HashiCorp Certified: Vault Associate Certification

Compare and Configure Secrets Engines

Introduction to Secrets Engines

When you check into a hotel, you receive a room key, much like obtaining a token in HashiCorp Vault. Once authenticated, you can use that token (or key card) to access your room, the gym, or the spa without returning to the front desk every time.

In Vault, Secrets Engines are like these hotel amenities: they represent the capabilities you want to access once you present a valid token.

Once your token is validated, you can interact with one or more Secrets Engines without re-authenticating. These engines provide functionality such as storing static credentials, generating dynamic secrets, encrypting data, issuing certificates, and more.

Figure: Vault clients present a token to reach one or more Secrets Engines (KV, PKI, Transit, Kubernetes, databases, cloud providers).

Note

Secrets Engines are the primary reason to deploy Vault. They deliver on Vault’s promise: centralized, dynamic, and secure management of sensitive information.


What Are Secrets Engines?

A Secrets Engine is a plugin-style component in Vault that you enable at a specific mount path. Depending on its type, an engine can:

  • Store static key/value data
  • Generate dynamic credentials on demand
  • Encrypt/Decrypt data (via the Transit engine)
  • Issue certificates (via the PKI engine)

You can enable multiple engines, including multiple instances of the same type, by assigning each one a unique mount path. Mounts are isolated from one another: policies grant a token access per path, and disabling a mount revokes every secret that mount issued.


Defining a Secret

A secret is any piece of data your organization considers sensitive:

  • Usernames and passwords
  • API keys, tokens, or SSH credentials
  • TLS certificates and private keys
  • Database credentials
  • Application configuration files

Vault treats secrets as a service. You generate, manage, and revoke them on demand, backed by leases and audit trails:

  • Dynamic Credentials: Unique, short-lived credentials reduce blast radius.
  • Automatic Revocation: Secrets expire at the end of their lease.
  • Audit Trails: Full visibility into who accessed what and when.

Scenario: A fleet of web servers requests dynamic database credentials from Vault. If one server is compromised, only its credentials are affected. You can pinpoint and revoke its credentials without impacting others.


Dynamic Credentials Workflow

  1. Application Request
    The web app requests AWS credentials from Vault’s AWS Secrets Engine.
  2. Credential Generation
    Vault dynamically creates IAM credentials tied to a lease.
  3. Use of Credentials
    The application uses these to access AWS services (e.g., S3).
  4. Automatic Revocation
    Credentials expire and are revoked at the end of their lease.

On the admin side, you typically run the following; the application then reads aws/creds/app-role to receive an access key pair together with its lease. The role name and the IAM policy file are placeholders:

vault secrets enable aws
vault write aws/config/root \
    access_key=<YOUR_ACCESS_KEY> secret_key=<YOUR_SECRET_KEY> region=us-west-2
# default and maximum lease for credentials issued by this mount
vault write aws/config/lease lease=1h lease_max=24h
# iam_user roles create a dedicated IAM user per request, scoped to the inline policy
vault write aws/roles/app-role \
    credential_type=iam_user \
    policy_document=@app-policy.json
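The four steps above describe the server side. What the application has to get right is the lease: renew it before it expires, and notice when Vault stops extending it (the lease is nearing its maximum TTL, or the lease is not renewable) so that fresh credentials are requested instead. The following is an added example, not code from the course page or from Vault: it models that client-side decision over constructed response dictionaries that follow the shape Vault returns for a read of aws/creds/app-role and for PUT /v1/sys/leases/renew. The lease ID, key material, renewal threshold and minimum useful TTL are assumptions.

```python
"""Lease-aware consumer of Vault dynamic credentials.

Added example; it is not part of the course page or of Vault. It models the
client side of the workflow above: the application has read aws/creds/app-role
(GET /v1/aws/creds/app-role), must renew the lease before it runs out, and has
to fall back to requesting fresh credentials once Vault stops extending it.
The response dictionaries below are constructed to follow the shape Vault
returns for a credential read and for PUT /v1/sys/leases/renew; the key
material and lease ID are made up.
"""
from dataclasses import dataclass

RENEW_NUM, RENEW_DEN = 2, 3   # renew once two-thirds of the granted lease has elapsed
MIN_USEFUL_TTL = 60           # seconds; a shorter grant means the max TTL is near: rotate


@dataclass
class Lease:
    lease_id: str
    issued_at: float      # epoch seconds at which this grant started
    lease_duration: int   # seconds Vault granted for this grant
    renewable: bool
    data: dict            # the secret material (access_key, secret_key, ...)

    @classmethod
    def from_read(cls, resp: dict, now: float) -> "Lease":
        # Only dynamic secrets carry a lease. A static KV read comes back with
        # an empty lease_id and nothing to renew or revoke.
        if not resp.get("lease_id"):
            raise ValueError("response has no lease_id; this is not a dynamic secret")
        return cls(resp["lease_id"], now, int(resp["lease_duration"]),
                   bool(resp["renewable"]), dict(resp["data"]))

    def expires_at(self) -> float:
        return self.issued_at + self.lease_duration

    def renew_due_at(self) -> float:
        # integer arithmetic so the threshold is exact (3600s -> 2400s)
        return self.issued_at + self.lease_duration * RENEW_NUM // RENEW_DEN

    def renewed(self, renew_resp: dict, now: float) -> "Lease":
        """Apply a sys/leases/renew reply. Vault returns the duration it actually
        granted, which shrinks as the lease approaches its max TTL; the secret
        itself is unchanged, so the data is carried over."""
        return Lease(self.lease_id, now, int(renew_resp["lease_duration"]),
                     bool(renew_resp["renewable"]), self.data)


def next_action(lease: Lease, now: float) -> str:
    """What the client should do at time `now`: 'use', 'renew' or 'rotate'."""
    if now >= lease.expires_at():
        return "rotate"   # expired: Vault has already deleted the IAM user
    if now < lease.renew_due_at():
        return "use"
    if lease.renewable and lease.lease_duration >= MIN_USEFUL_TTL:
        return "renew"
    return "rotate"       # not renewable, or grants too short to be worth renewing


def renew_request(lease: Lease, increment: int) -> tuple:
    """(method, path, body) asking Vault to extend the lease by `increment` seconds."""
    return ("PUT", "/v1/sys/leases/renew", {"lease_id": lease.lease_id, "increment": increment})


def revoke_request(lease: Lease) -> tuple:
    """(method, path, body) for revoking on graceful shutdown, so the IAM user
    disappears immediately instead of lingering until the lease expires."""
    return ("PUT", "/v1/sys/leases/revoke", {"lease_id": lease.lease_id})


# Constructed sample: a read of aws/creds/app-role granting a one-hour lease.
SAMPLE_READ = {
    "lease_id": "aws/creds/app-role/3vLhMz0Q9JqXfK2nYp8Rw7Te",
    "renewable": True,
    "lease_duration": 3600,
    "data": {"access_key": "AKIAEXAMPLE0000000", "secret_key": "EXAMPLE-SECRET", "security_token": None},
}
# Constructed sample: a renew reply near the max TTL that grants only 30 more seconds.
SAMPLE_RENEW_CAPPED = {"lease_id": SAMPLE_READ["lease_id"], "renewable": True, "lease_duration": 30}

if __name__ == "__main__":
    t0 = 1_700_000_000.0
    lease = Lease.from_read(SAMPLE_READ, t0)
    for offset in (0, 2399, 2400, 3600):
        print(f"t+{offset:>4}s: {next_action(lease, t0 + offset)}")
    capped = lease.renewed(SAMPLE_RENEW_CAPPED, t0 + 2400)
    print("after capped renewal:", next_action(capped, t0 + 2420), revoke_request(capped))
```

The point to take away is that a renew reply is not a promise of another full lease: Vault returns the duration it granted, and once that falls below what the application can usefully work with, the right move is a new read of aws/creds/app-role, which yields a new IAM user and a new lease. Revoking on shutdown is what makes the "pinpoint and revoke one server" scenario above immediate rather than eventual.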

Built-In Secrets Engines

Vault includes a broad set of engines by default. Select and enable the ones you need:

Category                    Examples
--------------------------  ------------------------------------------------------------------
Cloud Platforms             AWS, Azure, Google Cloud, Alibaba Cloud
Databases                   MySQL, PostgreSQL, MongoDB, Oracle, Cassandra, Snowflake
Identity & Access           Active Directory, Consul, OpenLDAP
Key Management              Key Management (Enterprise Only; distributes keys to AWS KMS, Azure Key Vault, GCP KMS), Google Cloud KMS, KMIP (Enterprise Only)
Encryption & Certificates   Transit, Transform (Enterprise Only), PKI, Venafi
Storage & Utilities         KV v1/v2, Cubbyhole, SSH, TOTP, Terraform Cloud


Key/Value (KV) Secrets Engine

Use the KV engine to store static data that Vault does not generate itself (third-party API keys, shared configuration, and similar).

  • KV v1: each write replaces the previous value; there is no history, so a mistaken write is gone for good. API path: <mount>/<path>.
  • KV v2: every write creates a new version; you can read older versions, roll back, soft-delete and undelete, destroy versions permanently, and use check-and-set (cas) so two writers do not silently overwrite each other. API paths: <mount>/data/<path> for values and <mount>/metadata/<path> for version history, and policies for a v2 mount must name these prefixes.
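The v1/v2 difference is visible at the API level, which is where it bites: the path layout, the payload wrapping, and which operations exist. The following added example is not code from the course page or from Vault; it is a minimal client over Vault's HTTP API (the same calls `vault kv` makes) using only the standard library. The mount names kv1/ and kv2/, the secret path app/db, and the sample values are assumptions; the transport is injectable so the versioning and check-and-set behaviour can be driven against an in-memory stand-in as well as against a real server.

```python
"""KV v1 versus KV v2 from a client's point of view.

Added example; not from the course page or from Vault's own code. It uses only
the standard library and Vault's HTTP API, which is what `vault kv` calls. The
mount names kv1/ (a KV v1 mount) and kv2/ (a KV v2 mount) and the secret path
app/db are assumptions. Set VAULT_ADDR and VAULT_TOKEN to run it against a
real server; the transport is injectable for testing against a stand-in.
"""
import json
import os
import urllib.error
import urllib.request


class VaultError(Exception):
    """Non-2xx reply from Vault, e.g. a check-and-set mismatch."""


def http_transport(method, path, body=None):
    """One request to the Vault HTTP API; returns the parsed JSON body, or {}
    for a 204 No Content reply (which is what a KV v1 write returns)."""
    url = os.environ["VAULT_ADDR"].rstrip("/") + "/v1/" + path
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method=method,
        headers={"X-Vault-Token": os.environ["VAULT_TOKEN"],
                 "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    except urllib.error.HTTPError as e:
        raise VaultError(f"{method} {path}: HTTP {e.code} {e.read().decode()}") from e


class KV:
    """Minimal KV client; `version` is the engine version of the mount and
    decides both the API path layout and how the payload is wrapped."""

    def __init__(self, mount, version, transport=http_transport):
        self.mount, self.version, self._t = mount.strip("/"), version, transport

    def _path(self, kind, secret_path):
        # v1: <mount>/<path>.  v2: <mount>/data/<path> for the values and
        # <mount>/metadata/<path> for the version history. Policies for a v2
        # mount must name these prefixes; forgetting them is the usual
        # "permission denied" after a mount is upgraded from v1 to v2.
        if self.version == 1:
            return f"{self.mount}/{secret_path}"
        return f"{self.mount}/{kind}/{secret_path}"

    def put(self, secret_path, data, cas=None):
        """Write a secret. On v2, cas=<version you last read> (0 = must not
        exist yet) makes Vault reject the write if someone else wrote in the
        meantime instead of silently clobbering their version. Returns the new
        version number on v2 and None on v1, which keeps no history."""
        if self.version == 1:
            self._t("POST", self._path("data", secret_path), data)
            return None
        body = {"data": data}
        if cas is not None:
            body["options"] = {"cas": cas}
        resp = self._t("POST", self._path("data", secret_path), body)
        return resp["data"]["version"]

    def get(self, secret_path, version=None):
        """Read a secret. `version` selects an older v2 version; a v1 mount only
        ever holds the latest value, so the argument is ignored there."""
        path = self._path("data", secret_path)
        if self.version == 2 and version is not None:
            path += f"?version={version}"
        resp = self._t("GET", path)
        # v1 returns the fields directly under "data"; v2 nests them one level
        # deeper, next to the version metadata.
        return resp["data"] if self.version == 1 else resp["data"]["data"]

    def history(self, secret_path):
        """Version numbers recorded for a v2 secret (from the metadata endpoint)."""
        if self.version != 2:
            raise VaultError("version history needs a versioned (v2) mount")
        resp = self._t("GET", self._path("metadata", secret_path))
        return list(resp["data"]["versions"])

    def rollback(self, secret_path, to_version):
        """What `vault kv rollback` does: Vault has no rollback endpoint, so the
        old version is read and written back as a *new* version, here guarded
        by check-and-set against the current one. Returns the new version."""
        if self.version != 2:
            raise VaultError("rollback needs a versioned (v2) mount")
        old = self.get(secret_path, version=to_version)
        current = self._t("GET", self._path("data", secret_path))["data"]["metadata"]["version"]
        return self.put(secret_path, old, cas=current)


if __name__ == "__main__":
    kv2 = KV("kv2", 2)   # real server: `vault secrets enable -path=kv2 kv-v2` first
    print("wrote version", kv2.put("app/db", {"password": "s3cret"}), "history", kv2.history("app/db"))
```

Two things worth noticing: on v1 `put` returns nothing because there is nothing to return, and whatever was there before is gone; on v2 a rollback does not delete the bad version, it adds a new one on top, so the history endpoint still shows the mistake and the audit trail stays intact.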


Database Secrets Engine

Dynamically generate database credentials for many backends:

  • Cassandra, Couchbase, Elasticsearch, HANA DB, InfluxDB
  • MongoDB, Microsoft SQL Server, MySQL/MariaDB (Aurora, RDS)
  • Oracle, PostgreSQL, Redshift, Snowflake
  • Custom database plugins


Warning

Key Management, KMIP and Transform are Enterprise-only engines and are not available on the Community edition. Confirm your Vault license includes these features before designing around them.


Grouping Secrets Engines by Function

  • Cloud Platforms: AWS, Azure, GCP, Alibaba
  • Databases: SQL/NoSQL backends
  • Identity/Access: Active Directory, Consul, OpenLDAP
  • Security & Encryption: KMIP, PKI, Transit, Transform, Venafi
  • Storage: KV v1 & v2, Cubbyhole (per-token)

Overview of Built-In Engines

  • Active Directory
    Rotates the passwords of existing AD service accounts; Vault needs its own bind account with permission to reset them. (This engine is deprecated in favour of the LDAP secrets engine, which covers the same use case.)
  • Cloud (AWS/Azure/GCP/AliCloud)
    Dynamic, lease-bound cloud credentials (IAM users or roles, service principals, service accounts).
  • Consul
    Issues Consul ACL tokens programmatically.
  • Cubbyhole
    Per-token private storage: readable only by the token that wrote it and destroyed when that token expires.
  • Database
    On-demand database credentials; can also rotate the root credential Vault itself connects with.
  • KMIP (Enterprise)
    Vault acts as a KMIP server so KMIP-aware clients, such as storage or database encryption, fetch their keys from it.
  • KV (v1/v2)
    Unversioned vs. versioned key/value storage.
  • Identity
    Always mounted at identity/; manages entities, groups and aliases, and can issue OIDC identity tokens.
  • MongoDB Atlas, Nomad, OpenLDAP
    Platform-specific credential generators (Atlas programmatic API keys, Nomad ACL tokens, LDAP account passwords).
  • PKI
    Vault as a Certificate Authority issuing short-lived certificates for TLS/mTLS.
  • RabbitMQ, SSH, TOTP, Terraform Cloud
    Short-lived RabbitMQ users, SSH one-time passwords or signed SSH certificates, TOTP codes, and Terraform Cloud API tokens.
  • Transit
    Encryption as a service: keys are created, stored and rotated inside Vault; callers send data and receive ciphertext, and Vault stores none of the data.
  • Transform (Enterprise)
    Tokenization, format-preserving encryption and masking.
  • Venafi
    Certificate issuance through the Venafi integration.


Next Steps

You’ve learned the core concepts and built-in Secrets Engines in Vault. In the following sections, we’ll dive into configuration examples, best practices, and real-world use cases for each engine.

