HSM cluster · 4/4 healthy · last rotation 4h ago
HSM cluster · 4 / 4 healthy

Secrets,sealedat the edge.

Vault is the secrets and key management platform engineered with hardware-grade discipline — short-lived keys, audit by design, evidence packs in one command.

HSM-backed signingPer-request mintingSOC 2 · ISO · HIPAA
Mint your first keyRead the spec$ brew install vault-cli
vault · sealedlive
Active keys
12,847
  • ordersfresh
    ord_2k47xn8expires 3h 47m
  • billingfresh
    bil_9mq28r1expires 1h 12m
  • authrotating
    ath_x84j20pexpires 12m
  • searchfresh
    src_p47nq3sexpires 3h 09m
4h
default ttl
2.4k
signs / min
SOC2
type II
Trusted to seal secrets at
Northwind LabsHelvetia CartographicMercury OSFoundry 47SubstratePlover StudioStripe AtlasVerge EditionsObscura MapsRivet & Co.Field Notes Co.Northwind LabsHelvetia CartographicMercury OSFoundry 47SubstratePlover StudioStripe AtlasVerge EditionsObscura MapsRivet & Co.Field Notes Co.
/ five seals

Five primitives.
No drawer of bolt-ons.

/ by kind
  • API keys4,827
  • DB credentials3,194
  • Signing keys1,842
  • OAuth tokens2,984
total12,847
Active vault12,847 sealed
/ timeline
  • all
    −4h · scheduled rotation
  • billing
    −2h 14m · manual rotation
  • orders
    −47m · scheduled rotation
  • auth
    −12m · rotating now
Rotation timelinelast 4h
/ HSM cluster
4/4healthy
root · wrapping · seal
HSM dialcluster of 4
/ append-only audit2.4k / min
  • 14:22:00MINTkey=ord_2k47xn8 actor=service:orders ttl=4h
  • 14:23:01READkey=bil_9mq28r1 actor=user:adelaida.p
  • 14:24:02ROTATEservice=auth scope=all keys=4
  • 14:25:03SIGNpayload=intent.finalized actor=service:billing
  • 14:26:04MINTkey=src_p47nq3s actor=service:search ttl=4h
  • 14:27:05REVOKEkey=tmp_n38xq2k actor=user:soraya.m
  • 14:28:06READkey=ord_2k47xn8 actor=service:checkout
  • 14:29:07SIGNpayload=webhook.delivery actor=service:billing
Audit streamsigned · append-only
/ access policies228 active
  • service:orders
    billing/* · read
    12 keys
  • service:billing
    payments/* · sign
    4 keys
  • user:adelaida.p
    * · read · audit
    1 keys
  • service:search
    search/* · read
    6 keys
Access policyactor → secret
/ four jobs

What Vault
actually owns.

Four sealed surfaces. Vault is opinionated about the things that have ruined a Friday for an on-call engineer.

01API keys

Rotated by default. Read once.

Vault issues short-lived API keys per service, per environment, per request when you want — and expires them on a schedule you publish, not one you remember.

measured
4h
default rotation interval
mints / hr
02Database credentials

Per-connection, per-actor.

Vault mints database credentials at connection time and revokes them at hangup. No long-lived superusers in production environments — by design.

measured
0
long-lived prod superusers
live
03Signing keys

Hardware root, software ergonomics.

Sign Webhooks, JWTs, and release artifacts through HSM-backed keys with the developer experience of a hosted API. Provenance lands in the audit log.

measured
31 days
of signed-event audit retention
signed events
04Compliance evidence

Audit pack, generated.

Pull a SOC 2 / ISO 27001 evidence pack with one CLI command. Every secret, every actor, every grant, in the format your auditor accepts on the first pass.

measured
8 min
median time to evidence pack
evidence
/ honest comparison

What you stop guarding.

We ran the same secrets workload on Vault and on a typical KMS + IAM + cron-rotated stack. Here is what changed.

Dimension
Vault
Typical KMS + cron
Default key lifetime
4 hours
90 days
Audit log fidelity
Per request
Per session
HSM-backed signing
Native
Add-on
Per-connection DB creds
First-class
Bring-your-own
Compliance evidence pack
1 CLI command
2 weeks of digging
Cost per secret per month
$0.04
$0.40 + ops time
from security teams
"Vault was the only piece of infra we adopted in Q1 without a six-month security review. The product carried it."
Adelaida Pérez-Costa
Head of Security, Mercury OS
0h
Default API key lifetime
0
Long-lived prod superusers
0 min
Median time to evidence pack
0%
HSM cluster uptime, audited
/ pricing

Per secret.
Per month. Predictable.

You pay per active secret. Rotation, signing operations, and audit storage are included on every paid tier.

Tier
Cell
$0/ month
Vault
$0.04/ secret / month
Stronghold
Customannual
Seats
Up to 100 secrets
Unlimited secrets · 60 actors
Org-wide · private HSM
Rotation
Daily
Hourly · custom
Per-request
Audit
30 days
12 months
7 years · WORM
SLA
Community
99.95% credit-backed
99.99% with named TAM
/ asked by security teams

Sharp questions,
honest answers.

Vault ships an opinionated runtime with batteries on by default — short-lived keys, per-connection DB creds, HSM-backed signing — without the operator burden. You don't run it; you use it. Migrations from Hashicorp / KMS are a single CLI command.

Encrypted at rest in your chosen region (EU, US, SG, AU) with envelope keys held in our HSM cluster. Stronghold customers can pin envelope keys to their own HSM in their own DC — Vault never sees the master.

Both old and new keys are valid during a configurable overlap window. Your service ages out gracefully — no thundering herd, no failed retries.

From the audit log. Every read, write, mint, and rotation is signed and append-only. The CLI assembles a per-control evidence bundle that maps to SOC 2, ISO 27001 and HIPAA controls in the format your auditor expects.

Yes, on Stronghold. Vault accepts HSM-backed wrapping keys from AWS CloudHSM, Azure Dedicated HSM, GCP Cloud HSM, and on-prem Thales / Entrust devices. We never see the wrapping key — you keep the root.

/ recent seals

From the strongroom.

full log
  • 2026-04-22RotationPer-request key minting moved to GA on Vault tier.
  • 2026-04-09AuditEvidence pack now maps to ISO 27001:2022 controls automatically.
  • 2026-03-31HSMOn-prem Thales Luna 7 wrapping keys (beta) for Stronghold customers.
  • 2026-03-18PricingCell tier doubled to 100 free secrets. No card required.
$ vault mint --service orders --ttl 4h

Seal the secrets.
Stop minding the keys.