Vault
Why use HCP Vault Dedicated
HashiCorp Cloud Platform (HCP) Vault Dedicated is a fully managed implementation of Vault Enterprise. HashiCorp operates the infrastructure, allowing organizations to get up and running quickly. HCP Vault provides a consistent user experience compared to a self-managed Vault cluster. You can use the same Vault clients to communicate with HCP Vault Dedicated as you use to communicate with self-managed Vault.
In this series of tutorials, you will create, access, and configure a Vault cluster managed on the HashiCorp Cloud Platform. If you are already familiar with how to provision and access a Vault cluster using the HCP Portal, visit the Manage HCP Vault Dedicated collection to dive deeper into Vault Dedicated management.
Simplify deployments
The HashiCorp Cloud Platform reduces operational overhead compared to a self-managed Vault cluster. Select a cloud provider, a cluster size, and HCP manages the deployment and Vault updates for you.
Multiple connectivity options
There are multiple connectivity options once you deploy a new HCP Vault Dedicated cluster.
Most organizations choose to configure their Vault Dedicated cluster using a private connection over a peering connection to their cloud provider. This allows workloads in AWS or Azure to access the Vault Dedicated cluster to retrieve secrets.
You can also chooses to allow a public connection. With public connections enabled, the Vault Dedicated cluster will have an associated public address where clients can directly connect to Vault. When using a public connection, you should configure IP allow list to limit access to your Vault Dedicated cluster from trusted IP addresses.
Self-managed and HCP Vault Dedicated cluster comparison
Here is a quick comparison between a self-managed Vault cluster and an Vault Dedicated cluster.
| Feature | Self-managed | HCP Vault Dedicated |
|---|---|---|
| Vault Edition | Vault Community Edition or Vault Enterprise | Vault Enterprise |
| Storage backend | Choose one and self-manage | Integrated Storage |
| Seal | Seal uses Shamir's Secret Sharing algorithm to generate key shares by default. | Auto-unseal is configured. A unique Key Management Service (KMS) key is created for each cluster. |
| Vault version | Self-manage the upgrade process | The minor versions are upgraded for you automatically. See the Vault Version documentation for more detail. |
| Top-level Namespace | root | admin |
| Root/admin token | Vault initialization process generates a root token. To regenerate a root token, unseal keys or recovery keys are required. | Click on the Generate token button via Vault Dedicated Portal returns an admin token which is valid for 6 hours. |
| Advanced Data Protection (ADP) features | Available with license | Available with Vault Dedicated Plus. |
| Enterprise Replication | DR Replication requires Enterprise Standard, and Performance Replication is part of Enterprise Premium. | Performance Replication is available with Vault Dedicated Plus. |
| Auth methods | No limitation | A subset of available auth methods have been validated on Vault Dedicated. Additional auth methods will be validated over time. Refer to Validated secrets engines and auth methods documentation for more details. |
| Secrets Engines | No restriction | A subset of available secrets engines have been validated on Vault Dedicated. Additional secrets engines will be validated over time. Refer to the Security Overview documentation for more details. |
| Cluster Scaling | No built in feature to scale the cluster size up or down. | Scale your cluster size dynamically via the HashiCorp Cloud Platform Portal or Terraform. |
| Sentinel | Available with license | Available with Vault Dedicated Plus. |
To learn more about Vault Dedicated pricing, visit the HCP Vault Dedicated Pricing and HCP Billing documentation pages.
Next steps
Create your first HCP Vault Dedicated cluster to get started. Go through each tutorial in this series for an overall tour of HCP Vault Dedicated.