# Configure the Postgres connection, then a role; generate_credentials()
# is called with the role name, not the connection name
# vault write database/config/my-postgres-db \
#   plugin_name=postgresql-database-plugin \
#   allowed_roles="my-role" \
#   connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb" \
#   username="vault" password="<password of Vault's own DB account>"
# vault write database/roles/my-role \
#   db_name=my-postgres-db \
#   creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' \
#     VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
#   default_ttl="1h" max_ttl="24h"

# Generate temporary DB credentials for the role
creds = client.secrets.database.generate_credentials(name='my-role')
db_username = creds['data']['username']  # e.g., v-token-my-role-8h3kj2
db_password = creds['data']['password']
lease_id = creds['lease_id']              # keep it: needed to renew or revoke the lease
lease_duration = creds['lease_duration']  # 3600 seconds

print(f"DB user: {db_username}, valid for {lease_duration}s")

# Use temporary credentials
import psycopg2
conn = psycopg2.connect(
    host="localhost",
    database="mydb",
    user=db_username,
    password=db_password
)
# ... run queries ...
conn.close()
client.sys.revoke_lease(lease_id)  # drop the DB user now instead of waiting for the TTL

# Encryption as a service (Transit engine)
# Encrypt PII before storing; Transit takes and returns base64-encoded plaintext
plaintext = "user@example.com"
encrypted = client.secrets.transit.encrypt_data(
    name='my-key',
    plaintext=base64.b64encode(plaintext.encode()).decode()
)
ciphertext = encrypted['data']['ciphertext']  # vault:v1:8SDd3WHDOjf...

# Decrypt when needed
decrypted = client.secrets.transit.decrypt_data(
    name='my-key',
    ciphertext=ciphertext
)
original = base64.b64decode(decrypted['data']['plaintext']).decode()

# Kubernetes integration (Vault Agent injector renders secrets into the pod)
# apiVersion: v1
# kind: Pod
# metadata:
#   annotations:
#     vault.hashicorp.com/agent-inject: "true"
#     # KV v2 is addressed by its API path, i.e. with /data/ after the mount
#     vault.hashicorp.com/agent-inject-secret-openai: "secret/data/ai/openai"
#     # Without a template the file contains Go's map[...] formatting; render only the key
#     vault.hashicorp.com/agent-inject-template-openai: |
#       {{- with secret "secret/data/ai/openai" -}}{{ .Data.data.api_key }}{{- end -}}
#     vault.hashicorp.com/role: "my-app"
# spec:
#   serviceAccountName: my-app
#   containers:
#   - name: app
#     image: myapp:latest
#     # Secret available at /vault/secrets/openai

Vault for AI Systems

  • LLM API keys: Store OpenAI, Anthropic, Cohere keys securely
  • Training data access: Dynamic DB credentials for accessing training datasets
  • Model serving: Inject secrets into serving containers (Kubernetes sidecar)
  • PII encryption: Use transit engine to encrypt sensitive data before storage
  • Certificate management: TLS certs for LLM API endpoints (auto-renewal)
  • Multi-cloud: Manage credentials across AWS, GCP, Azure consistently
  • Audit compliance: Meet GDPR/SOC2 requirements with comprehensive audit logs
  • Secret rotation: Automatically rotate API keys, DB passwords on schedule
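The PII-encryption and secret-rotation bullets above meet in one operational question: after a Transit key is rotated, what happens to the ciphertexts already sitting in the vector database? The following is an added example, not Vault's or hvac's code. It shows the base64 framing Transit requires, reads the key version out of the `vault:v<N>:` ciphertext prefix, rewraps stale records server-side with `rewrap_data` (the plaintext never reaches the client), and only then raises `min_decryption_version` so the retired key version can no longer decrypt anything. `FakeTransit` is a constructed stand-in for `client.secrets.transit` that does no real encryption, and the key name `pii-key` and sample PII are constructed.

```python
"""Transit key rotation for stored PII: base64 framing, detecting ciphertexts made
under an old key version, server-side rewrap, then raising min_decryption_version.
Added example; FakeTransit is a constructed stand-in for client.secrets.transit so the
module runs offline, and it does not actually encrypt anything."""
import base64
import types


def transit_encrypt(client, key, text):
    """Transit expects base64 plaintext; the key never leaves Vault."""
    b64 = base64.b64encode(text.encode()).decode()
    return client.secrets.transit.encrypt_data(name=key, plaintext=b64)['data']['ciphertext']


def transit_decrypt(client, key, ciphertext):
    b64 = client.secrets.transit.decrypt_data(name=key, ciphertext=ciphertext)['data']['plaintext']
    return base64.b64decode(b64).decode()


def ciphertext_key_version(ciphertext):
    """Parse the key version from Vault's 'vault:v<N>:<data>' ciphertext framing."""
    parts = ciphertext.split(':', 2)
    if len(parts) != 3 or parts[0] != 'vault' or not parts[1].startswith('v'):
        raise ValueError('not a Vault Transit ciphertext')
    return int(parts[1][1:])


def rewrap_stale(client, key, ciphertexts):
    """Re-encrypt records made under an older key version. Rewrap happens inside
    Vault, so the plaintext is never exposed to this client."""
    latest = client.secrets.transit.read_key(name=key)['data']['latest_version']
    out, rewrapped = [], 0
    for ct in ciphertexts:
        if ciphertext_key_version(ct) < latest:
            ct = client.secrets.transit.rewrap_data(name=key, ciphertext=ct)['data']['ciphertext']
            rewrapped += 1
        out.append(ct)
    return out, rewrapped


class FakeTransit:
    """Constructed stand-in: stores the base64 plaintext reversibly, tagged with the key version."""

    def __init__(self):
        self.latest_version = 1
        self.min_decryption_version = 1

    def encrypt_data(self, name, plaintext, mount_point='transit'):
        body = base64.b64encode(f'{name}|{plaintext}'.encode()).decode()
        return {'data': {'ciphertext': f'vault:v{self.latest_version}:{body}'}}

    def _open(self, ciphertext):
        if ciphertext_key_version(ciphertext) < self.min_decryption_version:
            raise RuntimeError('key version below min_decryption_version')  # hvac: InvalidRequest
        return base64.b64decode(ciphertext.split(':', 2)[2]).decode().split('|', 1)[1]

    def decrypt_data(self, name, ciphertext, mount_point='transit'):
        return {'data': {'plaintext': self._open(ciphertext)}}

    def rewrap_data(self, name, ciphertext, mount_point='transit'):
        return self.encrypt_data(name, self._open(ciphertext))

    def rotate_key(self, name, mount_point='transit'):
        self.latest_version += 1

    def read_key(self, name, mount_point='transit'):
        return {'data': {'latest_version': self.latest_version,
                         'min_decryption_version': self.min_decryption_version}}

    def update_key_configuration(self, name, min_decryption_version=None, mount_point='transit'):
        if min_decryption_version is not None:
            self.min_decryption_version = min_decryption_version


def demo():
    client = types.SimpleNamespace(secrets=types.SimpleNamespace(transit=FakeTransit()))
    key = 'pii-key'
    stored = [transit_encrypt(client, key, 'user@example.com'),
              transit_encrypt(client, key, '+1-555-0100')]   # constructed sample PII
    stale_copy = stored[0]                                    # what an old backup would hold
    client.secrets.transit.rotate_key(name=key)               # key is now at v2
    stored.append(transit_encrypt(client, key, 'alice'))      # new record, written under v2
    stored, rewrapped = rewrap_stale(client, key, stored)
    # Only once every live record is on v2 is it safe to retire v1
    client.secrets.transit.update_key_configuration(name=key, min_decryption_version=2)
    try:
        transit_decrypt(client, key, stale_copy)
        stale_rejected = False
    except Exception:  # real hvac raises hvac.exceptions.InvalidRequest here
        stale_rejected = True
    return {'rewrapped': rewrapped,
            'versions': [ciphertext_key_version(c) for c in stored],
            'plaintexts': [transit_decrypt(client, key, c) for c in stored],
            'stale_rejected': stale_rejected}
```

The ordering is the point: rotating the key first costs nothing, rewrapping is a bulk job that can run at leisure, and raising `min_decryption_version` is the step that actually retires the old key material, so it comes last and only after a scan confirms no live ciphertext still carries the old version prefix.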

Vault vs Alternatives

  • AWS Secrets Manager: AWS-native, simpler but less flexible, $0.40/secret/month
  • Azure Key Vault: Azure-native, integrated with Azure AD, $0.03/10K operations
  • Google Secret Manager: GCP-native, good for GCP workloads, $0.06/10K operations
  • HashiCorp Vault: Multi-cloud, most features (dynamic secrets, encryption service), steeper learning curve, free (OSS) or $150+/month (Enterprise)

Choose Vault for: Multi-cloud deployments, advanced features (dynamic secrets, encryption as a service), compliance requirements. Choose cloud-native for: Single-cloud deployments, simpler setup, managed service preference.

Professional Integration Services by 21medien

21medien offers Vault implementation services including architecture design, policy configuration, secrets migration, Kubernetes integration, and compliance setup. Our team specializes in securing AI systems with Vault: API key management, dynamic credentials for data access, encryption for PII, and audit logging. Contact us for Vault deployment and secrets management consulting.

Resources

Official website: https://www.vaultproject.io | Documentation: https://developer.hashicorp.com/vault | GitHub: https://github.com/hashicorp/vault | Learning: https://learn.hashicorp.com/vault