Vault can store your existing secrets, or it can dynamically generate new secrets to control access to third-party resources or provide time-limited credentials for your infrastructure. All data that Vault stores is encrypted. Any dynamically-generated secrets are associated with leases, and Vault will automatically revoke these secrets after the lease period ends. Access control policies provide strict control over who can access what secrets.
Secrets you store within Vault can be updated at any time. If using Vault's encryption-as-a-service functionality, the keys used can be rolled to a new key version at any time, while retaining the ability to decrypt values encrypted with past key versions. For dynamically-generated secrets, configurable maximum lease lifetimes ensure that key rolling is easy to enforce.
Vault stores a detailed audit log of all authenticated client interaction: authentication, token creation, secret access, secret revocation, and more. Audit logs can be sent to multiple backends to ensure redundant copies. Paired with Vault's strict leasing policies, operators can easily trace the lifetime and origin of any secret.