HashiCorp Vault — Trivia & Interesting Facts
Surprising, historical, and little-known facts about HashiCorp Vault.
Vault was created because secrets management was everyone's unsolved problem
Mitchell Hashimoto and Armon Dadgar launched Vault in April 2015 after observing that every organization they worked with stored secrets in environment variables, config files, or sticky notes. There was no standard tool for secrets management. Vault was designed to be that standard — and it largely succeeded.
The "unseal" ceremony comes from nuclear launch key concepts
Vault's unsealing process — requiring multiple key holders to present their shares before the vault becomes operational — is inspired by the split-key security used for nuclear weapons and bank vaults. Vault uses Shamir's Secret Sharing, a cryptographic technique from 1979 in which a secret is split into a number of shares and a minimum number of those shares (the threshold) is needed to reconstruct it; fewer than the threshold reveal nothing about the secret.
Vault's dynamic secrets were revolutionary
Before Vault, secrets like database credentials were static — created once and used forever. Vault introduced dynamic secrets: credentials generated on-demand with automatic expiration. A database credential might live for only 1 hour, then Vault automatically revokes it. This dramatically reduced the blast radius of credential leaks.
HashiCorp's BSL license change in 2023 was hugely controversial
In August 2023, HashiCorp changed Vault (and all its other products) from the Mozilla Public License to the Business Source License (BSL), restricting competitive commercial use. This decision shocked the open-source community and directly led to the creation of OpenBao, a community fork of Vault under the Linux Foundation.
The Transit secrets engine turns Vault into an encryption-as-a-service
Vault's Transit engine performs cryptographic operations (encrypt, decrypt, sign, verify) without ever exposing the encryption keys. Applications send plaintext to Vault and receive ciphertext — they never handle keys. This "encryption as a service" pattern was novel when introduced and is now considered a best practice for application-level encryption.
Vault Agent Sidecar Injector transformed Kubernetes secrets management
The Vault Agent Injector, released for Kubernetes in 2019, uses a mutating admission webhook to automatically inject secrets into pods as files. Before this, applications had to include Vault client code to retrieve secrets. The injector made Vault adoption transparent to applications — they just read a file — dramatically lowering the adoption barrier.
Auto-unseal was added because manual unsealing doesn't scale
Vault's manual unsealing process, while secure, was a major operational burden. If a Vault server restarted at 3 AM, someone had to manually provide unseal keys. Auto-unseal (using a cloud KMS to automatically unseal) was added in 2018, solving the operational pain while preserving the security model — the cloud KMS replaces the human key holders.
Vault stores zero secrets by default — it generates them on demand
A common misconception is that Vault is a database of secrets. In its most powerful mode, Vault stores nothing — it generates dynamic secrets on demand. When an application needs a database password, Vault creates a temporary credential in real-time, gives it to the application, and revokes it when it expires. This inverts the traditional secrets model.
The Vault community has written over 200 plugins
Vault's plugin architecture supports community-developed secrets engines and authentication methods. Over 200 plugins exist, connecting Vault to databases, cloud providers, certificate authorities, and identity providers. This extensibility is why Vault works across virtually every technology stack.
OpenBao forked Vault within weeks of the license change
The OpenBao project was announced in September 2023, just weeks after HashiCorp's BSL license change. The project, backed by IBM, was adopted by the Linux Foundation as a community-maintained fork of Vault's last open-source version. This was one of the fastest and most organized responses to a license change in open-source history.