hashicorp/vault
Glossary
Vault has its own vocabulary. Most of these terms appear throughout the source and are necessary to read the code without confusion.
| Term | Meaning |
|---|---|
| Core | The central object in vault/core.go. Owns the router, mount tables, identity store, audit broker, expiration manager, seal, and barrier. Every running Vault instance has exactly one Core. |
| Barrier | The encryption layer between the logical request layer and the physical storage backend. Implemented by vault/barrier_aes_gcm.go. |
| Seal / unseal | Vault is "sealed" when the barrier key is unavailable, "unsealed" once enough unseal-key shares (or an auto-unseal KMS) reconstruct it. See vault/seal.go, vault/seal_autoseal.go. |
| Shamir | The secret-sharing scheme used to split the unseal key into N shares with a recovery threshold. shamir/shamir.go is the implementation. |
| Auto-unseal | Replacing Shamir shares with an external KMS that wraps/unwraps the keyring (AWS KMS, GCP CKMS, Azure Key Vault, OCI KMS, Transit). |
| Recovery key | When auto-unseal is enabled, a Shamir-split key kept around for emergency operations like generating a new root token; see vault/generate_root_recovery.go. |
| Root token | A token with all capabilities and no TTL. Generated at init time and via operator generate-root. |
| Mount | A backend bound to a path. secrets enable -path=db database creates a mount at db/. The mount table is in vault/mount.go. |
| Auth method | A logical.Backend mounted under auth/<name>/ that exchanges credentials for a Vault token. Built-ins live under builtin/credential/. |
| Secret engine | A logical.Backend that exposes paths for storing or generating secrets. Built-ins live under builtin/logical/. |
| Plugin | An external logical.Backend distributed as a separate binary; loaded over gRPC via sdk/plugin/. |
| Backend | The generic interface implemented by both auth methods and secret engines: sdk/logical/logical.go. |
| Framework backend | The helper at sdk/framework/backend.go that turns a list of *Path definitions into a full logical.Backend. |
| Path | A pattern + handler pair in a backend. Defined as *framework.Path in sdk/framework/path.go. |
| Lease | The TTL/renewal contract for a dynamic secret or token. Tracked by the expiration manager in vault/expiration.go. |
| Token | The credential clients send as X-Vault-Token. Stored and managed by vault/token_store.go. |
| Accessor | A non-sensitive identifier for a token, mount, or auth method that operators can refer to without leaking the secret. |
| Wrap token | A short-lived token that, when read once, returns a previously-stored response. See vault/wrapping.go. |
| Policy | A set of capabilities ("read", "list", "create", "update", "delete", "sudo", "deny") on path patterns; written in HCL. Stored in vault/policy.go. |
| ACL | The compiled, hierarchical version of a token's policies, used for capability checks (vault/acl.go). |
| Identity entity | A canonical user record. Aliases from auth methods map to entities. See vault/identity_store.go. |
| Identity group | A collection of entities and/or other groups, used for inherited policy assignment. |
| Namespace | A logical tenant boundary. CE has a single root namespace; Enterprise supports nested namespaces. Helpers live in helper/namespace/ and vault/namespaces.go. |
| HA / standby / active | In HA, only the active node handles writes; standby nodes forward requests via gRPC (vault/request_forwarding.go). |
| Performance / DR replication | Enterprise features that replicate writes from a primary cluster to secondaries. |
| Storage backend / physical backend | The pluggable key-value store that Vault writes encrypted blobs to. Implementations live in physical/. |
| Service registration | Optional integration that publishes Vault's address/role to a service registry; serviceregistration/. |
| Dynamic secret | A credential generated on demand (a fresh AWS user, a one-off DB role) rather than read from a stored value. |
| Static secret | A user-provided value stored in Vault (e.g., kv/). |
| Response wrapping | Returning a wrap token instead of the response body so the value is fetched exactly once by another consumer. |
| PSS / cubbyhole | Built-in per-token storage at cubbyhole/ (vault/logical_cubbyhole.go); deleted when the token is revoked. |
| MFA / login MFA | Multi-factor authentication enforced as part of login. vault/login_mfa.go (3,122 lines) is the implementation. |
| Quota | Rate or lease-count limits configured per namespace/mount. vault/quotas/quotas.go. |
| Audit device | A sink in the audit broker (audit/broker.go) that logs every request and response. Built-ins: file, socket, syslog. |
| Sentinel | Enterprise policy language layered on top of ACL. Hooks live in vault/policy_store.go but the engine is closed-source. |
| Control group | Enterprise feature requiring multi-party authorization for sensitive paths. |
| Activity log | Vault's client-counting facility used for billing and licensing. vault/activity_log.go is 117k lines on its own. |
| Vault agent / proxy | Long-running client-side daemons that auto-auth and proxy/cache requests. See command/agent.go, command/proxy.go. |
| CE / OSS | Community Edition / open-source. Files ending in _ce.go or _oss.go are CE stubs that Enterprise overrides. |
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.