Open-Source Wikis

/

Vault

/

Vault

hashicorp/vault

Vault

Vault is a secrets management and data protection system written in Go. It provides a unified API to securely store, generate, encrypt, and lease access to credentials, certificates, encryption keys, and other sensitive data, with detailed audit logging and fine-grained access control.

This wiki documents the open-source (Community) edition of Vault as it lives in hashicorp/vault. Many files have _ce.go, _oss.go, or entExtend* symbols that are stubs filled in by the closed-source Vault Enterprise distribution. Where that affects behavior we call it out, but everything documented here is buildable from this repository alone.

What problem does Vault solve

Modern systems hold a wide variety of secrets: database passwords, API keys, TLS certificates, SSH keys, cloud IAM credentials. Vault centralizes those secrets behind a single HTTP API with these properties:

  • All data is encrypted at rest using a master key that is itself split with Shamir secret sharing or wrapped by an external KMS.
  • Every read, write, login, and admin action goes through pluggable authentication, policy, and audit layers.
  • Backends can mint dynamic secrets on demand (a fresh AWS IAM key, a one-off database role, a short-lived PKI certificate) and revoke them when their lease expires.
  • Operators can run a single instance, a high-availability cluster backed by integrated Raft storage, or a federated multi-cluster setup with replication.

The repository ships the server, the vault CLI, the agent and proxy daemons, several auth and secret backends, an Ember.js web UI, and Go libraries (api/ and sdk/) that other projects use to talk to Vault or build new plugins.

Where to start

If you want to… Start at
Build and run Vault locally Getting started
Understand the runtime layout Architecture
Read about the vault server, CLI, agent, or proxy Apps
Drill into the core, identity store, expiration manager, … Systems
See how secret/auth backends plug in Plugin catalog, Secret engines, Auth methods
Look up vocabulary Glossary
Contribute code or fix a bug How to contribute

Repository at a glance

Path Contents
main.go A 13-line file that calls into the command package; see main.go
command/ All vault … CLI subcommands and the long-running server, agent, and proxy daemons
vault/ The Vault core: Core, router, mount tables, expiration manager, identity store, MFA, quotas
http/ The HTTP front door: http/handler.go builds the mux that fronts every API endpoint
audit/ Audit broker and built-in file, socket, syslog audit devices
physical/ Storage backend implementations (raft, consul, postgres, s3, …)
serviceregistration/ Pluggable service discovery for Consul and Kubernetes
builtin/credential/, builtin/logical/, builtin/plugin/ Built-in auth methods, secret engines, and the plugin shim
helper/builtinplugins/ Registry that wires built-in plugins into the server
sdk/ Reusable Go SDK for plugins; published as github.com/hashicorp/vault/sdk
api/ Public Go client SDK; published as github.com/hashicorp/vault/api
ui/ Ember.js web UI shipped with the server binary
internalshared/ Shared internal helpers (config parsing, listeners) not part of the public SDK
enos/ Enos test scenarios used in CI
changelog/ Per-PR changelog snippets aggregated into CHANGELOG.md

Editions

Vault ships in two editions from the same source tree:

  • Community Edition (CE), the open-source build in this repository.
  • Vault Enterprise, a closed-source distribution that adds DR/perf replication, namespaces hierarchy, MFA enforcement, HSM/PKCS#11 seals, control groups, FIPS modes, and several premium plugins.

Files ending in _ce.go or with entExtend* and entAdd* symbols are the open-source stubs; the Enterprise build provides parallel _ent.go files with the real implementations. This separation is documented in Background.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Vault – Vault wiki | Factory