Cyber Security Academy · Lesson

Vaults and Secret Stores

Centralizing secrets with tools like Vault.

What a Secret Store Solves

A secret store (or vault) is a centralized, hardened service whose only job is to store, control, and audit access to secrets. It replaces the scattered files and env vars that cause sprawl.

A good secrets manager provides four core capabilities:

  • Centralized storage: one authoritative source of truth.
  • Access control: fine-grained policies on who and what can read each secret.
  • Audit logging: a record of every access, for incident response.
  • Encryption: secrets encrypted at rest and in transit.

Examples include HashiCorp Vault, AWS Secrets Manager, Azure Key Vault, and GCP Secret Manager.

How HashiCorp Vault Is Structured

HashiCorp Vault is a popular open-source secrets manager. It organizes functionality into pluggable secrets engines mounted at paths.

  • KV engine: stores static key-value secrets.
  • Database engine: generates dynamic, short-lived DB credentials.
  • PKI engine: issues TLS certificates on demand.
  • Transit engine: encryption as a service without exposing keys.

You interact with Vault over an HTTP API or the CLI. Each path is governed by policies that decide who may read or write there.

# Enable a KV v2 secrets engine at the 'secret/' path
vault secrets enable -path=secret kv-v2

# Write and read a static secret
vault kv put secret/app/db password='S3cr3t' user='app'
vault kv get secret/app/db
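To show how the policy and path model fits together for the secret written above, here is an added Python example (not from this lesson or from HashiCorp) that reads secret/app/db over Vault's HTTP API; the Vault address, the placeholder token and the offline fake transport are constructed assumptions, and the policy text is the least-privilege rule such a reader would need.

```python
import io
import json
import urllib.request

# Least-privilege policy for the lesson's secret. KV v2 inserts "data/"
# between the mount and the key in API paths, so the policy must name
# secret/data/app/db; a rule on secret/app/db would never match.
READ_ONLY_POLICY = """
path "secret/data/app/db" {
  capabilities = ["read"]
}
"""

def kv2_api_path(mount: str, key: str) -> str:
    """CLI path 'secret/app/db' -> HTTP API path '/v1/secret/data/app/db'."""
    return f"/v1/{mount.strip('/')}/data/{key.strip('/')}"

def parse_kv2_response(body: bytes) -> dict:
    """Return the secret and its version from a KV v2 read. KV v2 nests user
    data under data.data; data.metadata.version says which rotation was read."""
    doc = json.loads(body)
    return {"secret": doc["data"]["data"],
            "version": doc["data"]["metadata"]["version"]}

def read_secret(addr, token, mount, key, opener=urllib.request.urlopen) -> dict:
    """Read a KV v2 secret over the HTTP API. The token travels in the
    X-Vault-Token header; Vault checks its policies against the path."""
    req = urllib.request.Request(addr.rstrip("/") + kv2_api_path(mount, key),
                                 headers={"X-Vault-Token": token})
    with opener(req) as resp:
        return parse_kv2_response(resp.read())

# Constructed sample of what Vault returns for the lesson's `vault kv get`.
SAMPLE_RESPONSE = json.dumps({"data": {
    "data": {"password": "S3cr3t", "user": "app"},
    "metadata": {"version": 1, "destroyed": False}}}).encode()

def fake_opener(req):
    """Offline stand-in for urlopen (an assumption, not a Vault API): it
    refuses token-less requests the way Vault answers with 403."""
    if req.get_header("X-vault-token") is None:  # urllib capitalises header keys
        raise PermissionError("403 permission denied")
    return io.BytesIO(SAMPLE_RESPONSE)

def demo(token="hvs.PLACEHOLDER") -> dict:
    """Read secret/app/db through the fake transport; use a real VAULT_ADDR and
    VAULT_TOKEN and drop opener= to talk to a live server."""
    return read_secret("http://127.0.0.1:8200", token, "secret", "app/db",
                       opener=fake_opener)
```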
