Credential Vault
What is Credential Vault?
Credential VaultA centralized, audited service that securely stores, rotates, and brokers access to secrets such as passwords, API keys, certificates, and SSH keys.
A credential vault — sometimes called a secrets manager — encrypts sensitive material at rest, enforces fine-grained access policies, and issues secrets to applications and humans on demand, often as short-lived dynamic credentials. Typical implementations include HashiCorp Vault, CyberArk, AWS Secrets Manager, Azure Key Vault, and Google Secret Manager. Vaults reduce the blast radius of credential leaks by replacing hard-coded secrets in code and configuration with API-driven retrieval, integrating with IAM for fine-grained authorization, and producing tamper-evident audit logs. They are also the foundation of Privileged Access Management programs, supporting just-in-time access, session brokering, and automatic rotation of database, cloud, and service-account credentials.
● Examples
- 01
A CI pipeline fetching a short-lived database password from HashiCorp Vault at deploy time.
- 02
A PAM platform brokering RDP sessions to a Windows server using credentials checked out from a vault.
● Frequently asked questions
What is Credential Vault?
A centralized, audited service that securely stores, rotates, and brokers access to secrets such as passwords, API keys, certificates, and SSH keys. It belongs to the Identity & Access category of cybersecurity.
What does Credential Vault mean?
A centralized, audited service that securely stores, rotates, and brokers access to secrets such as passwords, API keys, certificates, and SSH keys.
How do you defend against Credential Vault?
Defences for Credential Vault typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Credential Vault?
Common alternative names include: Secrets manager, Secret store.