HCP Vault Overview
HCP Vault is a hosted version of Vault, which is operated by HashiCorp to allow organizations to get up and running quickly. HCP Vault uses the same binary as self-hosted Vault, which means you will have a consistent user experience. You can use the same Vault clients to communicate with HCP Vault as you use to communicate with a self-hosted Vault.
NOTE: Currently, HCP Vault clusters can be created on either AWS or Azure running in multiple regions across North America, Asia, and Europe. We will support additional cloud providers in the future.
Why HCP Vault?
Vault running on the HashiCorp Cloud Platform (HCP) enables users to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys within one unified cloud-based platform.
The benefits of HCP Vault are:
Reduce operational overhead: Push-button deployment, fully managed upgrades, and backups mean organizations can focus on adoption and integration instead of operational overhead.
Increase security across clouds and machines: Secure your infrastructure across all your environments through a single interface and globally control and restrict access to sensitive data and systems.
Control cost: Reduce the number of systems, licenses, and manual overhead by centralizing secrets management with HCP Vault.
Day zero readiness: Modern cloud security to quickly secure applications, access, and data from day zero.
Reliability: HashiCorp has experience supporting thousands of commercial Vault clusters and HCP Vault brings that expertise directly to users.
Ease of use: HCP Vault is built around making cloud security automation simple. Get up and running instantly so that you can onboard applications and teams easily.
Feature parity
The table below compares the features available on the self-managed Vault Enterprise and HCP Vault.
| Features | Self-managed | HCP Vault |
|---|---|---|
| All Open Source Features | ✔️ | ✔️ |
| Namespaces | ✔️ | ✔️ |
| Performance Replication | ✔️ | ✔️ |
| Paths Filter | ✔️ | ✔️ |
| Read Replica | ✔️ | ✔️ |
| Disaster Recovery (DR) Replication | ✔️ | |
| Control Groups | ✔️ | ✔️ |
| Sentinel | ✔️ | ✔️ |
| HSM Auto-unseal | ✔️ | |
| Entropy Augmentation | ✔️ | |
| FIPS 140-2 & Seal Wrap | ✔️ | |
| KMIP Secrets Engine | ✔️ | |
| Key Management Secrets Engine | ✔️ | |
| Transform Secrets Engine | ✔️ | |
| Automatic Minor Version Upgrade | | ✔️ |
| Automatic Major Version Upgrade | | ✔️ |
| Audit Logging by default | | ✔️ |
| Snapshots & Restore | | ✔️ |
Note: On self-managed Vault Enterprise clusters, audit logging must be configured manually. Similarly, if your self-managed Vault runs with Integrated Storage, you can configure automatic data snapshots yourself. HCP Vault, by contrast, configures audit logging automatically.
HCP Vault on Azure
HCP Vault on Azure includes all features found on AWS, with the exception of the following features, which are planned:
- Snapshots retained for 30 days after cluster deletion to support cluster restore
- Oracle Database Secrets Plugin
Self-managed vs. HCP Vault cluster
Here is a quick comparison between a self-managed Vault cluster and an HCP Vault cluster.
| | Self-managed | HCP Vault |
|---|---|---|
| Vault Edition | Vault OSS or Vault Enterprise | Vault Enterprise |
| Storage backend | Choose one and self-manage | Integrated Storage |
| Seal | By default, the seal uses Shamir's Secret Sharing algorithm to generate key shares. | Auto-unseal is configured. A unique Key Management Service (KMS) key is created for each cluster. |
| Vault version | Self-manage the upgrade process | Minor and major versions are upgraded for you automatically. See the Vault Version documentation for more detail. |
| Top-level Namespace | root | admin |
| Root/admin token | The Vault initialization process generates a root token. To regenerate a root token, unseal keys or recovery keys are required. | Clicking the Generate token button in the HCP Vault Portal returns an admin token that is valid for 6 hours. |
| Advanced Data Protection (ADP) features | Available with license | Currently not available |
| Enterprise Replication | DR Replication requires Enterprise Standard, and Performance Replication is part of Enterprise Premium. | Performance Replication is available with HCP Vault Plus. |
| Cluster Scaling | No built-in feature to scale the cluster size up or down. | Scale your cluster size dynamically via the HashiCorp Cloud Platform Portal or Terraform. |
| Tier Sizing | Not applicable | For information on tier sizing and pricing, see HCP Vault Pricing. |
| Sentinel and Control Groups | Available with license | Available with HCP Vault Plus. |
Validated Secrets Engines and Auth Methods
The following secrets engines and auth methods have been demonstrated to function as intended with HCP Vault. HCP Vault does not place any explicit restrictions on using secrets engines or auth methods not mentioned below. There are some limitations on using the AWS IAM and TLS certificates auth methods in HCP Vault; refer to HCP Vault Constraints and Known Issues for more details. Additional auth methods, secrets engines, and database secrets engines are currently being validated.
Tutorial
Refer to the Getting Started with HCP Vault tutorial to get hands-on with HCP Vault and set up your managed Vault cluster.
Looking for Vault fundamentals?
Read core Vault documentation and tutorials, including self-hosted open source docs.