Perimattic
Vault logo
DevToolsFrom $29/app/month

Managed Vault Hosting

Secrets management and data protection

What is Vault on ManageStacks?

Vault on ManageStacks is HashiCorp Vault (or OpenBao, the Linux Foundation Apache-2.0 fork) deployed to your own AWS, Azure, or GCP region — priced flat at $29 per instance per month with cloud-KMS-based auto-unseal, dynamic secrets for databases and cloud providers, PKI + SSH certificate management, and full audit logging. Materially cheaper than AWS Secrets Manager or Doppler at scale, and secrets never leave your cloud region. Licence-safe: pick HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0) based on your posture on the 2023 licence change.

Vault on ManageStacks is HashiCorp Vault (or OpenBao, the Linux Foundation Apache-2.0 fork) deployed to your own AWS, Azure, or GCP region — priced flat at $29 per instance per month with cloud-KMS-based auto-unseal, dynamic secrets for databases and cloud providers, PKI + SSH certificate management, and full audit logging. Materially cheaper than AWS Secrets Manager or Doppler at scale, and secrets never leave your cloud region. Licence-safe: pick HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0) based on your posture on the 2023 licence change.

About Vault

What Vault does, and why teams deploy it.

HashiCorp Vault is the de-facto tool for securely accessing secrets — API keys, database passwords, TLS certificates, encryption keys — and for dynamic secrets that are generated on demand for databases and cloud providers. It provides a unified interface with tight identity-based access control and detailed audit logging.

Vault's dynamic-secrets feature is unique: instead of storing static credentials, Vault generates short-lived credentials on demand for Postgres, MySQL, MongoDB, AWS IAM, GCP IAM, SSH, and Kubernetes — meaning your applications never handle long-lived secrets, and revocation is automatic when a lease expires. The PKI and SSH engines let Vault issue TLS certificates and SSH certificates on demand, replacing traditional CA setups.

In 2023 HashiCorp changed Vault's licence from MPL 2.0 to BSL 1.1 (Business Source Licence — source-available but restricts commercial reselling). The Linux Foundation forked the last MPL version as OpenBao. Both are wire-compatible; ManageStacks supports both, so you pick based on your licence posture.

Self-hosting Vault means running Vault with a storage backend (Raft integrated storage is now recommended), configuring auto-unseal against your cloud KMS (essential — otherwise Vault starts sealed and manual unseal keys are needed after every restart), setting up HA replicas (Vault Enterprise features like DR replication are BSL-only), and coordinating upgrades. ManageStacks handles all of that.

DIY vs ManageStacks

What running Vault yourself looks like — and what it looks like with us.

DIY self-hosting

  • Install Vault, choose storage backend (Raft vs external), configure it
  • Set up cloud-KMS auto-unseal by hand — critical for production
  • Configure HA replicas + Raft cluster; test failover
  • Set up audit logging pipeline; wire in your monitoring
  • Track the BSL vs OpenBao licence question yourself

On ManageStacks

  • Subscribe through your AWS, Azure, or GCP marketplace
  • Vault (or OpenBao) comes up with Raft storage + KMS auto-unseal configured
  • HA-mode with 3+ nodes available on Business+
  • Audit logs stream to your monitoring stack automatically
  • Rolling version upgrades handled by us

Vault on ManageStacks — key numbers

Dynamic secrets

Short-lived DB / cloud / SSH credentials on demand

$29/mo

Flat per instance; HA + Raft on Business+

KMS auto-unseal

AWS / GCP / Azure KMS supported

Vault or OpenBao

Pick your licence posture

Key features

Everything Vault ships with, running on our stack.

  • Centralised secrets management with identity-based access policies
  • Dynamic secrets for Postgres, MySQL, MongoDB, AWS IAM, GCP IAM, K8s
  • Encryption as a service — encrypt/decrypt via API without storing keys client-side
  • PKI engine — issue TLS certificates from an internal CA on demand
  • SSH engine — issue SSH certificates for cert-based host auth
  • Cloud-KMS auto-unseal (AWS KMS, GCP KMS, Azure Key Vault)
  • Detailed audit logging to file or syslog for compliance
  • Vault Agent for automatic secret retrieval + template rendering
  • OpenBao (Apache-2.0) drop-in option — no BSL licence concerns
  • REST API + CLI + agent, and integrations for K8s, Terraform, Ansible
How it deploys

From subscribe to live in minutes.

1

Subscribe

Subscribe to ManageStacks through your AWS, Azure, or GCP marketplace.

2

Choose engine

Pick HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0).

3

Provision

Vault spins up with Raft storage, cloud-KMS auto-unseal, TLS, and audit logging — typically 3-5 minutes.

4

Configure auth + engines

Set up auth methods (Kubernetes, AWS IAM, OIDC), enable secret engines (KV, Postgres, PKI), and write policies.

Who this is for

Built for teams that want Vault to just work.

Platform / DevOps teams

You need centralised secrets management with dynamic credentials for databases. Vault is the standard; ManageStacks runs it in HA with auto-unseal so you don't have to.

Teams doing zero-trust / short-lived credentials

Long-lived DB passwords are a security anti-pattern. Vault's dynamic secrets rotate on every use with automatic revocation. Essential for regulated environments.

OpenBao / OSI-only shops

Post-BSL HashiCorp is off-limits for your organisation. OpenBao on ManageStacks keeps you on Apache-2.0 with the same protocol.

