Every modern system depends on secrets — database passwords, API keys, TLS private keys, cloud credentials, signing keys, OAuth client secrets, service account tokens. How a team manages these secrets determines its security posture more than any other single decision.
The Secret Sprawl Problem
In a typical company without a secrets strategy, you find credentials in:
- Source code (committed by accident, then "forgotten")
- .env files on developer laptops
- Kubernetes Secrets (base64-encoded plaintext in etcd)
- CI/CD environment variables
- Slack messages, wikis, sticky notes
- Old infrastructure-as-code modules
- Browser-saved passwords
GitHub's own 2024 transparency report counted 13 million secrets pushed to public repos in one year. The Verizon DBIR consistently identifies stolen credentials as the leading cause of breaches.
What Centralised Secrets Management Solves
| Problem | Solution |
|---|---|
| "Who has access to this DB password?" | Policies — answer is auditable |
| "This developer left — what do we rotate?" | Revoke their tokens; rotate the secrets they could see |
| "Has any prod credential leaked?" | Audit log shows every access |
| "How do we rotate the DB password without downtime?" | Vault rotates and apps pull the new value |
| "How do CI runners get cloud creds securely?" | Short-lived dynamic credentials |
The Landscape
| Tool | Best for |
|---|---|
| HashiCorp Vault | Multi-cloud, on-prem, complex policy, dynamic secrets |
| AWS Secrets Manager / Parameter Store | All-in on AWS |
| Azure Key Vault | Azure-centric workloads |
| GCP Secret Manager | GCP-centric workloads |
| Doppler / 1Password Secrets Automation | Smaller teams; SaaS only |
| Sealed Secrets (Bitnami) | GitOps for Kubernetes — encrypted secrets in Git |
| External Secrets Operator | Bridges Kubernetes to any of the above |
This course focuses on Vault because it is the broadest tool — what you learn here transfers conceptually to every other vault.
What Makes Vault Different
Traditional vaults (the cloud-specific ones) are essentially encrypted key-value stores: put a value in, get a value out, with audit. Vault does that — and four more things:
1. Dynamic secrets
Vault generates a fresh, short-lived database credential per application instance, on demand. When the lease ends, Vault revokes the credential. If a credential leaks, the blast window is minutes, not months.
2. Encryption-as-a-service (Transit)
Vault becomes an encryption oracle: your app sends plaintext and gets ciphertext; sends ciphertext and gets plaintext. The app never sees the encryption key. Rotating the key happens centrally.
3. Pluggable auth methods
Authenticate via 20+ methods: AppRole (machine-to-machine), Kubernetes (service account tokens), AWS IAM (instance metadata), OIDC (humans via SSO), JWT, LDAP, etc.
4. Identity-driven policies
Policies are written in HCL and grant capabilities per path and per operation. The policies attached to the authenticated identity determine what it can read or write.
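As an added illustration (not part of the course material), this is a least-privilege policy for a web tier that may only request dynamic database credentials (item 1) and encrypt or decrypt with one Transit key (item 2); the mount paths `database/` and `transit/`, the role `web-readonly` and the key `orders` are assumed names.

```hcl
# Assumed mounts: database/ (database secrets engine) and transit/.
# "web-readonly" (a database role) and "orders" (a Transit key) are
# hypothetical names chosen for this example.

# Dynamic secret: each read returns a fresh, short-lived DB credential
# tied to a lease that Vault revokes when it expires.
path "database/creds/web-readonly" {
  capabilities = ["read"]
}

# Encryption-as-a-service: the app may call encrypt/decrypt (HTTP POST,
# hence "update") but never reads the key material itself.
path "transit/encrypt/orders" {
  capabilities = ["update"]
}
path "transit/decrypt/orders" {
  capabilities = ["update"]
}

# Explicitly forbid key management, even if another policy were to grant it;
# "deny" takes precedence over any other capability.
path "transit/keys/*" {
  capabilities = ["deny"]
}

# Let the client keep its own token and leases alive and give them back early.
path "auth/token/renew-self" {
  capabilities = ["update"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}
path "sys/leases/revoke" {
  capabilities = ["update"]
}

# Vault denies by default: any path not listed here (database/config/*,
# other roles, other keys) is unreachable with this policy attached.
```

Attach the policy to the identity that authenticates as the web tier (for example an AppRole or Kubernetes auth role), so that what the workload can reach follows from who it proved itself to be rather than from which host it runs on.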
The Zero-Trust Connection
Zero-trust architecture rests on three pillars:
- Verify identity on every request
- Least privilege — minimum access required for the task
- Short-lived credentials — so theft has a small blast radius
Vault is purpose-built for all three. Modern reference architectures (BeyondCorp, the NIST 800-207 zero-trust guidance) explicitly call out centralised secrets management as foundational.
The Cost of NOT Doing This
| Breach class | Median cost (IBM Cost of a Data Breach 2024) |
|---|---|
| Compromised credentials | $4.45M USD |
| Phishing | $4.76M USD |
| Stolen / leaked secrets in source code | Often the entry vector for the above |
The investment required to deploy and operate Vault is, by orders of magnitude, smaller than the expected loss of a single credential-driven breach.
What This Course Covers
The next seven lessons walk through Vault end-to-end:
- Architecture: how Vault stores and protects data
- Authentication: how clients prove who they are
- Policies: how access is granted
- Static and dynamic secret engines
- Encryption-as-a-service via Transit
- Operations: unsealing, HA, DR
- Real-world integrations: K8s, AWS, CI/CD
By the end you will have the conceptual fluency to pass the Vault Associate (003) exam and the practical knowledge to deploy Vault in production. Let's start with how Vault actually works.