HashiCorp Cloud Platform
Learn secrets management with HCP Vault Secrets
HCP Vault Secrets enables development teams to centralize their secrets management and set up a unified view of their secrets and applications in minutes, while still maintaining their development workflows with their existing cloud secrets managers, CI systems, and deployment services.
The transition from conventional on-premises datacenters and environments to dynamic, cloud infrastructure is complex and introduces new security challenges.
Secrets sprawl: Organizations that use multiple secrets management tools increase their risk of a breach due to secret sprawl across different systems, files, and repositories.
Operational overhead: Organizations that manually manage workflows for secrets management spend time managing the deployment, updates, scale, reliability, security, compliance, and support for the rest of the teams in the organization.
Capabilities to deliver security automation: As organizations scale their secrets management workflow they will look to manage the complete lifecycle of secrets and sensitive data, requiring advanced capabilities, integrations, and support.
HCP Vault Secrets provides a fast solution to those challenges and protects sensitive data.
How is it different from HCP Vault Dedicated?
HashiCorp offers self-managed Vault (Vault Community Edition, and Vault Enterprise) as well as HCP Vault Dedicated. HCP Vault Dedicated is a fully managed implementation of Vault Enterprise. It reduces operational overhead compared to a self-managed Vault Enterprise cluster since HashiCorp manages the deployment and Vault updates for you. However, you still need to perform administrative tasks such as creating policies, enabling authentication methods, and enabling secrets engines before writing secrets.
HCP Vault Secrets is a multi-tenant SaaS offering. Organizations do not have to run or manage secrets management systems. HashiCorp manages the deployment, updates, scale, reliability, security, compliance, and support of HCP Vault Secrets.
Concepts and terms
Project: Projects are part of the HashiCorp Cloud Platform (HCP) resource hierarchy where you define applications.
Application: You create and manage secrets in applications. Applications can contain different secret types.
Secrets: Secrets are sensitive data (for example, credentials) that your organization must protect.
In this series of tutorials, you will create, read, and manage secrets using HCP Vault Secrets.
Secret types
HCP Vault Secrets offers different types of secrets to support various use cases.
Static secrets
Static secrets are manually managed by an organization, typically because the vendor does not support auto-rotation or dynamic secrets. HCP Vault Secrets securely stores static secrets and keeps a version history of each secret when it is manually updated.
Dynamic secrets
Plus tier
This feature is available in HCP Vault Secrets Plus tier.
Dynamic secrets are created just-in-time by an issuing service when it is integrated with HCP Vault Secrets. When issued, the dynamic secret has a predefined lifetime, called a time-to-live (TTL). HCP Vault Secrets returns the unique credential to the requester along with a unique identifier that allows the secret to be audited and, where the issuing service supports it, revoked before its TTL expires.
Dynamic secrets are useful for ephemeral workloads in environments with stringent security requirements such as cloud deployments or microservices architectures. They are also useful for time-bound workloads such as Kubernetes CronJobs or Terraform runs.
Auto-rotated secrets
Plus tier
This feature is available in HCP Vault Secrets Plus tier.
Auto-rotated secrets allow organizations to ensure that static credentials are not long-lived. With a supported provider, HCP Vault Secrets can automate the rotation of secrets that are otherwise static, such as vendor API keys.
Auto-rotated secrets are well suited for more static or critical workloads where frequent restarts can cause performance issues or outages. An example would be a long-lived workload or application that requires continuous access to a database or cannot handle credential updates without restarts.
Next steps
In the next section, you will learn how to manage permissions for HCP Vault Secrets.