Open-Source Wikis

/

Vault

/

Vault

/

Glossary

hashicorp/vault

Glossary

Vault has its own vocabulary. Most of these terms appear throughout the source and are necessary to read the code without confusion.

Term Meaning
Core The central object in vault/core.go. Owns the router, mount tables, identity store, audit broker, expiration manager, seal, and barrier. Every running Vault instance has exactly one Core.
Barrier The encryption layer between the logical request layer and the physical storage backend. Implemented by vault/barrier_aes_gcm.go.
Seal / unseal Vault is "sealed" when the barrier key is unavailable, "unsealed" once enough unseal-key shares (or an auto-unseal KMS) reconstruct it. See vault/seal.go, vault/seal_autoseal.go.
Shamir The secret-sharing scheme used to split the unseal key into N shares with a recovery threshold. shamir/shamir.go is the implementation.
Auto-unseal Replacing Shamir shares with an external KMS that wraps/unwraps the keyring (AWS KMS, GCP CKMS, Azure Key Vault, OCI KMS, Transit).
Recovery key When auto-unseal is enabled, a Shamir-split key kept around for emergency operations like generating a new root token; see vault/generate_root_recovery.go.
Root token A token with all capabilities and no TTL. Generated at init time and via operator generate-root.
Mount A backend bound to a path. secrets enable -path=db database creates a mount at db/. The mount table is in vault/mount.go.
Auth method A logical.Backend mounted under auth/<name>/ that exchanges credentials for a Vault token. Built-ins live under builtin/credential/.
Secret engine A logical.Backend that exposes paths for storing or generating secrets. Built-ins live under builtin/logical/.
Plugin An external logical.Backend distributed as a separate binary; loaded over gRPC via sdk/plugin/.
Backend The generic interface implemented by both auth methods and secret engines: sdk/logical/logical.go.
Framework backend The helper at sdk/framework/backend.go that turns a list of *Path definitions into a full logical.Backend.
Path A pattern + handler pair in a backend. Defined as *framework.Path in sdk/framework/path.go.
Lease The TTL/renewal contract for a dynamic secret or token. Tracked by the expiration manager in vault/expiration.go.
Token The credential clients send as X-Vault-Token. Stored and managed by vault/token_store.go.
Accessor A non-sensitive identifier for a token, mount, or auth method that operators can refer to without leaking the secret.
Wrap token A short-lived token that, when read once, returns a previously-stored response. See vault/wrapping.go.
Policy A set of capabilities ("read", "list", "create", "update", "delete", "sudo", "deny") on path patterns; written in HCL. Stored in vault/policy.go.
ACL The compiled, hierarchical version of a token's policies, used for capability checks (vault/acl.go).
Identity entity A canonical user record. Aliases from auth methods map to entities. See vault/identity_store.go.
Identity group A collection of entities and/or other groups, used for inherited policy assignment.
Namespace A logical tenant boundary. CE has a single root namespace; Enterprise supports nested namespaces. Helpers live in helper/namespace/ and vault/namespaces.go.
HA / standby / active In HA, only the active node handles writes; standby nodes forward requests via gRPC (vault/request_forwarding.go).
Performance / DR replication Enterprise features that replicate writes from a primary cluster to secondaries.
Storage backend / physical backend The pluggable key-value store that Vault writes encrypted blobs to. Implementations live in physical/.
Service registration Optional integration that publishes Vault's address/role to a service registry; serviceregistration/.
Dynamic secret A credential generated on demand (a fresh AWS user, a one-off DB role) rather than read from a stored value.
Static secret A user-provided value stored in Vault (e.g., kv/).
Response wrapping Returning a wrap token instead of the response body so the value is fetched exactly once by another consumer.
PSS / cubbyhole Built-in per-token storage at cubbyhole/ (vault/logical_cubbyhole.go); deleted when the token is revoked.
MFA / login MFA Multi-factor authentication enforced as part of login. vault/login_mfa.go (3,122 lines) is the implementation.
Quota Rate or lease-count limits configured per namespace/mount. vault/quotas/quotas.go.
Audit device A sink in the audit broker (audit/broker.go) that logs every request and response. Built-ins: file, socket, syslog.
Sentinel Enterprise policy language layered on top of ACL. Hooks live in vault/policy_store.go but the engine is closed-source.
Control group Enterprise feature requiring multi-party authorization for sensitive paths.
Activity log Vault's client-counting facility used for billing and licensing. vault/activity_log.go is 117k lines on its own.
Vault agent / proxy Long-running client-side daemons that auto-auth and proxy/cache requests. See command/agent.go, command/proxy.go.
CE / OSS Community Edition / open-source. Files ending in _ce.go or _oss.go are CE stubs that Enterprise overrides.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Glossary – Vault wiki | Factory