open-vault/website/source/intro/use-cases.html.markdown

---
layout: "intro"
page_title: "Use Cases"
sidebar_current: "use-cases"
description: |-
  This page lists some concrete use cases for Vault, but the possible use cases are much broader than what we cover.
---

# Use Cases

Before understanding use cases, it's useful to know [what Vault is](/intro/index.html).
This page lists some concrete use cases for Vault, but the possible use cases are
much broader than what we cover.

#### General Secret Storage

At a bare minimum, Vault can be used for the storage of any secrets. For
example, Vault would be a fantastic way to store sensitive environment variables,
database credentials, API keys, etc.

Compare this with the current way to store these which might be
plaintext in files, configuration management, a database, etc. It would be
much safer to query these using `vault read` or the API. This protects
the plaintext version of these secrets as well as records access in the Vault
audit log.

#### Employee Credential Storage

While this overlaps with "General Secret Storage", Vault is a good mechanism
for storing credentials that employees share to access web services. The
audit log mechanism lets you know what secrets an employee accessed and
when an employee leaves, it is easier to roll keys and understand which keys
have and haven't been rolled.

#### API Key Generation for Scripts

The "dynamic secrets" feature of Vault is ideal for scripts: an AWS
access key can be generated for the duration of a script, then revoked.
The keypair will not exist before or after the script runs, and the
creation of the keys are completely logged.

This is an improvement over using something like Amazon IAM but still
effectively hardcoding limited-access access tokens in various places.
website: initial import 2015-03-13 17:34:29 +00:00			`---`
			`layout: "intro"`
			`page_title: "Use Cases"`
			`sidebar_current: "use-cases"`
			`description: \|-`
website: homepage, intro 2015-04-07 01:35:00 +00:00			`This page lists some concrete use cases for Vault, but the possible use cases are much broader than what we cover.`
website: initial import 2015-03-13 17:34:29 +00:00			`---`

			`# Use Cases`

			`Before understanding use cases, it's useful to know [what Vault is](/intro/index.html).`
			`This page lists some concrete use cases for Vault, but the possible use cases are`
website: homepage, intro 2015-04-07 01:35:00 +00:00			`much broader than what we cover.`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`#### General Secret Storage`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`At a bare minimum, Vault can be used for the storage of any secrets. For`
			`example, Vault would be a fantastic way to store sensitive environment variables,`
			`database credentials, API keys, etc.`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`Compare this with the current way to store these which might be`
			`plaintext in files, configuration management, a database, etc. It would be`
			much safer to query these using `vault read` or the API. This protects
			`the plaintext version of these secrets as well as records access in the Vault`
			`audit log.`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`#### Employee Credential Storage`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`While this overlaps with "General Secret Storage", Vault is a good mechanism`
			`for storing credentials that employees share to access web services. The`
			`audit log mechanism lets you know what secrets an employee accessed and`
			`when an employee leaves, it is easier to roll keys and understand which keys`
			`have and haven't been rolled.`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`#### API Key Generation for Scripts`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`The "dynamic secrets" feature of Vault is ideal for scripts: an AWS`
			`access key can be generated for the duration of a script, then revoked.`
			`The keypair will not exist before or after the script runs, and the`
			`creation of the keys are completely logged.`
website: initial import 2015-03-13 17:34:29 +00:00
website: homepage, intro 2015-04-07 01:35:00 +00:00			`This is an improvement over using something like Amazon IAM but still`
			`effectively hardcoding limited-access access tokens in various places.`