HashiCorp Vault Secrets Management Cheat Sheet

Updated 2026-05-22

Next Topic: Immutable Infrastructure Cheat Sheet

HashiCorp Vault is a secrets management and data protection platform that secures, stores, and tightly controls access to tokens, passwords, certificates, encryption keys, and other sensitive data. It solves the critical problem of secret sprawl — eliminating hard-coded credentials by providing dynamic, short-lived secrets and encryption-as-a-service across any infrastructure. The key mental model is that Vault is path-based: every secret, auth method, and system endpoint lives at a path, and all access is governed by ACL policies applied to those paths.

What This Cheat Sheet Covers

This topic spans 16 focused tables and 128 indexed concepts. Below is a complete table-by-table outline of this topic, spanning foundational concepts through advanced details.

Table 1: Core Architecture and InitializationTable 2: Storage BackendsTable 3: Secrets EnginesTable 4: Authentication MethodsTable 5: Policies and ACL RulesTable 6: Identity — Entities, Groups, and AliasesTable 7: Secret Leasing and RevocationTable 8: Transit Engine — Encryption as a ServiceTable 9: PKI Secrets EngineTable 10: Vault Agent and TemplatingTable 11: Kubernetes Integration PatternsTable 12: Enterprise Features — Namespaces and ReplicationTable 13: Audit DevicesTable 14: Production Hardening and Operational PitfallsTable 15: Vault Upgrade and Migration PatternsTable 16: Alternatives Comparison

Table 1: Core Architecture and Initialization

Vault's architecture centers on a cryptographic barrier that protects all data at rest. Understanding how Vault starts sealed, how initialization creates the root key shares, and how the barrier is unlocked is essential before working with any other Vault feature.

Concept	Example	Description
Vault initialization	`vault operator init -key-shares=5 -key-threshold=3`	• First-ever operation on a new cluster • generates the root key and splits it into `key-shares` using Shamir's Secret Sharing, requiring `key-threshold` to reconstruct
Shamir unseal	`vault operator unseal <key-share>`	• Default unseal method • operators supply unseal key shares one at a time until the threshold is met and the root key is reconstructed in memory
Auto unseal	`seal "awskms" {` `region = "us-east-1"` `kms_key_id = "key-id"` `}`	• Delegates unseal key protection to a cloud KMS (AWS KMS, Azure Key Vault, GCP CKMS) or HSM, enabling automated restart without operator intervention • produces recovery keys instead of unseal keys
Seal status	`vault status`	• Shows whether Vault is sealed/unsealed, HA mode, storage backend, and cluster leader • the first diagnostic command to run
vault operator rekey	`vault operator rekey -init -key-shares=3 -key-threshold=2`	• Rotates the unseal keys or recovery keys without changing the underlying encryption key • useful when key-holders change

Table 1: Core Architecture and Initialization

Concept	Example	Description
Vault initialization	`vault operator init -key-shares=5 -key-threshold=3`	• First-ever operation on a new cluster • generates the root key and splits it into `key-shares` using Shamir's Secret Sharing, requiring `key-threshold` to reconstruct
Shamir unseal	`vault operator unseal <key-share>`	• Default unseal method • operators supply unseal key shares one at a time until the threshold is met and the root key is reconstructed in memory
Auto unseal	`seal "awskms" {` `region = "us-east-1"` `kms_key_id = "key-id"` `}`	• Delegates unseal key protection to a cloud KMS (AWS KMS, Azure Key Vault, GCP CKMS) or HSM, enabling automated restart without operator intervention • produces recovery keys instead of unseal keys
Seal status	`vault status`	• Shows whether Vault is sealed/unsealed, HA mode, storage backend, and cluster leader • the first diagnostic command to run
vault operator rekey	`vault operator rekey -init -key-shares=3 -key-threshold=2`	• Rotates the unseal keys or recovery keys without changing the underlying encryption key • useful when key-holders change