
How to Set Up HashiCorp Vault

Key idea:

HashiCorp Vault is the industry-standard secrets manager. Stores static secrets: API keys, DB passwords, TLS certs, SSH keys. Features: dynamic secrets (short-lived credentials created on demand), leases with renewal and revocation, audit logging of every request, Kubernetes integration. Deploy: Docker for local tests; Kubernetes or VMs for prod (3- or 5-node HA cluster on integrated Raft storage). Then init and unseal: init splits the root key into Shamir shares (default 5 shares, any 3 unseal), and every node must be unsealed after each restart unless auto-unseal (cloud KMS/HSM) is configured. Production: enable auth methods (LDAP/OIDC for people, Kubernetes/AppRole for workloads), write least-privilege policies, enable an audit device.

Below: step-by-step, working examples, common pitfalls, FAQ.

Step-by-Step Setup

  1. Dev mode (local test only): docker run --cap-add=IPC_LOCK -d -p 8200:8200 -e VAULT_DEV_ROOT_TOKEN_ID=dev hashicorp/vault (in-memory storage, plain HTTP, already unsealed, root token "dev")
  2. Set env: export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=dev
  3. KV v2 secret engine: dev mode already mounts one at secret/ (enabling it again fails with "path is already in use"); on a real server: vault secrets enable -path=secret kv-v2
  4. Write secret: vault kv put secret/myapp db_password=s3cr3t
  5. Read: vault kv get secret/myapp (the CLI hides the data/ prefix; the API and policy path is secret/data/myapp)
  6. Production: install via Helm in K8s, vault operator init -key-shares=5 -key-threshold=3, unseal each node with 3 shares, configure storage (integrated Raft or Consul) and TLS on the listener
  7. Enable auth methods: AppRole (machines/CI), Kubernetes (pods), LDAP or OIDC (people)
  8. Write least-privilege policies, enable an audit device, then revoke the root token
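Steps 6 to 8 as one script against Vault's HTTP API. This is an added example, not code from the page or from HashiCorp; it uses only the Python standard library and the documented endpoints (sys/init, sys/unseal, sys/audit/file, sys/mounts, sys/policies/acl). The FakeVault class is a constructed offline stand-in so the script runs without a server; with VAULT_ADDR set it talks to a real, freshly started and still uninitialised cluster. The audit file path and the policy name are assumptions. The returned unseal shares are printed only to show what init hands back; in practice each share goes to a different holder straight away.

```python
"""Bootstrap a fresh Vault: init (5 shares, threshold 3), unseal, audit, KV v2, policy.

Added example; standard library only, Vault's documented HTTP API under /v1/.
"""
import json
import os
import urllib.request

MYAPP_POLICY = """
# KV v2 data is addressed as <mount>/data/<path>; the CLI hides that prefix.
path "secret/data/myapp"        { capabilities = ["read"] }
path "secret/data/myapp/*"      { capabilities = ["read"] }
path "database/creds/readonly"  { capabilities = ["read"] }
"""


def vault_http(addr, method, path, body, token):
    """Minimal client: JSON in, JSON out; the token travels in X-Vault-Token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{addr.rstrip('/')}/v1/{path}", data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:   # 204 No Content -> empty body
        raw = resp.read()
    return json.loads(raw) if raw else {}


def bootstrap(call, shares=5, threshold=3, audit_file="/vault/logs/audit.log"):
    """`call(method, path, body, token)` returns the decoded JSON response.

    Returns the root token and the base64 unseal shares. Audit is enabled
    before anything else so that every later call is already logged.
    """
    init = call("POST", "sys/init", {"secret_shares": shares, "secret_threshold": threshold}, None)
    keys, root = init["keys_base64"], init["root_token"]

    # Any `threshold` distinct shares unseal; feed them until the server says sealed=false.
    status = {"sealed": True}
    for key in keys[:threshold]:
        status = call("PUT", "sys/unseal", {"key": key}, None)
        if not status["sealed"]:
            break
    if status["sealed"]:
        raise RuntimeError(f"still sealed after {threshold} shares: {status}")

    call("PUT", "sys/audit/file", {"type": "file", "options": {"file_path": audit_file}}, root)
    call("POST", "sys/mounts/secret", {"type": "kv", "options": {"version": "2"}}, root)
    call("PUT", "sys/policies/acl/myapp-policy", {"policy": MYAPP_POLICY}, root)
    return {"root_token": root, "unseal_keys": keys}


class FakeVault:
    """Constructed offline stand-in mimicking an uninitialised server's responses."""

    def __init__(self, shares=5, threshold=3):
        self.shares, self.threshold = shares, threshold
        self.progress, self.sealed = 0, True
        self.calls = []

    def __call__(self, method, path, body, token):
        self.calls.append((method, path, token))
        if path == "sys/init":
            return {"keys_base64": [f"share{i}" for i in range(self.shares)],
                    "root_token": "hvs.fake-root"}
        if path == "sys/unseal":
            if self.sealed:
                self.progress += 1
                if self.progress >= self.threshold:
                    self.sealed, self.progress = False, 0
            return {"sealed": self.sealed, "progress": self.progress,
                    "t": self.threshold, "n": self.shares}
        if token != "hvs.fake-root":
            raise PermissionError(f"{path}: missing token")   # real Vault answers HTTP 403
        return {}


if __name__ == "__main__":
    addr = os.environ.get("VAULT_ADDR")
    call = (lambda m, p, b, t: vault_http(addr, m, p, b, t)) if addr else FakeVault()
    result = bootstrap(call)
    # Hand each share to a different holder; never store them next to the root token.
    print(json.dumps(result, indent=2))
```

The same sequence on the CLI is vault operator init -key-shares=5 -key-threshold=3, three vault operator unseal calls, vault audit enable file file_path=..., vault secrets enable -path=secret kv-v2 and vault policy write. The script stops with an error if the server is still sealed after the threshold number of shares, which is what you see when a share is mistyped or belongs to another cluster.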

Working Examples

Scenario: commands/config

Write/read secret
  vault kv put secret/myapp api_key=sk-abc123
  vault kv get -field=api_key secret/myapp

K8s integration (pod authenticates with its ServiceAccount token)
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
      kubernetes_host=https://kubernetes.default.svc
  # enough when Vault runs in the same cluster; for an external Vault also pass kubernetes_ca_cert and token_reviewer_jwt
  vault write auth/kubernetes/role/myapp \
      bound_service_account_names=myapp \
      bound_service_account_namespaces=default \
      policies=myapp-policy \
      ttl=1h

Dynamic DB credentials
  vault secrets enable database
  vault write database/config/postgres \
      plugin_name=postgresql-database-plugin \
      connection_url='postgresql://{{username}}:{{password}}@pg:5432/postgres' \
      username=vault password='initial-pw' \
      allowed_roles=readonly
  # {{username}}/{{password}} are the template fields; {{name}} is only valid inside creation_statements
  vault write database/roles/readonly \
      db_name=postgres \
      creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
      default_ttl=1h max_ttl=24h
  vault read database/creds/readonly
  # returns a fresh user/password with a lease; Vault drops the user when the lease expires or is revoked
  vault write -f database/rotate-root/postgres
  # rotates the password of the "vault" account itself, so no human knows it afterwards

Policy file
  # myapp-policy.hcl (KV v2 data lives under <mount>/data/; the CLI hides that prefix)
  path "secret/data/myapp"       { capabilities = ["read"] }
  path "secret/data/myapp/*"     { capabilities = ["read"] }
  path "database/creds/readonly" { capabilities = ["read"] }
  vault policy write myapp-policy myapp-policy.hcl

Vault Agent injector (K8s sidecar, needs the vault-agent-injector webhook from the Helm chart)
  # Pod annotations
  vault.hashicorp.com/agent-inject: 'true'
  vault.hashicorp.com/role: 'myapp'
  vault.hashicorp.com/agent-inject-secret-db: 'secret/data/myapp'
  # the secret is rendered to /vault/secrets/db inside the pod
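The most common mistake in the policy example above is writing the CLI path (secret/myapp) instead of the API path (secret/data/myapp), or forgetting that a trailing * covers secret/data/myapp/db but not secret/data/myapp itself. The following added example, which is not Vault's own ACL code, models the documented matching rules (exact path beats glob, longest glob wins, + matches one path segment, deny wins) and translates vault kv commands into the API path and capability they need, so a policy can be checked before it is written to the server. PAGE_POLICY is the policy as shown on this page; FIXED_POLICY adds the exact-path rule it was missing.

```python
"""Evaluate a Vault ACL policy offline against the API paths the CLI really uses.

Added example; a model of the documented rules, not Vault's ACL implementation.
"""
import re

# The page's policy, and the same policy with the missing exact-path rule.
PAGE_POLICY = """
path "secret/data/myapp/*" { capabilities = ["read"] }
path "database/creds/readonly" { capabilities = ["read"] }
"""
FIXED_POLICY = PAGE_POLICY + 'path "secret/data/myapp" { capabilities = ["read"] }\n'

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}', re.S)


def parse_policy(hcl):
    """Return [(path_pattern, {capabilities})] for the simple HCL form Vault policies use."""
    return [(p, set(re.findall(r'"(\w+)"', caps))) for p, caps in _RULE.findall(hcl)]


def kv2_api_path(mount, path, cmd):
    """Translate `vault kv <cmd> <mount>/<path>` into (API path, capability required).

    KV v2 keeps data under <mount>/data/ and version bookkeeping under <mount>/metadata/.
    """
    table = {
        "get": ("data", "read"),
        "put": ("data", "create"),        # "update" once the key exists
        "delete": ("data", "update"),     # soft-delete of the latest version
        "list": ("metadata", "list"),
        "metadata": ("metadata", "read"),
        "destroy": ("destroy", "update"),
    }
    segment, cap = table[cmd]
    return f"{mount}/{segment}/{path}", cap


def _to_regex(pattern):
    """Vault glob semantics: trailing `*` matches any suffix, a `+` segment matches one segment."""
    suffix = ""
    if pattern.endswith("*"):
        pattern, suffix = pattern[:-1], ".*"
    parts = [r"[^/]+" if seg == "+" else re.escape(seg) for seg in pattern.split("/")]
    return re.compile("^" + "/".join(parts) + suffix + "$")


def allowed(policy_hcl, api_path, capability):
    """True if the policy grants `capability` on `api_path`.

    Exact rule wins outright; otherwise the longest matching pattern wins;
    a `deny` capability on the winning rule overrides everything else.
    """
    best = None
    for pattern, caps in parse_policy(policy_hcl):
        if pattern == api_path:
            best = (pattern, caps)
            break
        if _to_regex(pattern).match(api_path):
            if best is None or len(pattern) > len(best[0]):
                best = (pattern, caps)
    if best is None or "deny" in best[1]:
        return False
    return capability in best[1]


if __name__ == "__main__":
    for policy_name, policy in (("page", PAGE_POLICY), ("fixed", FIXED_POLICY)):
        for cmd in ("get", "list"):
            path, cap = kv2_api_path("secret", "myapp", cmd)
            print(f"{policy_name:5} vault kv {cmd} secret/myapp -> {path} [{cap}]: "
                  f"{'allowed' if allowed(policy, path, cap) else 'DENIED'}")
```

Run without arguments it shows that vault kv get secret/myapp is denied under the page's policy and allowed under the fixed one, and that vault kv list secret/myapp is denied under both because listing needs secret/metadata/myapp with the list capability. Use the same function to review a policy before vault policy write; it does not replace testing against a real server, since create versus update depends on whether the key already exists.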

Common Pitfalls

  • Dev mode is NOT for prod: in-memory storage, plain HTTP, auto-unsealed, root token in an environment variable; everything is lost on restart
  • Unseal key shares go to different people, never to one machine, one vault-of-passwords entry or one ticket. With 5 shares and threshold 3, losing any 3 shares means the cluster can never be unsealed again and the data is gone. Alternative: auto-unseal with a cloud KMS or HSM, and then guard the recovery keys the same way
  • Root token is for bootstrap only. Once auth methods and policies exist, revoke it (vault token revoke <token>); if you ever need one again, vault operator generate-root creates it with a quorum of unseal shares. Workloads use AppRole or Kubernetes auth
  • Audit device is mandatory for compliance: Vault without audit is a blind spot. Note that if every enabled audit device fails to write, Vault refuses the request, so run two (file plus syslog or socket) and monitor both
  • Back up Raft storage regularly: vault operator raft snapshot save backup.snap. The snapshot is still encrypted by the root key, so restoring it elsewhere needs the matching unseal or recovery keys; test the restore, not just the backup
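What "5 shares, 3 to unseal" means in practice, as an added example that is not Vault's code: Shamir secret sharing over GF(2^8), byte by byte, the same field Vault's shamir package uses. Any three shares rebuild the key exactly; two shares produce an unrelated value, which is why losing three of five shares, or holding fewer than the threshold, leaves the data unrecoverable. The rng parameter exists only so the demonstration can be made deterministic; real splits draw from secrets.token_bytes, and the sample secret is constructed.

```python
"""Shamir secret sharing over GF(2^8), the scheme behind Vault's unseal keys.

Added example for illustration; not HashiCorp's implementation.
"""
import secrets

_POLY = 0x11B  # AES field modulus x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) (carry-less, reduced modulo _POLY)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= _POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse via a^254 = a^-1 (Fermat in a field of 256 elements)."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def _eval_poly(coeffs, x):
    """Horner evaluation; coeffs[0] is the secret byte (the constant term)."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def shamir_split(secret, shares, threshold, rng=secrets.token_bytes):
    """Split `secret` into `shares` pieces of which any `threshold` reconstruct it.

    Each share is (x, y_bytes) with x in 1..shares; x = 0 would be the secret itself.
    A fresh random polynomial of degree threshold-1 is drawn for every byte.
    """
    if not 1 < threshold <= shares <= 255:
        raise ValueError("need 1 < threshold <= shares <= 255")
    out = [(x, bytearray()) for x in range(1, shares + 1)]
    for b in secret:
        coeffs = [b] + list(rng(threshold - 1))
        for x, ys in out:
            ys.append(_eval_poly(coeffs, x))
    return [(x, bytes(ys)) for x, ys in out]


def shamir_combine(shares):
    """Lagrange-interpolate every byte at x = 0. Wrong answer, no error, with too few shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    if len({len(y) for _, y in shares}) != 1:
        raise ValueError("shares differ in length")
    secret = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for k, (xk, _) in enumerate(shares):
                if k != j:
                    num = gf_mul(num, xk)       # (0 - x_k) == x_k in characteristic 2
                    den = gf_mul(den, xj ^ xk)  # (x_j - x_k)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        secret.append(acc)
    return bytes(secret)


if __name__ == "__main__":
    root_key = secrets.token_bytes(32)            # constructed stand-in for Vault's root key
    shares = shamir_split(root_key, 5, 3)
    print("3 of 5 rebuild the key:", shamir_combine(shares[:3]) == root_key)
    print("2 of 5 rebuild the key:", shamir_combine(shares[:2]) == root_key)
```

Note that combine with too few shares does not fail, it simply returns garbage; Vault detects that case only because the wrong root key cannot decrypt the barrier. This is also why the operator init output must be treated as the only moment all shares are ever in one place.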
Frequently Asked Questions

Vault or AWS Secrets Manager?

AWS Secrets Manager: fully managed, tight IAM integration, about $0.40 per secret per month plus API-call charges; rotation only via Lambda functions you write. Vault: multi-cloud, dynamic credentials for databases and clouds, extra engines (transit encryption, PKI, SSH), fine-grained policies; the price is running, patching, unsealing and backing up the cluster yourself (or paying for HCP Vault).

License — open-source?

Not any more. Vault moved to the Business Source License (BSL 1.1) in August 2023, like Terraform: the source stays public and internal use is allowed, but offering it as a competing hosted product is not. OpenBao, hosted under the Linux Foundation, is the open-source fork.

How to rotate secrets?

Dynamic secrets: every read of database/creds/<role> issues a new credential with its own lease; let the lease expire or revoke it (vault lease revoke) and the old credential disappears, so rotation is built in. The database engine also has static roles (database/static-roles) that rotate the password of an existing account on a schedule. Static KV secrets are not rotated by Vault: write the new value as a new version (KV v2 keeps history and can delete old versions after a TTL), keep consumer TTLs short, and trigger the update from CI or the API.

App integration?

Vault Agent (sidecar or host daemon: logs in, renews the token and leases, renders secrets to files from templates); client libraries (hvac for Python, the official Go client, Spring Vault for Java); the Kubernetes Agent Injector (annotations above); the Vault Secrets Operator, which syncs Vault secrets into Kubernetes Secrets; or the HTTP API directly.