Vault
App in the BluixApps catalog
What it is
HashiCorp Vault is the industry-standard secrets management platform — store + audit + rotate API keys, database credentials, certificates, encryption keys. Dynamic secrets, encryption-as-a-service, fine-grained access policies via HCL.
Used in production at virtually every Fortune 500. Open core (BSL 1.1 since 2023).
What it's for
- Centralized secrets — single source for all app credentials
- Dynamic secrets — auto-generate + rotate DB credentials per session
- PKI / certificate authority — issue + revoke TLS certs
- Encryption as a service — encrypt/decrypt API for apps
- Access policies — fine-grained ACL via HCL
Who it's for
- Enterprise IT managing secrets across hundreds of apps
- DevOps teams automating secret rotation
- Security teams auditing credential access
- Multi-team orgs needing tenant-isolated secret stores
- Compliance-bound orgs with SOC 2 / PCI requirements
Why teams pick Vault over alternatives
- BSL 1.1 (open core) — production self-host allowed
- Industry standard — most documentation, tooling, integrations
- Dynamic secrets — unique short-lived credentials per consumer
- Multi-engine — KV, database, PKI, transit, AWS, Azure, GCP
- Audit logging — every access logged + immutable
- HA via Raft — built-in clustering
Integrations
- Secret engines — KV v1/v2, database, PKI, transit, AWS, Azure, GCP, SSH, transit
- Auth methods — Token, AppRole, JWT/OIDC, LDAP, GitHub, AWS, Kubernetes
- Storage backends — File, Raft (HA), Consul, S3, Azure Blob
- Audit devices — File, syslog, socket
- Client libraries — Go, Python, Ruby, Java, .NET, JS, Rust
- Kubernetes integration — Vault Agent Injector, Secrets Operator
- Terraform provider — manage Vault config via IaC
Notable users & community
- 32k+ GitHub stars
- Used at every major bank, tech company, government agency
- Backed by HashiCorp (IBM since 2024)
- HashiConf annual conference
- Industry-standard in DevSecOps
Tips & operations
- Initial unseal — Vault starts sealed; needs 3-of-5 unseal keys after init
- Root token — generated on init; KEEP SECRET, used only for setup
- Auto-unseal for production — auto-unseal with cloud KMS / Transit
- Backup snapshots — Raft snapshots for disaster recovery
- Policy testing —
vault policy fmt+ dry-run before production - License awareness — BSL 1.1 restricts competitive hosting; fine for internal use
What we ship in BluixApps
- Docker image:
hashicorp/vault:latest - File storage backend (single-node, dev/test pattern)
- IPC_LOCK capability for memory safety
- Persistent volumes:
/opt/vault/file+/opt/vault/config+/opt/vault/logs - Port 8200 exposed (HTTP, no TLS by default — wire LE at reverse proxy)
- TLS hardening + Raft storage documented for production
- Backup hook covers Raft snapshots
Get this app — pick a BluixApps plan
Same catalog. Scaling tenant isolation, white-label and support tier.
| Tier | Tenants | Catalog | Support | White-label | Monthly | |
|---|---|---|---|---|---|---|
| Stacks | 1 | 19 curated stacks | Standard | — | $19/mo | DetailDeploy |
| Starter | 10 | Full catalog | Standard | +$15–25/mo | $49/mo | DetailDeploy |
| Pro | 25 | Full catalog | Priority bugfix | +$15–25/mo | $149/mo | DetailDeploy |
| Growth | 100 | Full catalog | Priority bugfix | +$15–25/mo | $349/mo | DetailDeploy |
| Scale | 500 | Full catalog | 7-day window | +$15–25/mo | $799/mo | DetailDeploy |
| Enterprise | Unlimited | Full catalog | Priority 7-day | Bundled | $1,499/mo | DetailDeploy |