HashiCorp Vault is a tool for secrets management, data encryption, and identity-based access. It is designed to help organisations securely store and manage sensitive information such as tokens, passwords, certificates, encryption keys, etc.
In this article, the main feature differences and offerings in three different Vault editions are discussed.
HashiCorp Vault Offerings
Currently, Hashicorp offers Vault service in three different editions. Below is the explanation of each edition along with the supported features.
Vault OpenSource (OSS)
The open source edition is self-managed so it can be hosted anywhere in the desired platform. Vault application can be installed on various supported operating systems. The pre-compiled Vault binary can be downloaded from HashiCorp website.
HashiCorp Vault OpenSource edition supports the most common use cases such as:
- Storing secrets in KV Engines
- Configuring widely used authentication methods such as AWS, Azure, LDAP, OIDC, etc.
- Setting up Vault in highly available cluster mode
- Data encryption and decryption etc.
The open-source version of Vault is usually sufficient for organisations with a small number of Vault users and only utilises the basic functionalities of Vault. The main features of the Vault open-source editions are:
HashiCorp Vault OpenSource edition supports the most common use cases such as:
- Storing static secrets in key value engine
- Performing data encryption and decryption via transit engine
- Dynamic secrets engines such as AWS, database, SSH key engines
- Vault plugins support
- Vault clients statistics in UI dashboard
Vault Enterprise
Like Vault open-source, the Enterprise edition is also self-managed. The Vault Enterprise contains all that is included in the open-source editions, and it offers dozens of extra features that could add value to the Vault usage in the organisations. It’s important to understand and evaluate those features to decide if your organisation could benefit from them.
The most notable enterprise features include:
-
Vault Namespaces
A namespace in Vault Enterprise is like a Vault within a Vault and is used for logical separation of the Vault instances per team or division in the organisation. With namespaces, organisations can create logical partitions within Vault to separate policies, authentication methods, and secrets across different teams or departments. This feature helps in organising and securing access to sensitive data.
-
Vault Disaster Recovery (DR) and Performance Replication
Vault DR capability ensures that in the event of a disaster (such as data centre outages, hardware failures, or other catastrophic events), your Vault data remains safe and accessible, minimising downtime and data loss. For this to work, Vault is configured in multiple locations as a Primary and secondary cluster. Real-time replication is set up so that changes made in the primary cluster (such as adding or updating secrets, policies, and configurations) are replicated to the secondary clusters in real-time. This ensures that the secondary clusters are always up-to-date and can take over immediately if the primary cluster becomes unavailable.
Vault’s Performance Replication feature is designed to enhance the scalability and performance of HashiCorp Vault across geographically distributed data centres or within large, dispersed organisations. It aims to optimise the response time and load-handling capabilities of Vault by replicating secrets and configurations across multiple clusters and ensures that users and applications can access Vault services with low latency, regardless of their geographical location.
-
Sentinel Policy as Code
Vault Enterprise includes HashiCorp Sentinel, a policy-as-code framework that allows organisations to define fine-grained access control policies using a domain-specific language. This gives administrators greater control over how policies are defined and enforced. Sentinel policies can be enforced at different levels: advisory (warnings), soft mandatory (overridable), and hard mandatory (non-overridable). This flexibility allows organisations to enforce policies according to their risk management strategy and operational practices.
-
Integrated Storage Snapshots
The automated storage snapshot feature simplifies the process of taking periodic snapshots of the data stored within Vault’s Integrated Storage backend. This is crucial for disaster recovery and operational durability, ensuring that data can be restored to a known good state in case of data corruption, loss, or a disaster scenario.
-
Enterprise support
Vault Enterprise also comes with support from HashiCorp in case anything goes wrong. Depending on the support plan, HashiCorp support responds within the given time frame as agreed in the SLAs.
-
Control Groups
Vault Control Groups are an advanced security feature within HashiCorp Vault, designed to implement an additional layer of authorisation through a manual approval process for accessing secrets or performing sensitive operations.
-
Lease Count Quotas
Vault Lease Count Quotas, introduced in HashiCorp Vault, is a feature designed to improve the operational safety and resource management of Vault by limiting the number of leases that can be generated within a specified time frame or scope.
Vault HCP
Vault (HCP) Cloud, a SaaS solution, is a fully managed implementation of Vault which is operated by HashiCorp, allowing organisations to get started with Vault in no time. Vault HCP clusters are equipped with Vault Enterprise edition leveraging the additional enterprise features.
Vault HCP vault clusters are hosted only on AWS and Azure clouds with multiple supported regions across the globe. It is possible to expose Vault clusters in HCP to the public network or restrict access to a private network via VPN peering. The below image depicts the peering connection between the HCP virtual network and a private VPC network for a public cloud provider.
The benefits of using Vault HCP include:
- Easier Vault deployments with few clicks
- Managed Vault upgrades
- Ability to take Vault snapshots and restore from the HCP console
- Infrastructure reliability provided by HashiCorp
- Secure access via private network
- Pre-configured Auto-unseal
- Dynamic Vault cluster scaling
- Multiple tier sizing and pricing i.e. Development, Standard, Plus tier
Comparison Table
To make decisions easy regarding the vault edition which would best suit the needs of the organisations, the below table provides a comparison of major Vault features among three different vault editions.
Vault at Kumorion
We have been managing and supporting HashiCorp Vault (both open source and Enterprise edition) for many years. Our experience with Vault is quite extensive in terms of automated deployment of Vault in HA cluster. We have been dynamically managing the Vault configurations such as auto-unsealing, automated recovery from lost quorum and performance and DR replications (Enterprise feature) etc.
Our way of provisioning the various Vault component is via code. We use automated pipelines to configure Vault secret engines, setup authentication methods such LDAP, OIDC, JWT and approle, manage the Vault policies and vault group configurations. Vault monitoring and logs shipping to the logs aggregator is another important aspect that we have dealt within our automation.
We see Vault as key component in modern distributed environments and being able to self host and/or use a managed solution like HCP is crucial. We work in various multi-cloud, hybrid, on-prem and edge environments and Vault is suitable for all.
Writer // KUMORION BLOG //
Shankar Lal
Enthusiastic DevOps learner and sometimes like to write about his experiences for community awareness.