SECURE YOUR
SECRETS

// The secrets vault for cloud-native.

VAULT CHANGED HOW WE MANAGE SECRETS.

Every application needs secrets—API keys, database passwords, certificates. Vault centralizes all of this with fine-grained access control, automatic rotation, and audit logging. No more hardcoded credentials in config files.

WHY VAULT?

Vault uses dynamic secrets—credentials generated on-demand with automatic expiration. It handles encryption, PKI certificates, and integrates with Kubernetes, AWS, and more. Security without complexity.

YOUR SECRETS DESERVE BETTER.

Learn Vault from the ground up. Master KV secrets, dynamic credentials, policies, and enterprise features. Stop storing secrets in git. Start using Vault.


// The Path to Vault Mastery

10 lessons. Complete secrets management.

LESSON 01

Introduction to Vault

What is Vault and why secrets management matters

Beginner
LESSON 02

Installation & Setup

Install Vault and start dev server

Beginner
LESSON 03

KV Secrets Engine

Store and retrieve secrets

Beginner
LESSON 04

Policies & Auth

Control access with policies

Beginner
LESSON 05

Dynamic Secrets

Generate credentials on-demand

Intermediate
LESSON 06

PKI & Certificates

Manage TLS certificates

Intermediate
LESSON 07

Transit Secrets

Encryption as a service

Intermediate
LESSON 08

Kubernetes Integration

Vault Agent and K8s auth

Intermediate
LESSON 09

Auditing

Track all Vault operations

Advanced
LESSON 10

High Availability

Scale Vault in production

Advanced

// Why Vault

Vault was created by HashiCorp and open-sourced in 2015. It became the standard for secrets management, with over 50 million downloads and adoption by Fortune 500 companies worldwide.

Before Vault, secrets were scattered—hardcoded in apps, stored in config files, or worse, in git. Vault provides a centralized, audited, and secure home for all your sensitive data.

Vault's key innovation is dynamic secrets. Instead of static passwords, Vault generates short-lived credentials for databases, AWS, and more. When a lease expires, the credentials are automatically revoked. This reduces the blast radius of any compromise.

Your secrets deserve a vault. Literally.

// Tools & References

📖 Vault Docs

Official Documentation

vaultproject.io/docs

🔐 HashiCorp

Company Behind Vault

hashicorp.com

☸️ Vault Kubernetes

K8s Integration

K8s docs

🔧 Vault Agent

Auto-Authentication

Agent docs

📝 Policies

Policy Language

Policies

🔄 Vault UI

Web Interface

UI tutorial

// Introduction to Vault


What is Vault?

Vault is a secrets management system. It stores sensitive data (API keys, passwords, certificates), controls access through policies, and provides an audit trail of all secret access.

Key Concepts

  • Secrets: Sensitive data stored in Vault
  • Secret Engine: Component that stores/generates secrets
  • Token: Authentication credential for Vault access
  • Policy: Rules defining what paths a token can access
  • Lease: Time-limited access to secrets

VAULT PHILOSOPHY: "Secrets are dynamic." Vault doesn't just store secrets—it generates them on-demand with automatic expiration and revocation.

What Vault Secures

# Types of secrets Vault manages:
# - Static secrets (username/password)
# - Dynamic credentials (database, AWS)
# - TLS certificates
# - Encryption keys
# - SSH keys

Quiz

1. Vault manages _____, not code.

Hint: Sensitive data

2. Policies control _____ to paths.

Hint: What you can do

3. Time-limited secret access is a _____.

Hint: Rental period

4. Auth credential is called a _____.

Hint: Access key

5. Vault generates _____ credentials dynamically.

Hint: On-demand


Answers

1. Secrets

2. Access

3. Lease

4. Token

5. Dynamic

// Installation & Setup


Installing Vault

Vault runs as a single binary. Download it and you're ready.

Quick Start

$ curl -LO https://releases.hashicorp.com/vault/1.15.0/vault_1.15.0_linux_amd64.zip
$ unzip vault_1.15.0_linux_amd64.zip
$ sudo mv vault /usr/local/bin/
$ vault --version
Vault v1.15.0

Dev Server

$ vault server -dev
# WARNING: Dev mode is not for production!
# Unseal Key: XXXXXX
# Root Token: XXXXXX
# Vault listening on localhost:8200

Environment Variables

$ export VAULT_ADDR='http://localhost:8200'
$ export VAULT_TOKEN='your-root-token'
$ vault status

Quiz

1. Dev server is not for _____.

Hint: Real use

2. Default Vault port is _____.

Hint: 8200

3. Set address with VAULT _____ env var.

Hint: Address


Answers

1. Production

2. 8200

3. ADDR

// KV Secrets Engine


What is KV?

KV (Key-Value) is Vault's basic secrets engine. Store arbitrary key-value pairs with versioning support.

Using KV

$ vault kv put secret/myapp database=localhost username=admin
# Secret written
$ vault kv get secret/myapp
# ====== Data ======
# Key         Value
# database    localhost
# username    admin
$ vault kv delete secret/myapp
# Secret deleted

KV Versions

$ vault kv get -version=1 secret/myapp        # Get specific version
$ vault kv rollback -version=1 secret/myapp   # Rollback to version 1

Quiz

1. Store secret with vault kv _____.

Hint: Add

2. Read secret with vault kv _____.

Hint: Read

3. Delete secret with vault kv _____.

Hint: Remove


Answers

1. Put

2. Get

3. Delete

// Policies & Auth


What are Policies?

Policies control access to paths in Vault. They're written in HCL (HashiCorp Configuration Language).

Policy Example

# Read access to secret/myapp
path "secret/myapp/*" {
  capabilities = ["read"]
}

# Full control
path "secret/admin/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

Capabilities

  • create: Write new data
  • read: Read data
  • update: Overwrite existing data
  • delete: Delete data
  • list: List keys
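To make the matching rules concrete, here is an added example (not Vault's own code) that reimplements the documented policy semantics in Python: an exact path match beats globs, a trailing "*" matches any suffix, "+" matches a single path segment, the longest matching pattern wins within a policy, and a "deny" capability overrides everything. It includes a minimal parser for just the `path "..." { capabilities = [...] }` subset of HCL shown above; the `secret/admin/prod/*` deny rule is a constructed addition to the lesson's policy.

```python
"""Added example: a simplified model of how Vault matches a request path against policy rules.
Not Vault's own code; it reimplements the documented rules on top of a tiny parser for the
'path "..." { capabilities = [...] }' subset of HCL used in the lesson."""
import re

RULE_RE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


def parse_policy(hcl: str) -> dict:
    """Parse the path/capabilities subset of a policy into {pattern: set(capabilities)}."""
    hcl = re.sub(r"#[^\n]*", "", hcl)  # strip comments
    return {
        pattern: {c.strip().strip('"') for c in caps.split(",") if c.strip()}
        for pattern, caps in RULE_RE.findall(hcl)
    }


def compile_rule(pattern: str):
    """Translate a policy path pattern into a regex: '*' is only valid at the end, '+' is one segment."""
    if "*" in pattern[:-1]:
        raise ValueError("'*' is only allowed as the last character of a path")
    body = pattern[:-1] if pattern.endswith("*") else pattern
    regex = "".join("[^/]+" if part == "+" else re.escape(part) for part in re.split(r"(\+)", body))
    return re.compile("^" + regex + (".*" if pattern.endswith("*") else "") + "$")


def matching_capabilities(policy: dict, path: str) -> set:
    """Capabilities one policy grants on a path: exact match first, else the longest matching pattern."""
    if path in policy:
        return policy[path]
    matches = [(pattern, caps) for pattern, caps in policy.items() if compile_rule(pattern).match(path)]
    if not matches:
        return set()
    return max(matches, key=lambda m: len(m[0]))[1]


def is_allowed(policies: list, path: str, capability: str) -> bool:
    """Union the capabilities of every attached policy; any 'deny' wins."""
    granted = set()
    for policy in policies:
        granted |= matching_capabilities(policy, path)
    return "deny" not in granted and capability in granted


# The policy from the lesson, plus a constructed deny rule on a more specific path
LESSON_POLICY = parse_policy("""
# Read access to secret/myapp
path "secret/myapp/*" {
  capabilities = ["read"]
}
# Full control
path "secret/admin/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
# Constructed: explicitly deny the production sub-tree even for admins
path "secret/admin/prod/*" {
  capabilities = ["deny"]
}
""")

if __name__ == "__main__":
    for path, cap in [("secret/myapp/db", "read"), ("secret/myapp/db", "update"),
                      ("secret/admin/dev", "delete"), ("secret/admin/prod/key", "read")]:
        print(f"{cap:>6} on {path}: {is_allowed([LESSON_POLICY], path, cap)}")
```

The deny rule is the part worth keeping in mind: because `secret/admin/prod/*` is longer than `secret/admin/*`, it wins for anything under prod, and a policy that grants "deny" anywhere in the union cannot be overridden by another policy that grants more. Note that on a KV version 2 mount the API path a policy must name is `secret/data/<name>`, not `secret/<name>`.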

Auth Methods

$ vault login -method=userpass username=admin password=secret   # Authenticate with username/password
$ vault login xxxx                                              # Authenticate with an existing token

Quiz

1. Policies written in _____ format.

Hint: Config language

2. Policy paths control _____ to secrets.

Hint: What you can do

3. Login with vault _____-method.

Hint: Auth method


Answers

1. HCL

2. Access

3. Auth

// Dynamic Secrets


What are Dynamic Secrets?

Dynamic secrets are generated on-demand when requested. They have automatic expiration via leases and can be revoked instantly.

Database Secrets

$ vault secrets enable database                    # Enable database secrets engine
$ vault write database/config/mydb \
    plugin_name=postgresql-database-plugin \
    allowed_roles="my-role" \
    connection_url="postgresql://{{username}}:{{password}}@localhost:5432/mydb" \
    username="vault" password="vault-db-password"   # Vault's own DB login (placeholder values), used to create users
$ vault write database/roles/my-role \
    db_name=mydb \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';" \
    default_ttl=1h max_ttl=24h
$ vault read database/creds/my-role                # Request credentials
# lease_id: database/creds/my-role/xxxx
# lease_duration: 1h
# username: v-token-myrole-xxxx
# password: xxxx-xxxx

AWS Secrets

$ vault secrets enable aws
$ vault write aws/config/root access_key=xxx secret_key=yyy
$ vault write aws/roles/my-role credential_type=iam_user policy_arns=arn:aws:iam::aws:policy/ReadOnlyAccess   # Define what the generated user may do
$ vault read aws/creds/my-role                     # Access key ID and secret
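The lease bookkeeping an application has to do around these credentials is easy to get wrong, so here is an added example (not Vault's code) of a small client for the Vault HTTP API that requests database credentials and renews or replaces them before they expire. It assumes `VAULT_ADDR` and `VAULT_TOKEN` as in the setup lesson and a configured `my-role`; `database/creds/<role>`, `sys/leases/renew` and `sys/leases/revoke` are real endpoints, while the two-thirds renewal point and the 60-second threshold are assumed policy choices. The transport is injectable so the lease logic can be exercised offline with a constructed stand-in.

```python
"""Added example (not Vault's code): request dynamic DB credentials over the HTTP API
and keep their lease alive. Renewal timing constants below are assumed policy choices."""
import json
import urllib.request

RENEW_AT_FRACTION = 2 / 3   # assumed: renew once two thirds of the lease has elapsed
MIN_USEFUL_SECONDS = 60     # assumed: a renewal that buys less than this is treated as exhausted


def http_transport(addr: str, token: str):
    """Real transport: authenticated JSON calls against /v1/<path>."""
    def send(method: str, path: str, body=None) -> dict:
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}", data=data, method=method,
                                     headers={"X-Vault-Token": token, "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return json.loads(raw) if raw else {}
    return send


def request_db_creds(send, role: str, now: float) -> dict:
    """GET database/creds/<role>; return the credential together with its lease bookkeeping."""
    resp = send("GET", f"database/creds/{role}")
    ttl = resp["lease_duration"]
    return {
        "lease_id": resp["lease_id"],
        "renewable": resp["renewable"],
        "username": resp["data"]["username"],
        "password": resp["data"]["password"],
        "expires_at": now + ttl,
        "renew_at": now + round(ttl * RENEW_AT_FRACTION),
    }


def renew_lease(send, lease: dict, now: float, increment: int) -> dict:
    """PUT sys/leases/renew; Vault may grant less than requested (max_ttl), so trust the returned duration."""
    resp = send("PUT", "sys/leases/renew", {"lease_id": lease["lease_id"], "increment": increment})
    ttl = resp["lease_duration"]
    return {**lease, "expires_at": now + ttl, "renew_at": now + round(ttl * RENEW_AT_FRACTION)}


def revoke_lease(send, lease: dict) -> None:
    """PUT sys/leases/revoke: the database user is dropped immediately, not at expiry."""
    send("PUT", "sys/leases/revoke", {"lease_id": lease["lease_id"]})


def maintain(send, lease: dict, role: str, now: float, increment: int = 3600) -> dict:
    """Keep a usable credential: renew when due, or fetch a fresh one once renewal no longer helps."""
    if now < lease["renew_at"]:
        return lease
    if lease["renewable"] and now < lease["expires_at"]:
        renewed = renew_lease(send, lease, now, increment)
        if renewed["expires_at"] - now > MIN_USEFUL_SECONDS:
            return renewed
    return request_db_creds(send, role, now)   # the old lease expires on its own, or call revoke_lease()


def fake_transport(responses: dict):
    """Constructed stand-in for offline use: maps (method, path) to canned Vault-shaped responses."""
    calls = []
    def send(method, path, body=None):
        calls.append((method, path, body))
        return responses[(method, path)]
    send.calls = calls
    return send


if __name__ == "__main__":
    import os, time
    send = http_transport(os.environ["VAULT_ADDR"], os.environ["VAULT_TOKEN"])
    lease = request_db_creds(send, "my-role", time.time())
    print(lease["username"], "expires in", int(lease["expires_at"] - time.time()), "seconds")
```

The point of `renew_lease` trusting the returned `lease_duration` is that a renewal near `max_ttl` is granted only up to that ceiling; an application that assumes it got the full increment keeps using a credential the database has already dropped.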

Quiz

1. Dynamic secrets are generated on _____.

Hint: When needed

2. Credentials expire after _____ duration.

Hint: Time period

3. Enable secrets engine with vault _____ enable.

Hint: Secrets


Answers

1. Demand

2. Lease

3. Secrets

// PKI & Certificates


PKI Secrets Engine

Vault can act as a Certificate Authority (CA), generating TLS certificates dynamically for your services.

Setup PKI

$ vault secrets enable pki
$ vault secrets tune -max-lease-ttl=87600h pki                                     # Allow a 10-year CA certificate
$ vault write pki/root/generate/internal common_name="myapp.internal" ttl=87600h   # Generate root CA
$ vault write pki/roles/myapp allowed_domains="myapp.internal" allow_subdomains=true

Generate Certificates

$ vault write pki/issue/myapp common_name="db.myapp.internal"
# Returns certificate and private key
# certificate: -----BEGIN CERTIFICATE-----
# issuing_ca:  -----BEGIN CERTIFICATE-----

Quiz

1. Vault acts as Certificate _____.

Hint: CA

2. Enable PKI with vault _____ enable pki.

Hint: Secrets

3. Generate certs with pki/_____ command.

Hint: Get certificate


Answers

1. Authority

2. Secrets

3. Issue

// Transit Secrets


What is Transit?

Transit is Vault's encryption-as-a-service. Applications send data to Vault to be encrypted or decrypted; the keys never leave Vault, so you don't need to manage encryption keys yourself.

Using Transit

$ vault secrets enable transit
$ vault write -f transit/keys/my-key                                          # Create encryption key (-f: no data payload)
$ vault write transit/encrypt/my-key plaintext=$(echo -n "secret data" | base64)
# Returns ciphertext of the form vault:v1:...
$ vault write transit/decrypt/my-key ciphertext=$CIPHERTEXT
# Returns the plaintext base64-encoded; pipe it through base64 -d to recover "secret data"

Use Cases

  • Database encryption: Encrypt fields before storage
  • API payloads: Encrypt sensitive data in transit
  • File encryption: Encrypt files at rest
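Because Transit speaks base64 on both sides and tags ciphertext with the key version, client code has two recurring mistakes: sending raw bytes, and storing the decrypt response without decoding it. The following is an added example (not Vault's code) of a thin Transit client that handles both and shows rotation plus rewrap. It assumes a `post(path, body)` callable that sends an authenticated POST under `/v1/` and returns the parsed JSON; `transit/encrypt`, `transit/decrypt`, `transit/rewrap` and `transit/keys/<name>/rotate` are real endpoints and `my-key` is the lesson's key name. The `FakeTransit` class is a constructed stand-in so the flow runs offline; it only tracks versions and tokens and performs no encryption.

```python
"""Added example (not Vault's code): a Transit client that gets base64 and key versions right.
FakeTransit is a constructed offline stand-in for the API, not an encryption implementation."""
import base64
import secrets


def transit_encrypt(post, key_name: str, plaintext: bytes) -> str:
    """Transit takes base64 text, never raw bytes; it returns 'vault:v<N>:...' tagged with the key version."""
    resp = post(f"transit/encrypt/{key_name}", {"plaintext": base64.b64encode(plaintext).decode("ascii")})
    ciphertext = resp["data"]["ciphertext"]
    if not ciphertext.startswith("vault:v"):
        raise ValueError(f"unexpected ciphertext format: {ciphertext[:12]}")
    return ciphertext


def transit_decrypt(post, key_name: str, ciphertext: str) -> bytes:
    """The decrypt response is base64 too; decode it before use or storage."""
    resp = post(f"transit/decrypt/{key_name}", {"ciphertext": ciphertext})
    return base64.b64decode(resp["data"]["plaintext"])


def key_version(ciphertext: str) -> int:
    """Parse the key version out of 'vault:v3:...' so stale ciphertext can be found after rotation."""
    return int(ciphertext.split(":", 2)[1][1:])


def rotate_and_rewrap(post, key_name: str, ciphertexts: list) -> list:
    """Rotate the key, then rewrap stored ciphertexts to the new version without exposing plaintext."""
    post(f"transit/keys/{key_name}/rotate", {})
    return [post(f"transit/rewrap/{key_name}", {"ciphertext": c})["data"]["ciphertext"] for c in ciphertexts]


class FakeTransit:
    """Constructed stand-in for the Transit API: tracks key versions and maps tokens to stored input."""
    def __init__(self):
        self.version = 1
        self.store = {}

    def post(self, path: str, body: dict) -> dict:
        op = path.split("/")[1]
        if op == "encrypt":
            base64.b64decode(body["plaintext"], validate=True)  # reject non-base64 input, as Vault does
            token = secrets.token_hex(8)
            self.store[token] = body["plaintext"]
            return {"data": {"ciphertext": f"vault:v{self.version}:{token}"}}
        if op == "decrypt":
            return {"data": {"plaintext": self.store[body["ciphertext"].split(":")[2]]}}
        if op == "rewrap":
            token = body["ciphertext"].split(":")[2]
            return {"data": {"ciphertext": f"vault:v{self.version}:{token}"}}
        if op == "keys":  # transit/keys/<name>/rotate
            self.version += 1
            return {}
        raise KeyError(path)


if __name__ == "__main__":
    fake = FakeTransit()
    ct = transit_encrypt(fake.post, "my-key", b"secret data")
    new_ct, = rotate_and_rewrap(fake.post, "my-key", [ct])
    print(ct, "->", new_ct, "->", transit_decrypt(fake.post, "my-key", new_ct))
```

Rewrap is the operation that makes key rotation practical for the database-field use case above: the stored ciphertexts move to the new key version without the application ever holding plaintext, and `key_version` lets a batch job find rows still on an old version.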

Quiz

1. Transit provides _____ as a service.

Hint: Data protection

2. Enable transit with vault _____ enable transit.

Hint: Secrets

3. Encryption/decryption with transit _____ command.

Hint: Encrypt


Answers

1. Encryption

2. Secrets

3. Encrypt

// Kubernetes Integration


Vault + Kubernetes

Vault can authenticate with Kubernetes using service account tokens. Applications can get secrets directly from Vault without storing long-lived credentials.

Kubernetes Auth

$ vault auth enable kubernetes
$ vault write auth/kubernetes/config \
    token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
    kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443"
$ vault write auth/kubernetes/role/myapp \
    bound_service_account_names=myapp \
    bound_service_account_namespaces=default \
    policies=myapp ttl=1h                       # Bind the service account to a policy; this is the "myapp" role the pod annotations reference

Vault Agent

Vault Agent auto-authenticates and injects secrets into pods via annotations.

Annotations

# pod annotations for automatic secrets
metadata:
  annotations:
    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/role: "myapp"
    vault.hashicorp.com/agent-inject-secret-db: "database/creds/myapp"

Quiz

1. Kubernetes _____ enables K8s auth.

Hint: Auth method

2. _____ injects secrets into pods.

Hint: Sidecar

3. vault.hashicorp.com/role specifies _____.

Hint: Access rights


Answers

1. Auth

2. Agent

3. Policy

// Auditing


What is Auditing?

Vault audit devices log every operation—authentication, secret access, secret creation, and more. Essential for compliance and security investigations.

Enable Audit

$ vault audit enable file file_path=/var/log/vault_audit.log   # Enable file audit device
$ vault audit list                                             # List enabled audit devices

Audit Log Format

# {"time":"2024-01-01T00:00:00.000Z","type":"request","...}
# {"time":"2024-01-01T00:00:00.000Z","type":"response","...}

Multiple Audit Devices

$ vault audit enable syslog                                                   # Enable syslog audit device
$ vault audit enable socket address=audit.example.com:9090 socket_type=tcp   # Enable socket audit device (stream to a remote collector)
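Audit lines are only useful if something reads them, so here is an added example (not Vault's code) of a first detection pass over file-audit-device output: it pairs the request/response format above with three starter rules, root-token use, policy edits under `sys/policies/`, and "permission denied" responses. The field names (`type`, `auth.policies`, `auth.display_name`, `request.operation`, `request.path`, `request.remote_address`, `error`) are those Vault writes; the five log lines are constructed samples, with sensitive values shown as the `hmac-sha256:` digests Vault records in place of the secrets themselves.

```python
"""Added example (not Vault's code): a small detection pass over Vault audit log lines.
SAMPLE_AUDIT_LOG is constructed; the HMAC values stand in for the digests Vault writes."""
import json
from collections import Counter

SAMPLE_AUDIT_LOG = r"""
{"time":"2024-01-01T00:00:01Z","type":"request","auth":{"client_token":"hmac-sha256:aaa","accessor":"hmac-sha256:bbb","display_name":"userpass-admin","policies":["default","myapp"]},"request":{"id":"r1","operation":"read","path":"secret/data/myapp","remote_address":"10.0.0.5"}}
{"time":"2024-01-01T00:00:01Z","type":"response","auth":{"display_name":"userpass-admin","policies":["default","myapp"]},"request":{"id":"r1","operation":"read","path":"secret/data/myapp","remote_address":"10.0.0.5"},"response":{"data":{"data":{"password":"hmac-sha256:ccc"}}}}
{"time":"2024-01-01T00:00:02Z","type":"request","auth":{"client_token":"hmac-sha256:ddd","display_name":"userpass-admin","policies":["default","myapp"]},"request":{"id":"r2","operation":"delete","path":"secret/data/admin/prod","remote_address":"10.0.0.5"}}
{"time":"2024-01-01T00:00:02Z","type":"response","auth":{"display_name":"userpass-admin","policies":["default","myapp"]},"request":{"id":"r2","operation":"delete","path":"secret/data/admin/prod","remote_address":"10.0.0.5"},"error":"1 error occurred:\n\t* permission denied\n\n"}
{"time":"2024-01-01T00:00:03Z","type":"request","auth":{"client_token":"hmac-sha256:eee","display_name":"root","policies":["root"]},"request":{"id":"r3","operation":"update","path":"sys/policies/acl/myapp","remote_address":"203.0.113.9"}}
"""


def parse_audit_lines(text: str):
    """Yield one dict per non-empty JSON line; a malformed line is reported, not silently skipped."""
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError as exc:
            yield {"type": "malformed", "lineno": lineno, "error": str(exc)}


def analyze_audit(text: str):
    """Return (findings, per-path operation counts) for the rules a reviewer would start with."""
    findings, activity = [], Counter()
    for entry in parse_audit_lines(text):
        req = entry.get("request") or {}
        auth = entry.get("auth") or {}
        kind = entry.get("type")
        if kind == "malformed":
            findings.append(("malformed-line", entry["lineno"], entry["error"]))
        elif kind == "request":
            activity[(req.get("operation"), req.get("path"))] += 1
            if "root" in auth.get("policies", []):               # root token use should be rare and reviewed
                findings.append(("root-token-use", req.get("path"), req.get("remote_address")))
            if req.get("path", "").startswith("sys/policies/"):  # policy edits change who can read what
                findings.append(("policy-change", req.get("path"), auth.get("display_name")))
        elif kind == "response" and "permission denied" in (entry.get("error") or ""):
            findings.append(("permission-denied", req.get("path"), auth.get("display_name")))
    return findings, activity


if __name__ == "__main__":
    found, counts = analyze_audit(SAMPLE_AUDIT_LOG)
    for finding in found:
        print(*finding)
    for (op, path), n in counts.items():
        print(f"{n:3d} {op:7s} {path}")
```

Two details carry over to real deployments: the secret values and tokens in the log are HMACs, so the file can be shipped to a SIEM without leaking what it records, and "permission denied" arrives on the response entry rather than the request entry, so a rule that only reads requests never sees it.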

Quiz

1. Audit devices _____ all Vault operations.

Hint: Record

2. Enable audit with vault _____ enable.

Hint: Audit

3. List audit devices with vault _____ list.

Hint: Audit


Answers

1. Log

2. Audit

3. Audit

// High Availability


HA Overview

Vault supports high availability with multiple server nodes. One node is the leader, others are standby. Standbys forward requests to the leader.

Storage Backends

HA requires a distributed storage backend like Consul, etcd, or DynamoDB.

Configuration

# ha_backend.hcl
storage "consul" {
  address = "127.0.0.1:8500"
  path    = "vault/"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  # Set tls_cert_file and tls_key_file here for production (tls_disable = 1 only in a lab)
}

api_addr     = "http://node1:8200"
cluster_addr = "http://node1:8201"

$ vault server -config=ha_backend.hcl

HA Features

  • Automatic failover: Standby becomes leader if leader fails
  • Request routing: Standbys forward requests to leader
  • Seal unsealing: Only one node needs to unseal

Quiz

1. Vault HA uses a distributed _____ backend.

Hint: Where data lives

2. One node is the _____, others are standby.

Hint: Primary

3. Consul is a common _____ backend.

Hint: Storage


Answers

1. Storage

2. Leader

3. Storage