Vault: A secure way to keep your App’s secrets

Reading Time: 3 minutes

In this blog, we will discuss the Vault. In modern scenarios, we want to secure our system as much as possible. We don’t want to store our secret keys and certificates in the system or configurations. We need a place where we can keep our secrets with more security and access them securely whenever we need them. We can use the Vault.

Vault is the secure place to store the secrets, password, token, APIKeys of the system with the control of their access. It provides security by encrypting the keys.

Key Feature of Vault

  1. Secure Storage
  2. Encryption
  3. Access Control Policies
  4. Dynamic Secrets
  5. Auditing
  6. Multiple Authentication
  7. Revocation

Secure Storage:

We can store data as a Key-Value pair. These values are stored in encrypted form in persistent storage. So,  gaining access to raw storage isn’t enough to access your secrets.


Vault has the ability to encrypt and decrypt data. It provides facilities to encrypt and store the encrypted data in any location without having to design their own encryption methods.

Access Control Policies:

We can manage the access for the secrets or any other features of the vault. This is the most crucial feature for any secret storage system.

Dynamic Secrets:

Vault can generate secrets whenever we want for any systems. For example, when an application needs to access an S3 bucket, it asks Vault for credentials, and the Vault will generate an AWS keypair with valid permissions on demand.


We can audit all the request to the vault and we can keep the redundant logs files. This includes any request to Vault: successes, failures, configuration, data access, etc. Audit logs can be sent to the syslog, files, and more.

Multiple Authentication:

We can talk with the vault via multiple methods of authentication. e.g. Vault possesses the ability to support tokens, username/password, GitHub, certificates, and more.


Vault can revoke all secrets read by a specific user or all secrets of a specific type. Revocation assists in key rolling as well as locking down systems in the case of an intrusion.

How to install Vault on the local machine?

You all can download vault from the link given below:

After downloading, extract the vault zip and set the vault path in your .bashrc file.

Now you can validate the installation with just running vault command in your terminal.

Now start the vault server on your local machine with the command: vault server -dev

As we can see the selected exported into the image, that is representing the host and port where the vault server is running. We can access the page with the help of the above address and root token. Find the reference in  below image:

Now we will keep our secret into the vault. We can do this with this command:

In the above command, we are storing data into the vault on the path of secret/credential. Here secret/ is compulsory. We can see the data on the given path. Ex:

We can simply get the data from the vault as:

This is the basic introduction of the Vault. In the next blog, we will look at how we interact with vault via a Java client.



Written by 

Anurag is the Sr. Software Consultant @ Knoldus Software LLP. In his 3 years of experience, he has become the developer with proven experience in architecting and developing web applications.