Dynamic secrets
Short-lived DB / cloud / SSH credentials on demand

Secrets management and data protection
What is Vault on ManageStacks?
Vault on ManageStacks is HashiCorp Vault (or OpenBao, the Linux Foundation Apache-2.0 fork) deployed to your own AWS, Azure, or GCP region — priced flat at $29 per instance per month with cloud-KMS-based auto-unseal, dynamic secrets for databases and cloud providers, PKI + SSH certificate management, and full audit logging. Materially cheaper than AWS Secrets Manager or Doppler at scale, and secrets never leave your cloud region. Licence-safe: pick HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0) based on your posture on the 2023 licence change.
Vault on ManageStacks is HashiCorp Vault (or OpenBao, the Linux Foundation Apache-2.0 fork) deployed to your own AWS, Azure, or GCP region — priced flat at $29 per instance per month with cloud-KMS-based auto-unseal, dynamic secrets for databases and cloud providers, PKI + SSH certificate management, and full audit logging. Materially cheaper than AWS Secrets Manager or Doppler at scale, and secrets never leave your cloud region. Licence-safe: pick HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0) based on your posture on the 2023 licence change.
HashiCorp Vault is the de-facto tool for securely accessing secrets — API keys, database passwords, TLS certificates, encryption keys — and for dynamic secrets that are generated on demand for databases and cloud providers. It provides a unified interface with tight identity-based access control and detailed audit logging.
Vault's dynamic-secrets feature is unique: instead of storing static credentials, Vault generates short-lived credentials on demand for Postgres, MySQL, MongoDB, AWS IAM, GCP IAM, SSH, and Kubernetes — meaning your applications never handle long-lived secrets, and revocation is automatic when a lease expires. The PKI and SSH engines let Vault issue TLS certificates and SSH certificates on demand, replacing traditional CA setups.
In 2023 HashiCorp changed Vault's licence from MPL 2.0 to BSL 1.1 (Business Source Licence — source-available but restricts commercial reselling). The Linux Foundation forked the last MPL version as OpenBao. Both are wire-compatible; ManageStacks supports both, so you pick based on your licence posture.
Self-hosting Vault means running Vault with a storage backend (Raft integrated storage is now recommended), configuring auto-unseal against your cloud KMS (essential — otherwise Vault starts sealed and manual unseal keys are needed after every restart), setting up HA replicas (Vault Enterprise features like DR replication are BSL-only), and coordinating upgrades. ManageStacks handles all of that.
DIY self-hosting
On ManageStacks
Dynamic secrets
Short-lived DB / cloud / SSH credentials on demand
$29/mo
Flat per instance; HA + Raft on Business+
KMS auto-unseal
AWS / GCP / Azure KMS supported
Vault or OpenBao
Pick your licence posture
Subscribe to ManageStacks through your AWS, Azure, or GCP marketplace.
Pick HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0).
Vault spins up with Raft storage, cloud-KMS auto-unseal, TLS, and audit logging — typically 3-5 minutes.
Set up auth methods (Kubernetes, AWS IAM, OIDC), enable secret engines (KV, Postgres, PKI), and write policies.
You need centralised secrets management with dynamic credentials for databases. Vault is the standard; ManageStacks runs it in HA with auto-unseal so you don't have to.
Long-lived DB passwords are a security anti-pattern. Vault's dynamic secrets rotate on every use with automatic revocation. Essential for regulated environments.
Post-BSL HashiCorp is off-limits for your organisation. OpenBao on ManageStacks keeps you on Apache-2.0 with the same protocol.
ManageStacks deploys Vault (or OpenBao) with cloud-KMS-based auto-unseal, Raft integrated storage, TLS, and audit logging enabled. We handle HA setup, encrypted backups, and rolling version upgrades — you configure the auth methods, secret engines, and policies for your infrastructure.
How Vault on ManageStacks compares to the hyperscaler secrets managers and the developer-focused vendor.
| Property | Vault on ManageStacksUs | AWS Secrets Manager | GCP Secret Manager | Doppler |
|---|---|---|---|---|
| Deployment | Managed on your AWS, Azure, or GCP | AWS-managed | GCP-managed | Vendor-hosted |
| Data residency | Your cloud region | AWS region | GCP region | Vendor infrastructure |
| Pricing basis | Flat per instance | Per secret + per API call | Per secret + per access | Per user + per project |
| Dynamic secrets | Yes (Postgres, MySQL, AWS, K8s, SSH) | Limited to a few engines | Limited | No |
| License | BSL 1.1 or Apache-2.0 (OpenBao) | No (proprietary) | No (proprietary) | No (proprietary) |
| Auto-unseal via cloud KMS | Yes (AWS/GCP/Azure KMS) | N/A (managed) | N/A | N/A |
Comparison focuses on architectural properties (deployment model, pricing basis, open-source status) that don't change with vendor pricing pages. Verify current pricing on each vendor's own site.
Subscribe through your AWS, Azure, or GCP marketplace. We handle provisioning, SSL, monitoring, backups, updates, and security. From $29/app/month.