JobCannon

HashiCorp Vault

Tier: 2 (Tech)
Salary impact: High
Time to learn: 5 months
Difficulty: Hard
Careers: 3
TL;DR

HashiCorp Vault is the enterprise-grade open-source secrets management platform: centralized storage for API keys, database credentials, encryption keys, certificates, and SSH access without hardcoding secrets. Career path: Practitioner (basic KV, ACLs, $110-135k) → Operations (dynamic secrets, PKI, rotation, $135-170k) → Architect (multi-datacenter, audit, compliance, $170-210k) over 4-6 months. Lives alongside CI/CD pipelines, Kubernetes, Terraform, and cloud infrastructure. Used by Adobe, Barclays, Citadel (prevents 80% of credential leak breaches).

What is HashiCorp Vault

Secrets management, encryption, identity-based access. Centralized secrets storage for applications, databases, APIs. Enterprise standard for security at scale. Learning Curve: Medium-Hard (security concepts + operations)

🔧 TOOLS & ECOSYSTEM

HashiCorp Vault, Vault Agent, Vault Operator, HashiCorp Consul, HashiCorp Boundary, OpenBao, AWS Secrets Manager, Doppler, Infisical, Bitwarden Secrets, sealed-secrets, External Secrets Operator, Terraform Vault provider

💰 Salary by region

Region   Junior   Mid      Senior
USA      $110k    $150k    $195k
UK       £75k     £95k     £135k
EU       €80k     €100k    €140k
Canada   C$120k   C$160k   C$210k

🎯 Careers using HashiCorp Vault

❓ FAQ

Vault vs AWS Secrets Manager: which should I use?
AWS Secrets Manager is managed (no ops overhead, automatic rotation, AWS-only), costs ~$0.40/secret/month. Vault is self-hosted (max control, multi-cloud, dynamic credentials, audit trails), free but requires ops. Use Secrets Manager if: AWS-only stack, startup, minimal ops team. Use Vault if: multi-cloud, strict audit/compliance, dynamic secrets, K8s-native workloads, or self-hosted is a requirement. Larger orgs often use both: Vault for internal identity + Secrets Manager for AWS-specific secrets.
Vault vs Doppler vs Infisical: what's the difference?
Doppler and Infisical are managed (SaaS), easier UX, built for developers. Vault is self-hosted open-source (maximum control, zero vendor lock-in). Doppler costs $7-30/user/month, Infisical ~$50-200/month. Vault: free (self-hosted), paid support. Pick Doppler/Infisical for small teams wanting zero ops. Pick Vault for enterprises, compliance-heavy orgs, or multi-cloud mandates. Bitwarden Secrets Bridge (2024) = middle ground but still proprietary.
What happened with HashiCorp's BSL license change in 2023, and the OpenBao fork?
In Aug 2023, HashiCorp switched from Mozilla Public License 2.0 to Business Source License (BSL) for new versions, prohibiting commercial use without a paid license. IBM acquired OpenBao fork (Oct 2024, now CNCF sandbox) as a drop-in open-source alternative. Most enterprises stay on Vault <1.15 (MPL) or migrate to OpenBao. Cloud providers (AWS, Azure, GCP) continue supporting Vault. Vault 1.16+ requires payment for anything beyond dev/hobby. Impact: if your company mandates open-source-only, evaluate OpenBao (slower release cycle but fully free).
When should I use Vault's dynamic secrets and what engines exist?
Dynamic secrets auto-generate short-lived credentials on demand (vs static secrets that live forever). Vault includes: Database engine (MySQL, PostgreSQL, MongoDB, Oracle; auto-rotates DB passwords), AWS engine (auto-generates IAM credentials), SSH engine (one-time SSH keys), PKI engine (certificates). Use dynamic for: database credentials (TTL 1h), API keys (15min), SSH access (5min). Result: compromised credentials expire automatically, and credential rotation happens without human intervention. Prevents credential hoarding. Setup: ~20 min per database, huge security lift.
Vault KV v1 vs v2: which should I use?
KV v1 is deprecated (simple key-value). KV v2 is the standard (versioning, soft/hard deletes, check-and-set operations). Use v2 for new installs. Both work fine, but v2 prevents accidental overwrites and enables audit trails per version. CLI usage: `vault kv put secret/foo bar=baz` works against either version; the CLI inserts the `/data/` segment that the v2 HTTP API path requires (`secret/data/foo`). A v1 → v2 migration path exists but is manual. Recommendation: v2 only, enable versioning from day one.
What are auto-unseal patterns and why does it matter?
Vault's storage is encrypted and starts sealed (locked). Auto-unseal uses a key management service (AWS KMS, Azure Key Vault, GCP Cloud KMS, or HashiCorp Cloud Platform) to automatically decrypt the master key on startup (vs manual `vault operator unseal`, which requires 3 of 5 key shares). For production (availability, disaster recovery, Kubernetes), use auto-unseal (1-2 min setup in Terraform). For dev, use Shamir keys (3-of-5 key splitting, educational). Cost: ~$0.03-0.10 per unseal call with AWS KMS. K8s + auto-unseal = seamless restarts.
How does Vault integrate with Kubernetes and what does sidecar injection do?
Vault Agent Injector (a K8s mutating webhook) auto-injects secrets into pod filesystems via init containers. Pod spec: add the `vault.hashicorp.com/agent-inject=true` annotation plus paths like `vault.hashicorp.com/agent-inject-secret-database=/vault/secrets/db`. The agent fetches the secret, renders it to a file (/vault/secrets/db), and refreshes it before the TTL expires. No SDK changes needed; works with any language. Alternative: external-secrets-operator (CNCF) syncs Vault → K8s Secrets. Sidecar injection is the standard; external-secrets is the fallback if you prefer K8s-native API objects.
What audit logging does Vault provide and why is it important for compliance?
Vault logs every API call (auth, reads, writes, deletions) with timestamp, user, action, path, and result. Enable file, syslog, or socket audit devices (socket forwards to a collector such as Splunk). An immutable audit trail is critical for: SOC2 (compliance), HIPAA (healthcare), PCI-DSS (payments), internal forensics. Logs survive Vault restarts (separate backend). Recommendation: enable audit logging on day one, review quarterly, integrate with a SIEM (Splunk/ELK). Cost: ~5-10% storage overhead. Regulatory sign-off often requires proving that Vault logs your secrets access.
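The SIEM review step described above, as an added example that is not part of the original page: it parses constructed Vault audit-device entries and flags root-token use and denied reads against a sensitive KV v2 path prefix (the path, names and addresses are made up for illustration).

```python
import json
from collections import Counter

# Constructed Vault audit-device entries (JSON, one object per line). Field names follow
# Vault's audit log format; names, addresses and timestamps are made up. Vault writes a
# "request" entry when a call arrives and a "response" entry when it completes; only the
# response entry carries the error string, so the review keys off responses.
def _entry(kind, rid, name, policies, path, addr, error=None):
    e = {"type": kind, "time": "2024-05-01T10:00:00Z",
         "auth": {"display_name": name, "policies": policies},
         "request": {"id": rid, "operation": "read", "path": path, "remote_address": addr}}
    if error:
        e["error"] = error
    return e

DB_PATH = "secret/data/payments/db"  # constructed KV v2 path
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    _entry("request", "r1", "approle-payments", ["default", "payments-read"], DB_PATH, "10.0.3.12"),
    _entry("response", "r1", "approle-payments", ["default", "payments-read"], DB_PATH, "10.0.3.12"),
    _entry("response", "r2", "token", ["root"], DB_PATH, "10.0.9.40"),
    _entry("response", "r3", "approle-web", ["default", "web"], DB_PATH, "10.0.4.9",
           "1 error occurred:\n\t* permission denied\n\n"),
])
SENSITIVE_PREFIX = "secret/data/payments/"  # constructed: the path family under review


def parse_responses(text):
    """Parse audit log lines, keeping only completed ('response') entries."""
    entries = (json.loads(line) for line in text.splitlines() if line.strip())
    return [e for e in entries if e.get("type") == "response"]


def review(entries):
    """Return (findings, successful_reads_per_path) for a SIEM-style review.

    Rule 1: any call carrying the root policy (root tokens should not exist day to day).
    Rule 2: a denied call against the sensitive prefix, i.e. a token asking for secrets
    its policy does not grant.
    """
    findings, reads = [], Counter()
    for e in entries:
        req, auth = e["request"], e.get("auth", {})
        if req["operation"] == "read" and not e.get("error"):
            reads[req["path"]] += 1
        if "root" in auth.get("policies", []):
            findings.append(("root-token-used", req["id"], req["path"]))
        if e.get("error") and req["path"].startswith(SENSITIVE_PREFIX):
            findings.append(("denied-sensitive-access", req["id"], auth.get("display_name")))
    return findings, reads
```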
