HashiCorp Cloud Platform
What is HCP Vault Secrets?
HCP Vault Secrets is a SaaS platform which provides secure and simplified workflows for centralizing the storage and management of secrets such as API keys, database credentials or other sensitive data. Organizations can standardize how they protect and manage access to secrets at scale while improving their overall security posture.
Access the quickstart tutorials to learn how to get up and running.
When should I use HCP Vault Secrets?
Whether your organization is just getting started with secrets management or looking to simplify and improve its existing secrets management processes, HCP Vault Secrets can help at any stage. HCP Vault Secrets provides a secure and flexible access control model that lets organizations apply the principle of least privilege to both secret management and secret access. By combining strong access control and secret lifecycle management in a single platform, organizations can ensure their secrets are protected and can be managed to mitigate the risk associated with leaked secrets.
Use cases
HCP Vault Secrets supports the following use cases:
- Static secrets management: Centralize management of secrets which can be stored and retrieved as key-value pairs
- Auto-rotating Secrets: Automatically manage the rotation of secrets on a set schedule or on-demand as needed
- Dynamic Secrets: Generate unique-per-client, short-lived secrets on demand
- Secrets Sync: Sync secrets to third-party platforms while centralizing lifecycle management
- Workload Identity Federation: Eliminate long-lived credentials in configuration across clients and third-party integrations
Auto-rotating vs. Dynamic Secrets
Auto-rotating and Dynamic Secrets are different strategies for accomplishing the same goal: automating the management of a credential in order to scope down its lifetime and blast radius. While they share the same goal, the workflows for managing their life cycles are different. In short, Dynamic Secrets offer stronger isolation, while Auto-rotating Secrets are more resilient to third-party outages and can take advantage of the Secrets Sync feature.
For simplicity the comparisons will focus on a common use case: many copies of a software application running on a compute platform. We will call this application “payments”.
Auto-rotating Secrets
Auto-rotating Secrets are rotated on a schedule by a background job. When a rotation happens, a new credential is stored as the latest active version (N) of the secret. At the same time the version two rotations back (N - 2) becomes inactive, so the latest and previous versions are valid at the same time, and a consumer that fetched the previous version keeps working through one rotation. If a secret sync is set up for the parent application, the Auto-rotating secret's values are also securely synced into the configured third-party destination upon each rotation.
When an instance of the payments application starts up it pulls the latest version of the secret. That same value is shared with every other instance that fetched the latest credential during the same rotation window, so if the credential is revoked or leaked, every instance holding it is affected at once.
Pre-creating and sharing secrets amongst consumers allows for low-latency and less error-prone secret retrieval. A temporary outage of the rotation job or of a third-party credential provider delays the creation of new credentials, but existing ones remain active. Since rotation periods are likely to be in the range of days or months, auditing historical secret values is easier because there are few values to record.
Dynamic Secrets
Dynamic Secrets are generated just-in-time upon retrieval. A unique short-lived credential is returned to each requestor, so every instance of the payments application holds a different credential with a different expiration time. Since these credentials are not shared between consumers, they also cannot be synced to other destinations.
The just-in-time nature of these credentials adds a security benefit -- each one is isolated to a single caller and can have a shorter time-to-live. If a credential is leaked it is traceable back to the application instance that requested it, which helps forensic investigations attribute the leak.
Compared with Auto-rotating Secrets there may be orders of magnitude more credentials generated and revoked making it harder to audit and store all past historical secret values. Additionally, on-demand credential creation adds latency to the retrieval requests. If the downstream issuing service (provider) has an outage, HCP Vault Secrets may be temporarily unable to mint new secret values.
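The following is an added illustration, not HCP Vault Secrets code or an HCP API: a small Python model of the two lifecycles described in the Auto-rotating Secrets and Dynamic Secrets sections above. It simulates the versioning rule the text gives (latest and previous versions active, N - 2 retired), a fleet of "payments" instances that fetch the shared value at startup, and per-caller leases for dynamic secrets, then compares blast radius and leak attribution. Class names, the fleet size, the TTL and the use of random tokens as stand-in credentials are all assumptions of this example.

```python
"""Toy model of auto-rotating vs. dynamic secret lifecycles (added example, not HCP code)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

ACTIVE_VERSIONS = 2  # assumption matching the text: latest and previous stay valid, N-2 is retired


@dataclass
class AutoRotatingSecret:
    """Schedule-rotated secret: one shared value per version, fetched by every consumer."""
    versions: dict[int, str] = field(default_factory=dict)  # version -> value
    latest: int = 0

    def rotate(self) -> int:
        """Mint version N and retire version N-2; N-1 stays active as the overlap window."""
        self.latest += 1
        self.versions[self.latest] = secrets.token_hex(8)  # simulated new credential
        self.versions.pop(self.latest - ACTIVE_VERSIONS, None)
        return self.latest

    def read_latest(self) -> tuple[int, str]:
        return self.latest, self.versions[self.latest]

    def is_active(self, version: int) -> bool:
        return version in self.versions


@dataclass
class DynamicSecret:
    """Just-in-time secret: a unique, leased value per requester."""
    leases: dict[str, tuple[str, int]] = field(default_factory=dict)  # value -> (requester, expiry)

    def request(self, requester: str, now: int, ttl: int) -> str:
        cred = secrets.token_hex(8)  # simulated per-caller credential
        self.leases[cred] = (requester, now + ttl)
        return cred

    def is_valid(self, cred: str, now: int) -> bool:
        lease = self.leases.get(cred)
        return lease is not None and now < lease[1]

    def attribute(self, cred: str) -> str | None:
        """A leaked value maps back to exactly one requester."""
        lease = self.leases.get(cred)
        return lease[0] if lease else None


def simulate_auto_rotating(fleet_size: int = 6) -> dict:
    """Instances start across two rotation windows; then a third rotation retires version 1."""
    secret = AutoRotatingSecret()
    secret.rotate()  # version 1
    holders: dict[str, int] = {}  # instance -> version it fetched at startup
    for i in range(fleet_size):
        if i == fleet_size // 2:
            secret.rotate()  # version 2 lands mid-rollout; v1 is still active
        holders[f"payments-{i}"] = secret.read_latest()[0]
    # a leak of version 1 affects every instance that fetched it
    blast_v1 = [inst for inst, v in holders.items() if v == 1]
    secret.rotate()  # version 3: v1 retired, v2 still active
    return {
        "holders": holders,
        "blast_radius_v1": blast_v1,
        "working_after_v3": [i for i, v in holders.items() if secret.is_active(v)],
        "broken_after_v3": [i for i, v in holders.items() if not secret.is_active(v)],
        "credentials_issued": 3,
    }


def simulate_dynamic(fleet_size: int = 6, ttl: int = 3600) -> dict:
    """Each instance requests its own lease; a leak of one value touches one instance."""
    secret = DynamicSecret()
    creds = {f"payments-{i}": secret.request(f"payments-{i}", now=i * 60, ttl=ttl)
             for i in range(fleet_size)}
    leaked = creds["payments-2"]  # constructed leak scenario
    return {
        "unique_credentials": len(set(creds.values())),
        "leak_attributed_to": secret.attribute(leaked),
        "blast_radius": sum(1 for c in creds.values() if c == leaked),
        "valid_at_expiry": secret.is_valid(leaked, 2 * 60 + ttl),
        "credentials_issued": len(secret.leases),
    }


if __name__ == "__main__":
    print(simulate_auto_rotating())
    print(simulate_dynamic())
```

Running the module shows the trade-off the text describes: under auto-rotation, three instances share version 1 and all three fail after the second subsequent rotation retires it (they must re-read the secret), while the dynamic model issues one lease per instance, attributes a leaked value to a single requester, and has already issued twice as many credentials for the same fleet.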
HCP Vault Secrets vs. HCP Vault Dedicated
HCP Vault Secrets is a multi-tenant, SaaS platform providing teams secure and simplified workflows for secret lifecycle management. Manage and integrate secrets where you need them across your applications and infrastructure.
HCP Vault Dedicated provides single-tenant, managed Vault Enterprise clusters. HCP manages the provisioning, operations, and maintenance of the cluster allowing organizations the flexibility to establish consistent identity based access workflows for secret access and data protection needs.