Vault | Awesome Repos

hashicorpvault

35,796 stars4,699 forksGo9 viewsdeveloper.hashicorp.com/vault

Vault

Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads.

What distinguishes Vault is its ability to generate dynamic, short-lived credentials on-demand for databases and cloud providers, which are automatically revoked upon lease expiration to minimize security exposure. The platform also functions as an encryption-as-a-service provider, allowing applications to offload data protection, tokenization, and key management tasks to a centralized interface. Its modular architecture is supported by an extensible plugin system that uses remote procedure calls to integrate new functionality without requiring modifications to the primary codebase.

Beyond core secret handling, the platform offers comprehensive certificate lifecycle automation, including the generation, storage, and rotation of security certificates to maintain encrypted communication channels. It supports high-availability deployments through a distributed consensus protocol that synchronizes state across clusters and automatically forwards requests to the active leader node. The system also integrates with hardware security modules for enhanced key protection and maintains detailed audit logs to support regulatory compliance requirements.

Users interact with the platform through a command-line interface that supports API endpoint invocation, environment variable configuration, and shell autocompletion for operational tasks.

Features

Secrets Management Platforms - Acts as a centralized platform to secure, store, and control access to all infrastructure secrets.
Centralized Secrets Management - Centralizes the storage and management of sensitive credentials to eliminate hardcoded secrets.
Cryptographic Sealing Mechanisms - Provides a master key mechanism to encrypt internal storage, requiring an explicit unseal process to access data.
Dynamic Secret Engines - Integrates with external providers to create short-lived, just-in-time credentials that are automatically destroyed after use.
Identity-Based Access Control - Centralizes identity providers to manage granular permissions and enforce consistent security policies across distributed infrastructure.
Secret Storage - Stores and retrieves sensitive data like API keys and passwords in a centralized, encrypted location.
Certificate Lifecycle Management - Automatically generates, stores, and rotates security certificates to maintain encrypted communication channels.
Cloud Credential Management - Generates dynamic cloud service principals with automatic rotation and lease-based revocation.
Dynamic Credential Provisioning - Generates short-lived, automatically rotated credentials to minimize the impact of potential security breaches.
Encryption-as-a-Service - Provides a cryptographic layer for data protection, tokenization, and key management without requiring complex local implementation.
Identity-Based Access Brokers - Verifies identities to issue short-lived, dynamic credentials across heterogeneous environments.
Plugin Architectures - External binaries communicate with the core system via remote procedure calls to extend functionality without modifying the primary codebase.
Distributed Consensus Protocols - Coordinates nodes through a distributed consensus protocol to maintain a consistent, replicated state across a high-availability cluster.
Database Credential Management - Rotates database passwords automatically and generates unique, short-lived credentials on-demand.
Dynamic Credential Providers - Provides on-demand generation and rotation of temporary access permissions for external databases and cloud services.
Hardware Security Module Integrations - Connects to hardware security modules to protect master keys and enable automated system unsealing.
Lease Management Systems - Associates all generated credentials and secrets with time-bound leases that trigger automatic revocation or renewal.
Secret Retrieval Interfaces - Enables applications to securely fetch required credentials from protected storage without exposing them.
Sensitive Data Access Controls - Enforces granular access controls on sensitive data through programmatic and command-line interfaces.
Secret Management - Centralized management for tokens, passwords, and encryption keys.
Secrets Management - Centralized secrets management and encryption platform.
Security and Compliance - Secrets management and data protection tool.
Security And Hardening - Tool for managing and accessing sensitive secrets.
Security And Privacy - Secrets management and encryption service.
High-Availability Request Routing - Automatically redirects client requests to the active leader node to ensure consistent state management in distributed environments.
Encryption Key Management - Centralizes the distribution and lifecycle management of cloud-based encryption keys.
Secret Storage Engines - Provides secure, encrypted storage for sensitive key-value pairs to prevent hardcoding secrets.
Workload Identity Federation - Exchanges internal identity tokens for short-lived cloud credentials to enable secure cross-platform authentication.
Server Operational Management - Defines core operational behavior including storage backends, network listeners, and user lockout policies.
Storage Abstraction Layers - Provides a pluggable storage interface that decouples core logic from the underlying persistence layer.
Cluster Configuration Management - Defines cluster communication addresses and node behavior to ensure continuous service availability.
Centralized Identity Management - Consolidates multiple authentication providers to manage access policies from a single location.
Data Encryption Services - Encrypts and decrypts external data using a centralized service to simplify security management.
Distributed Security Clusters - Ensures consistent policy enforcement and high availability through a synchronized distributed security architecture.
Enterprise Configuration Management - Manages advanced operational settings including performance standby nodes, license paths, and administrative namespaces.
Plugin Architectures - Uses a modular architecture where external binaries extend core functionality without modifying the primary codebase.
Authentication Helpers - Verifies user identity and utilizes custom token helpers to manage cached access credentials securely.
Data Tokenization - Transforms sensitive input into secure, stateful tokens using cryptographic standards.
OIDC Identity Token Issuance - Issues OIDC identity tokens to applications, enabling authentication based on internal roles and custom claims.
Regulatory Compliance Tools - Provides centralized audit logging and policy enforcement to maintain regulatory compliance for sensitive data.

Open-source alternatives to Vault

Similar open-source projects, ranked by how many features they share with Vault.

stackexchange/blackbox
StackExchange/blackbox
6,768View on GitHub
Blackbox is a GPG secret management tool and asymmetric encryption wrapper used to securely store and share sensitive files within version control systems like Git, Mercurial, or Subversion. It functions as a version control secret store that encrypts files for safe storage at rest while allowing authorized users and machines to decrypt them. The system distinguishes itself by integrating directly with version control to provide plaintext diff and log visualization of encrypted files. It supports multi-recipient encryption and automated secret decryption via passphrase-less GPG subkeys, enabl
Go
View on GitHub6,768
openbao/openbao
openbao/openbao
6,433View on GitHub
OpenBao is a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys.
Gogosecret-managementsecurity
View on GitHub6,433
octelium/octelium
octelium/octelium
3,371View on GitHub
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS Sigv4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
Goabacai-gatewayapi-gateway
View on GitHub3,371
infisical/infisical
Infisical/infisical
27,374View on GitHub
Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports
TypeScriptacmecertificate-managementcli
View on GitHub27,374

See all 30 alternatives to Vault

Vault

Features

Open-source alternatives to Vault

StackExchange/blackbox

openbao/openbao

octelium/octelium

Infisical/infisical

Star history

Open-source alternatives to Vault

StackExchange/blackbox

openbao/openbao

octelium/octelium

Infisical/infisical