[{"data":1,"prerenderedAt":387},["ShallowReactive",2],{"blog-how-to/vault-basics":3},{"id":4,"title":5,"body":6,"category":367,"date":368,"dateModified":369,"description":370,"draft":371,"extension":372,"faq":373,"featured":371,"headerVariant":374,"image":373,"keywords":373,"meta":375,"navigation":376,"ogDescription":377,"ogTitle":373,"path":378,"readTime":373,"schemaOrg":379,"schemaType":380,"seo":381,"sitemap":382,"stem":383,"tags":384,"twitterCard":385,"__hash__":386},"blog/blog/how-to/vault-basics.md","How to Use HashiCorp Vault for Secrets Management",{"type":7,"value":8,"toc":352},"minimark",[9,13,17,21,27,30,43,48,51,54,58,90,109,125,141,157,173,196,200,236,242,246,251,258,262,269,273,279,283,289,315,334],[10,11],"category-badge",{"category":12},"How-To Guide",[14,15,5],"h1",{"id":16},"how-to-use-hashicorp-vault-for-secrets-management",[18,19,20],"p",{},"Enterprise-grade secrets management for growing applications",[22,23,24],"tldr",{},[18,25,26],{},"TL;DR (30 minutes):\nInstall Vault, start the server in dev mode to learn, then store secrets with\nvault kv put\n. Access them in your app via the Vault API or SDK. For production, run Vault in HA mode with proper unsealing and access policies.",[18,28,29],{},"Prerequisites:",[31,32,33,37,40],"ul",{},[34,35,36],"li",{},"Command line access",[34,38,39],{},"Basic understanding of environment variables",[34,41,42],{},"Docker installed (optional, for easier setup)",[44,45,47],"h2",{"id":46},"why-this-matters","Why This Matters",[18,49,50],{},"As your application grows, managing secrets in environment variables becomes unwieldy. HashiCorp Vault provides centralized secrets management with encryption, access control, audit logging, and automatic rotation. 
It's the industry standard for organizations handling sensitive data.",[18,52,53],{},"Vault helps you avoid common problems: secrets sprawled across multiple .env files, no audit trail of who accessed what, and painful manual rotation when credentials are compromised.",[44,55,57],{"id":56},"step-by-step-guide","Step-by-Step Guide",[59,60,62,67,70,81,84],"step",{"number":61},"1",[63,64,66],"h3",{"id":65},"install-hashicorp-vault","Install HashiCorp Vault",[18,68,69],{},"Download and install Vault for your platform:",[71,72,77],"pre",{"className":73,"code":75,"language":76},[74],"language-text","# macOS with Homebrew\nbrew tap hashicorp/tap\nbrew install hashicorp/tap/vault\n\n# Ubuntu/Debian\nwget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg\necho \"deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main\" | sudo tee /etc/apt/sources.list.d/hashicorp.list\nsudo apt update && sudo apt install vault\n\n# Or use Docker\ndocker pull hashicorp/vault\n","text",[78,79,75],"code",{"__ignoreMap":80},"",[18,82,83],{},"Verify the installation:",[71,85,88],{"className":86,"code":87,"language":76},[74],"vault --version\n",[78,89,87],{"__ignoreMap":80},[59,91,93,97,100,106],{"number":92},"2",[63,94,96],{"id":95},"start-vault-in-development-mode","Start Vault in development mode",[18,98,99],{},"For learning and local development, start Vault in dev mode:",[71,101,104],{"className":102,"code":103,"language":76},[74],"# Start dev server (not for production!)\nvault server -dev\n\n# In a new terminal, set the address\nexport VAULT_ADDR='http://127.0.0.1:8200'\n\n# Dev mode prints a root token - save it\nexport VAULT_TOKEN='your-root-token-here'\n",[78,105,103],{"__ignoreMap":80},[18,107,108],{},"Dev mode automatically unseals Vault and gives you a root token. 
