---
layout: docs
page_title: Introduction
sidebar_title: What is Vault?
description: >-
  Welcome to the intro guide to Vault! This guide is the best place to start
  with Vault. We cover what Vault is, what problems it can solve, how it
  compares to existing software, and contains a quick start for using Vault.
---

# Introduction to Vault

Welcome to the introduction guide to HashiCorp Vault! This guide is the best
place to get started with Vault. It covers what Vault is, what problems it can
solve, and how it compares to existing software, and it contains a quick start
for using Vault.

If you are already familiar with the basics of Vault, the
[documentation](/docs) provides a better reference guide for all
available features as well as internals.

## What is Vault?

Vault is a tool for securely accessing _secrets_. A secret is anything that you
want to tightly control access to, such as API keys, passwords, or certificates.
Vault provides a unified interface to any secret, while providing tight access
control and recording a detailed audit log.

A modern system requires access to a multitude of secrets: database credentials,
API keys for external services, credentials for service-oriented architecture
communication, etc. Understanding who is accessing what secrets is already very
difficult and platform-specific. Adding on key rolling, secure storage, and
detailed audit logs is almost impossible without a custom solution. This is
where Vault steps in.

Examples work best to showcase Vault. Please see the
[use cases](/docs/use-cases).

The key features of Vault are:

- **Secure Secret Storage**: Arbitrary key/value secrets can be stored
  in Vault. Vault encrypts these secrets prior to writing them to persistent
  storage, so gaining access to the raw storage isn't enough to access
  your secrets. Vault can write to disk, [Consul](https://www.consul.io),
  and more.

- **Dynamic Secrets**: Vault can generate secrets on-demand for some
  systems, such as AWS or SQL databases. For example, when an application
  needs to access an S3 bucket, it asks Vault for credentials, and Vault
  will generate an AWS keypair with valid permissions on demand. After
  creating these dynamic secrets, Vault will also automatically revoke them
  after the lease is up.

- **Data Encryption**: Vault can encrypt and decrypt data without storing
  it. This allows security teams to define encryption parameters and
  developers to store encrypted data in a location such as SQL without
  having to design their own encryption methods.

- **Leasing and Renewal**: All secrets in Vault have a _lease_ associated
  with them. At the end of the lease, Vault will automatically revoke that
  secret. Clients are able to renew leases via built-in renew APIs.

- **Revocation**: Vault has built-in support for secret revocation. Vault
  can revoke not only single secrets, but a tree of secrets, for example
  all secrets read by a specific user, or all secrets of a particular type.
  Revocation assists in key rolling as well as locking down systems in the
  case of an intrusion.
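
A simplified model of the leasing, renewal and revocation behaviour listed above, as an added example that is not Vault's code or API. The `LeaseManager` class, its method names, the path-shaped lease IDs, the maximum-lifetime cap and the sample paths and TTLs are all assumptions made for illustration.

```python
import itertools

class LeaseManager:
    """Simplified model of lease bookkeeping (not Vault's implementation or API)."""
    def __init__(self, revoke_secret):
        self._expiry = {}                    # lease_id -> (expires_at, hard_limit)
        self._seq = itertools.count(1)
        self._revoke_secret = revoke_secret  # callback that invalidates the credential

    def issue(self, path, ttl, max_ttl, now):
        # Lease IDs are hierarchical so a whole subtree can be revoked at once.
        lease_id = f"{path.strip('/')}/{next(self._seq)}"
        self._expiry[lease_id] = (now + ttl, now + max_ttl)
        return lease_id

    def renew(self, lease_id, increment, now):
        expires_at, hard_limit = self._expiry.get(lease_id, (now, now))
        if expires_at <= now:
            raise KeyError(f"lease expired or unknown: {lease_id}")
        # A renewal can never push the lease past its maximum lifetime.
        self._expiry[lease_id] = (min(now + increment, hard_limit), hard_limit)
        return self._expiry[lease_id][0]

    def expire(self, now):
        return self._revoke([i for i, (exp, _) in self._expiry.items() if exp <= now])

    def revoke_prefix(self, prefix):
        # Subtree revocation, e.g. every AWS credential during an incident.
        prefix = prefix.strip("/") + "/"     # "aws" must not match "aws-staging/..."
        return self._revoke([i for i in self._expiry if i.startswith(prefix)])

    def _revoke(self, lease_ids):
        for lease_id in lease_ids:
            del self._expiry[lease_id]
            self._revoke_secret(lease_id)
        return lease_ids

    def active(self):
        return sorted(self._expiry)

def demo():
    revoked = []                             # stands in for deleting real credentials
    mgr = LeaseManager(revoked.append)
    a = mgr.issue("aws/creds/deploy", ttl=60, max_ttl=120, now=0)
    mgr.issue("aws-staging/creds/ci", ttl=90, max_ttl=120, now=0)
    mgr.issue("database/creds/app", ttl=60, max_ttl=120, now=0)
    capped = mgr.renew(a, increment=100, now=50)   # asks for 150, capped at 120
    expired = mgr.expire(now=61)                   # only the unrenewed 60s lease
    incident = mgr.revoke_prefix("aws")            # revokes the aws/ subtree only
    return capped, expired, incident, mgr.active(), revoked
```

The constructed run in `demo()` shows the three paths a lease can take: renewed up to its cap, expired by the clock, or revoked early as part of a subtree.
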
## Next Steps

See the page on [Vault use cases](/docs/use-cases) to see the multiple ways
Vault can be used. Then, continue onwards with the [getting started
guide](https://learn.hashicorp.com/vault/getting-started/install) to use Vault
to read, write, and create real secrets and see how it works in practice.