Which Vault edition is right for you?
Compare the different HashiCorp Vault offerings for secrets management and see which offering might be the best fit for your organization based on the features and services offered.
HashiCorp Vault is an industry leader in multi-cloud secrets management for organizations looking to reduce risk, minimize costs, and increase efficiency across their team. HashiCorp built Vault to provide organizations with identity-based security to automatically authenticate and authorize access to secrets and other sensitive data.
The main DevOps problem Vault tackles is secret sprawl, in which static or plaintext secrets are scattered across multiple clouds, applications, and databases. Secret sprawl presents a huge security risk, increasing the likelihood of breach due to secrets being exposed. The world’s biggest organizations use Vault to reduce their attack surface by centrally managing secrets and enforcing identity-based authentication and access. Unlike AWS, Azure, or Google Cloud native secrets managers, Vault lets users sync secrets across multiple clouds to be managed in one location.
Managing and storing key-value (KV) secrets is the core use case that Vault started with at launch that is available across all Vault editions. Vault has since expanded to include automated credential rotation, dynamic secrets, PKI/certificate management, key management, advanced data protection for encrypting sensitive data, and much more. Certain Vault editions can only support specific features and use cases at this time.
The lineup of Vault editions has also expanded beyond our original Enterprise and Community self-managed options to include a fully managed, single-tenant cloud offering (HCP Vault Dedicated) and a SaaS offering (HCP Vault Secrets). HashiCorp also offers a new cloud-hosted solution called HCP Vault Radar, which scans an organization’s environments to identify plaintext and untracked secrets that can then be secured in Vault.
Choosing the right Vault edition can be a challenging task due to the level of complexity involved in your decision framework. It may end up looking like this:
Use cases that grow out of secrets management adoption
»Choosing the right Vault
With all those choices, you may be wondering what Vault edition is the best fit based on your specific use case, compliance requirements, and infrastructure needs. This resource page is designed to help you find the Vault edition that best works for you. It includes overviews of each Vault edition and deep dives into how they might work with your use cases and scalability objectives. Here is a preview of the different Vault editions and what type of user would be best suited for it.
HCP Vault Secrets
Teams currently using a multi-cloud environment
Teams looking for a quick-to-deploy solution to get started with secrets management
Teams focused on storing secrets across multiple cloud service providers or CI/CD flows
Teams looking to reduce operational overhead by switching to a managed service
HCP Vault Dedicated
Mature teams looking for a centralized secrets management solution in addition to more advanced use cases (PKI/certificate management)
Teams looking to reduce operational overhead by switching to a managed service
Vault Enterprise
Larger, more mature organizations and teams looking to be hands-on with an on-premises secrets manager
Teams dealing with more advanced use cases, such as FIPS-140-2 support, entropy augmentation, hardware security module (HSM) auto-unseal, and seal wrap
Vault Radar
Teams that need to locate static or plaintext secrets in their environment
»HCP Vault Secrets
HCP Vault Secrets is Vault’s fully managed, multi-tenant SaaS platform that provides teams with secure and simplified workflows for secrets management with zero friction, low skills requirements, and a strong integration ecosystem to onboard more users and applications. Teams can readily deploy HCP Vault Secrets in a matter of minutes as a true “value right out-of-the-box” solution, giving them the flexibility to focus on day-to-day operations without having to oversee implementation, maintenance, or version upgrades.
Today, HCP Vault Secrets primarily offers key-value static secrets storage for teams that need a solution ASAP to centrally store their secrets. Teams can easily manage and integrate static secrets where developers may want to access them across multiple applications and infrastructure resources. This includes syncing secrets across AWS Secrets Manager, Azure Key Vault, Google Cloud, GitHub, and Vercel sync destinations. HCP Vault Secrets is also rolling out more identity access management (IAM) features such as advanced role-based access control (RBAC), which allows for more personalized role assignments and access management.
We advise teams that are primarily focused on increasing agility, reducing risk, and reducing operational costs to sign up for an HCP account and try HCP Vault Secrets.
These are the features currently available in HCP Vault Secrets:
| Use case | Key features |
| Secrets management |
|
| Identity access management |
|
| Visibility |
»Planned features
HCP Vault Secrets will soon be releasing the following features:
Azure/Google Cloud/AWS integrated dynamic secrets
On-premises database secret rotation
HCP authorization with workload identity
Webhooks
Auto-rotation of secrets
SOC2 compliance
»Highlights
HCP Vault Secrets is the preferred choice for:
Teams currently using multiple CSP-native secrets managers
Teams looking for a quick-to-deploy solution to get started with secrets management
Teams looking to store secrets across multiple cloud service providers or CI/CD flows, such as GitHub Actions
HCP Vault Secrets is not ideal for:
PKI and key management or other advanced use cases
Single-tenancy requirements
Teams operating within high-compliance or governance needs
Does HCP Vault Secrets seem like a good fit?
Get started with HCP Vault Secrets
»HCP Vault Dedicated
HCP Vault Dedicated is also fully managed by HashiCorp with a single-tenant architecture. HCP Vault Dedicated currently lets users create HCP-managed clusters on either AWS or Azure across multiple regions in North America, Asia, and Europe. This lets users reduce operational overhead by providing fully managed Vault clusters, automatic upgrades, backups, and monitoring. Organizations get the flexibility to focus on adoption and integration instead of hands-on management.
If your organization requires advanced features to support your cloud infrastructure, HCP Vault Dedicated is the right offering for you. HCP Vault Dedicated is also the recommended solution for organizations that are migrating to the cloud from an on-premises infrastructure and require more advanced use cases beyond secrets management. These advanced use cases may include: using the PKI secrets engine to dynamically generate certificates on demand, advanced data encryption, and/or key rotation. Users can offload cluster management to HashiCorp while still leveraging Vault’s existing access patterns/advanced policy management.
