HashiCorp Cloud Platform
What is HCP Vault Dedicated?
HCP Vault Dedicated is a hosted version of Vault Enterprise operated by HashiCorp to allow organizations to get up and running quickly. HCP Vault Dedicated uses the same binary as self-hosted Vault Enterprise, which means you will have a consistent user experience. You can use the same CLI, API, and UI to communicate with HCP Vault Dedicated as you use to communicate with a self-hosted Vault Enterprise.
HCP Vault Dedicated clusters can be created on either AWS or Azure across multiple regions across North America, Asia, and Europe. We will support additional cloud providers in the future.
Why HCP Vault Dedicated?
Vault Enterprise running on the HashiCorp Cloud Platform (HCP) enables users to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys within one unified cloud-based platform.
The benefits of HCP Vault Dedicated are:
Reduce operational overhead: Push-button deployment, fully managed upgrades, and backups mean organizations can focus on adoption and integration instead of operational overhead.
Increase security across clouds and machines: Secure your infrastructure across all your environments through a single interface and globally control and restrict access to sensitive data and systems.
Control cost: Reduce the number of systems, licenses, and manual overhead by centralizing secrets management with HCP Vault Dedicated.
Day zero readiness: Modern cloud security to quickly secure applications, access, and data from day zero.
Reliability: HashiCorp has experience supporting thousands of commercial Vault Enterprise clusters and HCP Vault Dedicated brings that expertise directly to users.
Ease of use: HCP Vault Dedicated is built around making cloud security automation simple. Get up and running quickly so that you can onboard applications and teams easily.
Feature parity
Since HCP Vault Dedicated uses the same binary as Vault Enterprise, most enterprise features are available to HCP Vault Dedicated users. Some features such as auto-unseal are managed by HashiCorp to manage the cluster.
The table below compares the features available on the self-managed Vault Enterprise and HCP Vault Dedicated.
Features | Self-managed | HCP Vault Dedicated |
---|---|---|
All community edition features | ✅ | ✅ |
Namespaces | ✅ | ✅ |
Performance replication | ✅ | ✅ |
Paths filter | ✅ | ✅ |
Read replica | ✅ | ✅ |
Disaster Recovery (DR) replication | ✅ | ✅ |
Control groups | ✅ | ✅ |
Sentinel | ✅ | ✅ |
HSM auto-unseal | ✅ | ❌ |
Entropy augmentation | ✅ | ❌ |
FIPS 140-2 & seal wrap | ✅ | ❌ |
KMIP secrets engine | ✅ | ✅ |
Key management secrets engine | ✅ | ✅ |
Transform secrets engine | ✅ | ✅ |
Automatic minor version upgrade | ❌ | ✅ |
Automatic major version upgrade | ❌ | ✅ |
Audit logging by default | ❌ | ✅ |
Snapshots & restore | ❌ | ✅ |
Note
For the self-managed Vault Enterprise clusters, audit logging is a manual configuration. Similarly, if your self-managed Vault Enterprise is running with Integrated Storage, you can configure an automatic data snapshot. However, HCP Vault Dedicated automates the audit logging process.
Resources:
Self-managed vs. HCP Vault Dedicated cluster
Here is a quick comparison between a self-managed Vault Enterprise cluster and an HCP Vault Dedicated cluster.
Cluster Feature | Self-managed | HCP Vault Dedicated |
---|---|---|
Vault Edition | Vault Community Edition or Vault Enterprise | Vault Enterprise |
Storage backend | Choose one and self-manage | Integrated Storage |
Seal | Seal uses Shamir's Secret Sharing algorithm to generate key shares by default. | Auto-unseal is configured. A unique Key Management Service (KMS) key is created for each cluster. |
Vault version | Self-manage the upgrade process | Minor and major versions are upgraded for you automatically. See the Vault Version documentation for more detail. |
Top-level Namespace | root | admin |
Root/admin token | Vault initialization process generates a root token. To regenerate a root token, unseal keys or recovery keys are required. | Click on the Generate token button via HCP Vault Dedicated Portal returns an admin token which is valid for 6 hours. |
Advanced Data Protection (ADP) features | Available with Vault Enterprise license | Available with HCP Vault Dedicated Plus. |
Enterprise Replication | Available with Vault Enterprise license | Performance Replication is available with HCP Vault Dedicated Plus. |
Cluster Scaling | No built in feature to scale the cluster size up or down. | Scale your cluster size dynamically via the HashiCorp Cloud Platform Portal or Terraform. |
Tier Sizing | Not applicable | For information on tier sizing and pricing, see HCP Vault Dedicated Pricing. |
Sentinel and Control Groups | Available with Vault Enterprise license | Available with HCP Vault Dedicated Plus. |
HCP Vault Dedicated on Azure
HCP Vault Dedicated on Azure includes all features found on AWS with the exception of following features which are planned:
- Snapshots retained for 30 days after cluster deletion to support cluster restore
- Oracle Database Secrets Plugin
- KMIP Secrets Engine
Tutorial
Refer to the Getting Started with HCP Vault Dedicated tutorial to get hands-on with HCP Vault Dedicated and set up your managed Vault cluster.
Looking for Vault fundamentals?
Read core Vault documentation and tutorials, including self-hosted docs.
Go to Vault