Never use dev mode in production.",[59,110,112,116,119],{"number":111},"3",[63,113,115],{"id":114},"store-your-first-secret","Store your first secret",[18,117,118],{},"Use the KV (key-value) secrets engine to store secrets. The dev server from step 2 already mounts a KV v2 engine at secret/, so the enable command below is only needed on a non-dev server. The values shown are placeholders; anything typed as a command-line argument is saved in shell history, so pass real secrets via stdin (key=-) or a JSON file (@data.json):",[71,120,123],{"className":121,"code":122,"language":76},[74],"# Enable the KV secrets engine (v2 recommended)\nvault secrets enable -path=secret kv-v2\n\n# Store a secret\nvault kv put secret/myapp/database \\\n  username=\"dbuser\" \\\n  password=\"supersecret123\" \\\n  host=\"db.example.com\"\n\n# Store API keys\nvault kv put secret/myapp/api \\\n  stripe_key=\"sk_live_xxxxx\" \\\n  openai_key=\"sk-xxxxx\"\n",[78,124,122],{"__ignoreMap":80},[59,126,128,132,135],{"number":127},"4",[63,129,131],{"id":130},"read-secrets-from-vault","Read secrets from Vault",[18,133,134],{},"Retrieve secrets using the CLI or API:",[71,136,139],{"className":137,"code":138,"language":76},[74],"# Read via CLI\nvault kv get secret/myapp/database\n\n# Get specific field\nvault kv get -field=password secret/myapp/database\n\n# Read via API (curl)\ncurl -H \"X-Vault-Token: $VAULT_TOKEN\" \\\n  $VAULT_ADDR/v1/secret/data/myapp/database\n",[78,140,138],{"__ignoreMap":80},[59,142,144,148,151],{"number":143},"5",[63,145,147],{"id":146},"access-vault-in-your-application","Access Vault in your application",[18,149,150],{},"Use the Vault SDK in your application:",[71,152,155],{"className":153,"code":154,"language":76},[74],"// Node.js with node-vault\nimport vault from 'node-vault';\n\nconst client = vault({\n  apiVersion: 'v1',\n  endpoint: process.env.VAULT_ADDR,\n  token: process.env.VAULT_TOKEN\n});\n\nasync function getDbCredentials() {\n  const result = await client.read('secret/data/myapp/database');\n  return result.data.data; // { username, password, host }\n}\n\n// Use in your app\nconst dbCreds = await getDbCredentials();\nconst connection = await createConnection({\n  host: dbCreds.host,\n  user: dbCreds.username,\n  password: 
dbCreds.password\n});\n",[78,156,154],{"__ignoreMap":80},[59,158,160,164,167],{"number":159},"6",[63,161,163],{"id":162},"create-access-policies","Create access policies",[18,165,166],{},"Define who can access which secrets:",[71,168,171],{"className":169,"code":170,"language":76},[74],"# Create a policy file: myapp-policy.hcl\npath \"secret/data/myapp/*\" {\n  capabilities = [\"read\"]\n}\n\npath \"secret/metadata/myapp/*\" {\n  capabilities = [\"list\"]\n}\n\n# Apply the policy\nvault policy write myapp-read myapp-policy.hcl\n\n# Create a token with this policy\nvault token create -policy=myapp-read -ttl=24h\n",[78,172,170],{"__ignoreMap":80},[174,175,176,179],"warning-box",{},[18,177,178],{},"Production Considerations:",[31,180,181,184,187,190,193],{},[34,182,183],{},"Never use dev mode in production - use proper storage backend (Consul, PostgreSQL, etc.)",[34,185,186],{},"Implement proper unsealing with Shamir's secret sharing or auto-unseal",[34,188,189],{},"Use AppRole or Kubernetes auth instead of static tokens",[34,191,192],{},"Enable audit logging for compliance",[34,194,195],{},"Run Vault in HA mode with multiple nodes",[44,197,199],{"id":198},"how-to-verify-it-worked","How to Verify It Worked",[201,202,203,214,220,226],"ol",{},[34,204,205,209,210,213],{},[206,207,208],"strong",{},"List secrets:"," Run ",[78,211,212],{},"vault kv list secret/myapp"," to see stored secrets",[34,215,216,219],{},[206,217,218],{},"Check access:"," Create a limited token and verify it can only access allowed paths",[34,221,222,225],{},[206,223,224],{},"Test from app:"," Your application should successfully retrieve secrets without hardcoding them",[34,227,228,231,232,235],{},[206,229,230],{},"Verify audit logs:"," Check ",[78,233,234],{},"vault audit list"," and review access logs. No audit device is enabled by default, so the list stays empty until you enable one, for example with vault audit enable file file_path=/var/log/vault_audit.log",[71,237,240],{"className":238,"code":239,"language":76},[74],"# Verify secrets are stored\nvault kv list secret/myapp\n\n# Test limited token\nVAULT_TOKEN=limited-token vault kv get 