HCP Vault Dedicated enables users to secure, store, and tightly control access to tokens, passwords, certificates, and encryption keys within one unified cloud-based platform. HCP Vault Dedicated clusters fit into any workload and automatically scale with clusters that can be deployed and integrated with your cloud infrastructure. Additionally, Hashicorp products hosted on the HCP platform all include disaster recovery fail-safes which can offer relief.
Unlike HCP Vault Secrets, HCP Vault Dedicated is a single-tenant offering that offers an ideal solution for teams focused on stricter security controls and access protocols. Dedicated also offers policy enforcement and identity brokering for authentication and access to different clouds.
| Use case | Key features |
| Secrets management |
|
| Identity access management |
|
| Certificate and key management | |
| Operations and visibility |
|
»Risk & compliance
HCP Vault Dedicated meets the following governance and compliance requirements:
Multi-factor authentication
Snapshot and restore
Performance standby nodes
Performance replication
SSO integration
»Highlights
HCP Vault Dedicated is the preferred choice for:
Mature teams looking for a centralized secrets management solution in addition to more advanced use cases (PKI/certificate management)
HCP Vault Dedicated is not ideal for:
Teams that want to maintain a self-managed instance (on-premise)
Organizations looking for:
HSM auto-unseal
Entropy augmentation
FIPS 140-2 and seal wrap
FedRAMP compliance
(These features are available through Vault Enterprise)
Does HCP Vault Dedicated seem like a good fit?
Get started with HCP Vault Dedicated
»Vault Enterprise
Vault Enterprise is HashiCorp’s self-managed offering geared for larger organizations with multiple teams that require special security, compliance, and other operational requirements. Vault Enterprise includes the most robust feature set and supports multiple use cases for securing access to credentials including secrets, certificates, keys, and other sensitive data such as personal identity information, financial data, and health data.
Vault Enterprise empowers users to fully take advantage of secrets management within their own environment. Similar to our cloud offerings, users can automate management workflows in order to securely inject secrets into applications and sync workflows across Kubernetes, on-premises databases, or cloud databases, and set expiration policies and automate rotation workflows for secrets. These features are not completely unique to Vault Enterprise; our managed cloud offering (HCP Vault Dedicated) also provides these capabilities as well.
Teams with more advanced use cases that intend to maintain their own infrastructure and have strict regulatory requirements or special needs around HSM, data encryption, tokenization, or transformation should use Vault Enterprise.
| Use case | Key features |
| Secrets management |
|
| Identity access management |
|
| Certificate and key management |
|
| Advanced compliance |
|
| Operations and visibility |
|
»Risk & compliance
Vault Enterprise meets the following governance and compliance requirements:
Multi-factor authentication
FIPS 140-2
ISO 27001, 27017, 27018
SOC 2
Entropy augmentation
NIST compliance
Disaster recovery replication
HSM auto-unseal
Tenant isolation
Automated snapshots
User-configured resources
Performance standby nodes
Performance replication
SSO integration
»Highlights
Vault Enterprise is the preferred choice for:
Larger, more mature organizations and teams looking to be hands-on with an on-premises secrets manager
Teams dealing with more advanced use cases, such as FIPS-140-2 support, entropy augmentation, hardware security module (HSM) auto-unseal, and seal wrap
Does Vault Enterprise seem like a good fit?
Get started with Vault Enterprise
»HCP Vault Radar
HCP Vault Radar (currently in limited availability) is a standalone product that lets users scan and detect unmanaged secrets that might be exposed in their environment to help manage risk associated with secret sprawl. HCP Vault Radar should be used in conjunction with a secrets management solution, such as HCP Vault Secrets, HCP Vault Dedicated, or Vault Enterprise.
HCP Vault Radar facilitates automated scanning and ongoing detection of unmanaged secrets in various code repositories and other data sources. This critical functionality further differentiates HashiCorp Vault’s secrets management offering by allowing organizations to take a proactive approach to remediation before a data breach occurs. HCP Vault Radar also integrates with GitHub and Bitbucket to prevent secret leakage and raise alerts to sensitive data found in pull requests.
HCP Vault Radar emphasizes prioritization to remediate unmanaged secrets effectively. To do this, HCP Vault Radar answers these questions to provide actionable results and minimize false positives:
How likely is it that the content is a secret?
Is the secret currently active and in use?
Was the secret found in the latest version of the code or document?
Is this secret already stored in Vault?
Radar also allows organizations to scan a variety of content repositories, including:
Git-based version-control systems (e.g. GitHub, Bitbucket)
AWS Parameter Store
Server file directory structures
Confluence
Slack
Amazon S3 buckets
HCP Terraform
Terraform Enterprise
Jira
Docker images
Does Vault Radar seem like a good fit?
See Vault Radar’s product documentation to learn more
»Still need help choosing?
As you just read, Vault offers various editions in order to provide the best fit for your specific use case, requirements, and organization. At its core, Vault is focused on addressing the problem of secret sprawl by providing a straightforward and automated method for centrally managing your secrets and managing access.
Our managed cloud offerings are HCP Vault Dedicated and HCP Vault Secrets, which differ based on the level of advanced features. Vault Enterprise is our on-premises edition which we recommend to organizations with strict regulatory requirements. Vault Radar is a standalone product that should be used in conjunction with any of these products to scan for secrets across your organization.
If you have any other questions or want clarification, we are here to talk and advise on the best solution that makes the most sense for your organization and your specific use case.
