Well-Architected Framework
Secure your static secrets with key/value storage
A static secret is any sensitive credential, such as a password or API key, that you create and maintain over a long period of time. The secret value remains the same until you change or rotate it. Securing static secrets protects your organization from data breaches and unauthorized access to critical systems. Organizations classify these credentials as restricted because compromised secrets can cause severe damage, including data loss, security breaches, and compliance violations.
Protect your organization with secure secret storage
While you often classify secrets as restricted, you still need to use these secrets to access systems or configure applications to access other services using the secret. Because both individual users and applications require access to these secrets, securely storing them with proper authentication and authorization is critical to your organization's security posture and reputation.
HashiCorp Vault's key/value (KV) secrets engine allows you to store any type of arbitrary secret, such as usernames, passwords, API keys, and even static TLS certificates that cannot be provisioned automatically (store those by base64 encoding the certificate before writing it to the KV path).
You can protect and manage access to the secrets stored in Vault's KV secrets engine using Vault's robust access control policy framework, and incorporate advanced Sentinel policies to ensure only authorized individuals or applications access the secrets they are entitled to.
Vault is available as a self-hosted application, or you can get started with Vault quickly using the HashiCorp Cloud Platform (HCP). Sentinel integrates with both self-hosted Vault and HCP Vault Dedicated.
Store static secrets with Vault
Before you deploy Vault, take time to plan a KV storage architecture to ensure teams and applications (clients) have access based on your organization's security requirements. You can store all secrets in a single instance of the KV secrets engine, or enable multiple KV secrets engines at unique paths (for example, one mount per team or environment) so that policies can be scoped per mount.
Once you have solidified your plan for the KV secrets engine, enable the secrets engine using your Vault administrator's preferred tools. Vault supports a command line interface (CLI), application programming interface (API), web-based user interface (UI), HashiCorp Terraform, and many other configuration management tools such as Ansible.
Once you have enabled the KV secrets engine, and assigned an appropriately scoped policy to a client, any authenticated client assigned the policy can interact with the secret based on the policy. You can learn how to enable the KV secrets engine, write a policy, and assign it to a client using the UI, CLI, API, and Terraform in the Vault get started series of tutorials.
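The procedure above (enable a KV mount at a unique path, write a scoped policy, assign it to a client) as an added Terraform example using the HashiCorp Vault provider; this is not code from the HashiCorp page. The mount path `payments`, the policy name `payments-reader`, the AppRole name `billing-app` and the secret contents are all hypothetical values chosen for illustration.

```hcl
# Added example (not from the original page): enable a dedicated KV v2
# secrets engine for one team, write a least-privilege policy for it, and
# bind that policy to an AppRole so an application can read only its own
# secrets. All names and values below are hypothetical.

terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# The provider reads VAULT_ADDR and VAULT_TOKEN from the environment.
provider "vault" {}

# One KV v2 mount per team keeps each team's secrets at a unique path.
resource "vault_mount" "payments_kv" {
  path        = "payments" # hypothetical mount path
  type        = "kv"
  options     = { version = "2" }
  description = "Static secrets for the payments team"
}

# A static secret: an API key that stays the same until it is rotated.
resource "vault_kv_secret_v2" "billing_api" {
  mount = vault_mount.payments_kv.path
  name  = "billing/api"
  data_json = jsonencode({
    api_key = "EXAMPLE-KEY-REPLACE-ME" # placeholder, never commit a real key
  })
}

# Least-privilege policy. In KV v2, reads go through <mount>/data/... and
# listing goes through <mount>/metadata/...; nothing else is granted.
resource "vault_policy" "payments_reader" {
  name   = "payments-reader"
  policy = <<-EOT
    path "${vault_mount.payments_kv.path}/data/billing/*" {
      capabilities = ["read"]
    }
    path "${vault_mount.payments_kv.path}/metadata/billing/*" {
      capabilities = ["list"]
    }
  EOT
}

# AppRole auth lets the application authenticate as a machine client and
# receive a short-lived token that carries only the reader policy.
resource "vault_auth_backend" "approle" {
  type = "approle"
}

resource "vault_approle_auth_backend_role" "billing_app" {
  backend        = vault_auth_backend.approle.path
  role_name      = "billing-app"
  token_policies = [vault_policy.payments_reader.name]
  token_ttl      = 3600  # seconds
  token_max_ttl  = 14400 # seconds
}
```

After `terraform apply`, a client that logs in with the `billing-app` AppRole can read `payments/data/billing/api` but cannot read, write or list anything outside `billing/`, and cannot write even there; a user or service that needs write access gets a separate policy. Two caveats a practitioner should keep in mind: the `data/` and `metadata/` segments in the policy paths are specific to KV version 2 (a KV v1 mount uses the bare path), and the value written through `vault_kv_secret_v2` is recorded in Terraform state, so that state file must be protected as carefully as the secret itself.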
HashiCorp resources:
- Get started with Vault
- Watch the developers guide to HCP Vault
- Read documentation on Vault KV secrets engine
- Learn how to use the Vault KV secrets engine
Next steps
In this section of Secure secrets, you learned how to store static secrets in your organization. Storing static secrets is part of the Secure systems pillar.