Compliance & compatibility

What we handle, what Vault runs on.

Compliance & operations

  • TLS-encrypted API + inter-node communication
  • Cloud-KMS-based master key encryption + auto-unseal
  • Detailed audit logs to file or syslog for compliance retention
  • GDPR data-residency — deployment stays in your chosen cloud region
  • OS-level and Vault security patches applied during your maintenance window
  • OpenBao option keeps you on a fully OSI-approved licence

Compatibility

Version
Latest HashiCorp Vault (BSL 1.1) or OpenBao (Apache-2.0) LTS
Runtime
Vault or OpenBao Go binary on containerised infrastructure
Dependencies
Raft integrated storage, cloud KMS for auto-unseal
Min. resources
1 vCPU / 2 GB RAM (dedicated); more for HA setups
How ManageStacks helps

We handle the parts you shouldn't be writing yourself.

ManageStacks deploys Vault (or OpenBao) with cloud-KMS-based auto-unseal, Raft integrated storage, TLS, and audit logging enabled. We handle HA setup, encrypted backups, and rolling version upgrades — you configure the auth methods, secret engines, and policies for your infrastructure.

How it compares

Vault on ManageStacks vs the alternatives.

How Vault on ManageStacks compares to the hyperscaler secrets managers and the developer-focused vendor.

Comparison of Vault on ManageStacks against publicly-documented alternatives across deployment model, data residency, pricing basis, custom domain support, open-source status, and data export.
PropertyVault on ManageStacksUsAWS Secrets ManagerGCP Secret ManagerDoppler
DeploymentManaged on your AWS, Azure, or GCPAWS-managedGCP-managedVendor-hosted
Data residencyYour cloud regionAWS regionGCP regionVendor infrastructure
Pricing basisFlat per instancePer secret + per API callPer secret + per accessPer user + per project
Dynamic secretsYes (Postgres, MySQL, AWS, K8s, SSH)Limited to a few enginesLimitedNo
LicenseBSL 1.1 or Apache-2.0 (OpenBao)No (proprietary)No (proprietary)No (proprietary)
Auto-unseal via cloud KMSYes (AWS/GCP/Azure KMS)N/A (managed)N/AN/A

Comparison focuses on architectural properties (deployment model, pricing basis, open-source status) that don't change with vendor pricing pages. Verify current pricing on each vendor's own site.

FAQ

Common questions about Vault on ManageStacks.

HashiCorp Vault or OpenBao — which should I pick?
OpenBao is the Linux Foundation Apache-2.0 fork of Vault from before the 2023 BSL licence change. Both currently share the same core codebase and API. Pick OpenBao if licence purity matters (OSI-approved, no commercial-reselling restrictions) or if you're wary of HashiCorp's IBM acquisition. Pick HashiCorp Vault if you want the vendor's roadmap and specifically need Vault Enterprise features (DR replication, HSM support) via a HashiCorp licence.
How does this compare to AWS Secrets Manager, GCP Secret Manager, or Doppler?
AWS/GCP Secret Manager are per-secret + per-API-call priced. Doppler is per-user + per-project. All grow linearly with scale. ManageStacks Vault is flat $29 per instance regardless of secret count or call volume. For teams beyond ~20 users or applications with high secret-fetch volume, self-hosted Vault on ManageStacks is materially cheaper. AWS/GCP Secret Manager win on tight IAM integration; Doppler on the developer-experience polish; Vault on dynamic secrets and PKI features that no vendor tool matches.
How does auto-unseal work?
Vault stores its master key encrypted by your cloud KMS (AWS KMS, GCP KMS, Azure Key Vault). On restart, Vault fetches the KMS-encrypted key, decrypts via KMS, and auto-unseals — no manual unseal keys needed. This is essential for production; without auto-unseal, every restart requires manual key entry.
What are dynamic secrets and why do they matter?
Instead of storing a long-lived Postgres password, Vault generates a new Postgres user with a random password on every request, with a TTL (say 1 hour). Your app fetches the credential, uses it, and Vault auto-revokes when the lease expires. No long-lived secrets in circulation, and revocation is automatic. Available for Postgres, MySQL, MongoDB, AWS IAM (STS), GCP IAM, K8s ServiceAccount tokens, SSH, and more.
How is HA configured?
Vault runs with Raft integrated storage (recommended) or with an external backend (Postgres, Consul). Standard plan is a single Vault; Business+ deploys 3+ Vault nodes with Raft consensus for automatic failover. DR replication (secondary DC) is a Vault Enterprise feature — only available if you bring your own HashiCorp licence.
Does ManageStacks handle Vault version upgrades?
Yes. Rolling upgrades on Raft HA setups keep Vault available throughout. We track upstream releases and validate against a staging clone of your data before rolling forward.
Can I integrate Vault with Kubernetes?
Yes. Vault Agent Injector (via a K8s mutating webhook) auto-injects secrets into pods without your app needing Vault-specific code. K8s auth method lets pods authenticate to Vault using their ServiceAccount token. Fully documented pattern.
What happens to my secrets if I want to move off?
Vault provides `vault operator raft snapshot save` for full backup. Restore into any Vault or OpenBao deployment. Secrets, policies, auth methods, and audit devices all persist. Migration off is a supported operation.

Deploy Vault in under 5 minutes.

Subscribe through your AWS, Azure, or GCP marketplace. We handle provisioning, SSL, monitoring, backups, updates, and security. From $29/app/month.