Rotated by default. Read once.
Vault issues short-lived API keys per service, per environment, per request when you want — and expires them on a schedule you publish, not one you remember.
Vault is the secrets and key management platform engineered with hardware-grade discipline — short-lived keys, audit by design, evidence packs in one command.
Each panel is a real subsystem reading from the live audit stream. The motion is the data.
Four sealed surfaces. Vault is opinionated about the things that have ruined a Friday for an on-call engineer.
Vault issues short-lived API keys per service, per environment, per request when you want — and expires them on a schedule you publish, not one you remember.
Vault mints database credentials at connection time and revokes them at hangup. No long-lived superusers in production environments — by design.
Sign Webhooks, JWTs, and release artifacts through HSM-backed keys with the developer experience of a hosted API. Provenance lands in the audit log.
Pull a SOC 2 / ISO 27001 evidence pack with one CLI command. Every secret, every actor, every grant, in the format your auditor accepts on the first pass.
We ran the same secrets workload on Vault and on a typical KMS + IAM + cron-rotated stack. Here is what changed.
"Vault was the only piece of infra we adopted in Q1 without a six-month security review. The product carried it."
You pay per active secret. Rotation, signing operations, and audit storage are included on every paid tier.
Vault ships an opinionated runtime with batteries on by default — short-lived keys, per-connection DB creds, HSM-backed signing — without the operator burden. You don't run it; you use it. Migrations from Hashicorp / KMS are a single CLI command.
Encrypted at rest in your chosen region (EU, US, SG, AU) with envelope keys held in our HSM cluster. Stronghold customers can pin envelope keys to their own HSM in their own DC — Vault never sees the master.
Both old and new keys are valid during a configurable overlap window. Your service ages out gracefully — no thundering herd, no failed retries.
From the audit log. Every read, write, mint, and rotation is signed and append-only. The CLI assembles a per-control evidence bundle that maps to SOC 2, ISO 27001 and HIPAA controls in the format your auditor expects.
Yes, on Stronghold. Vault accepts HSM-backed wrapping keys from AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM, and on-prem Thales / Entrust devices. We never see the wrapping key — you keep the root.