secret/myapp/database  # Should work\nVAULT_TOKEN=limited-token vault kv get secret/other/secrets   # Should fail\n",[78,241,239],{"__ignoreMap":80},[44,243,245],{"id":244},"common-errors-troubleshooting","Common Errors & Troubleshooting",[247,248,250],"h4",{"id":249},"error-vault-is-sealed","Error: \"Vault is sealed\"",[18,252,253,254,257],{},"Vault requires unsealing after restart. Use ",[78,255,256],{},"vault operator unseal"," with your unseal keys.",[247,259,261],{"id":260},"error-permission-denied","Error: \"permission denied\"",[18,263,264,265,268],{},"Your token doesn't have access to this path. Check your policies with ",[78,266,267],{},"vault token lookup",".",[247,270,272],{"id":271},"error-connection-refused","Error: \"connection refused\"",[18,274,275,276,268],{},"Vault server isn't running or VAULT_ADDR is wrong. Verify with ",[78,277,278],{},"vault status",[247,280,282],{"id":281},"error-path-not-found","Error: \"path not found\"",[18,284,285,286,268],{},"The secrets engine might not be enabled. Check with ",[78,287,288],{},"vault secrets list",[290,291,292,299,305],"faq-section",{},[293,294,296],"faq-item",{"question":295},"When should I use Vault vs. simple environment variables?",[18,297,298],{},"Use environment variables for small projects with few secrets. Switch to Vault when you need audit logging, secret rotation, multiple environments, or team access control. If you're handling payment data or user credentials at scale, Vault is worth the setup cost.",[293,300,302],{"question":301},"Is there a managed Vault service?",[18,303,304],{},"Yes, HashiCorp offers HCP Vault as a managed service. AWS also has Secrets Manager, and Azure has Key Vault - these are simpler alternatives if you're on those platforms.",[293,306,308],{"question":307},"How do I rotate secrets in Vault?",[18,309,310,311,314],{},"Update the secret with ",[78,312,313],{},"vault kv put"," - Vault maintains version history. 
Writing a new version only updates the copy stored in Vault, so the credential must also be changed or revoked in the system that issued it. For databases, use Vault's dynamic secrets feature to automatically generate and rotate credentials.",[18,316,317,320,325,326,325,330],{},[206,318,319],{},"Related guides:",[321,322,324],"a",{"href":323},"/blog/how-to/aws-secrets-manager","AWS Secrets Manager Setup"," ·\n",[321,327,329],{"href":328},"/blog/how-to/rotate-api-keys","How to Rotate API Keys",[321,331,333],{"href":332},"/blog/how-to/environment-variables","Environment Variables Guide",[335,336,337,343,347],"related-articles",{},[338,339],"related-card",{"description":340,"href":341,"title":342},"Step-by-step guide to securing your Drizzle ORM setup. Safe SQL queries, input validation, and access control patterns f","/blog/how-to/drizzle-security","How to Secure Drizzle ORM",[338,344],{"description":345,"href":332,"title":346},"Complete guide to environment variables for web apps. Learn how to set up .env files, access variables in code, and conf","How to Use Environment Variables - Complete Guide",[338,348],{"description":349,"href":350,"title":351},"Step-by-step guide to securing file uploads. File type validation, size limits, storage security, malware scanning, and ","/blog/how-to/file-upload-security","How to Secure File Uploads",{"title":80,"searchDepth":353,"depth":353,"links":354},2,[355,356,365,366],{"id":46,"depth":353,"text":47},{"id":56,"depth":353,"text":57,"children":357},[358,360,361,362,363,364],{"id":65,"depth":359,"text":66},3,{"id":95,"depth":359,"text":96},{"id":114,"depth":359,"text":115},{"id":130,"depth":359,"text":131},{"id":146,"depth":359,"text":147},{"id":162,"depth":359,"text":163},{"id":198,"depth":353,"text":199},{"id":244,"depth":353,"text":245},"how-to","2026-01-28","2026-02-16","Step-by-step guide to setting up HashiCorp Vault for secrets management. 
Store, access, and rotate secrets securely in your applications.",false,"md",null,"yellow",{},true,"Step-by-step guide to setting up HashiCorp Vault for storing and managing secrets.","/blog/how-to/vault-basics","[object Object]","HowTo",{"title":5,"description":370},{"loc":378},"blog/how-to/vault-basics",[],"summary_large_image","DN0p0F3NvHIUyLv2-tA4TkrqRS3Rp7BlIRpVHHWlLBY",1775843927111]