Vault is the industry standard for managing secrets: API keys, database passwords, encryption keys, anything that shouldn't live in environment variables or config files. It stores secrets, controls who can access them, rotates them automatically, encrypts data, and logs every access. It's a bank vault for your application secrets.

built by HashiCorp. The most widely deployed secrets management tool in production infrastructure.

The catch: HashiCorp relicensed Vault from MPL to BSL (Business Source License) in 2023. You can still self-host for free for your own use, but you cannot offer Vault as a managed service competing with HashiCorp. This triggered the OpenBao fork. Also, Vault is powerful but complex; setting up HA (high availability), configuring auth methods, managing policies, and operating the unsealing process requires real infrastructure knowledge. This is not a 'docker run and forget' tool.

**Free (BSL):** Full Vault server: secrets engine, dynamic secrets, encryption-as-a-service, auth methods, policies, audit logging. All features available. BSL restricts offering Vault as a competing managed service.

**HCP Vault (cloud):** - Development: free, single small cluster, limited to dev/test - Standard: starts around $0.50/hr (~$365/mo), production-grade, HA - Plus: higher throughput, more features, custom pricing

Self-hosting cost: Vault needs HA in production (3-5 servers minimum for Raft storage). Budget $100-300/mo in infrastructure. The real cost is operational; someone needs to understand Vault's unsealing, rotation, and policy model.

The BSL license is the elephant: if you're fine using Vault internally, nothing changes. If you were planning to build a secrets-management SaaS, look at OpenBao (the FOSS fork).

Vault

The Lens

Free vs Self-Hosted vs Paid

Similar Tools

About

Explore Further

More tools in the directory

openclaw

claw-code

n8n