Tools·Jun 1, 2026

HashiCorp Vault Open Source delivers robust self-hosted secrets with UI

This review examines HashiCorp Vault's open-source, self-hosted offering, evaluating its UI, access controls, and audit capabilities against common pain points in secrets management.

TL;DR

  • Best for: Teams needing a robust, self-hosted, open-source secrets manager with a functional UI for basic operations and granular access control via policies.
  • Skip if: Your primary need is out-of-the-box approval workflows or advanced project grouping features without custom configuration, which are often enterprise-tier.
  • Bottom line: HashiCorp Vault's open-source version provides a solid foundation for secure secrets management, addressing the core needs of UI-based secret creation, custom roles, and audit logging.

METHODOLOGY

This v0 review draws on HashiCorp's published documentation for the open-source version of Vault, specifically focusing on capabilities available in its self-hosted deployment. Independent benchmarks and hands-on testing of performance or long-term workflow integration are pending. We will re-test and update this review if claims in the official documentation diverge from observed behavior in a future v1 evaluation.

  • Tool name + version + date observed: HashiCorp Vault (latest stable open-source version, as of May 2026)
  • Source signal URL: https://www.reddit.com/r/selfhosted/comments/1tp45nb/any_open_source_selfhosted_secrets_manager_with/ (accessed 2026-05-27)
  • What's covered in this review: This review covers the open-source features of HashiCorp Vault as described in its official documentation, including its UI for secret management, policy system for access control, and audit logging capabilities. It addresses the specific pain points raised by the user cranberrie_sauce regarding UI limitations, custom roles, audit features, and basic secret creation.
  • What's NOT covered: This review does not include independent performance benchmarks, long-term workflow integration analysis, or an exhaustive evaluation of every edge case. Enterprise-specific features, such as advanced approval workflows or multi-datacenter replication, are also outside the scope of this open-source focused review.

WHAT IT DOES

HashiCorp Vault is a secrets management tool designed to secure, store, and tightly control access to tokens, passwords, certificates, encryption keys, and other sensitive data. The open-source version is self-hostable and provides a comprehensive set of features for managing secrets.

UI for secret creation

The open-source Vault UI provides a clear interface for creating, reading, updating, and deleting secrets within various secret engines. For instance, users can navigate to a KV (Key-Value) secrets engine, define a path, and then input key-value pairs directly through the web interface. This directly addresses cranberrie_sauce's complaint about OpenBao lacking UI-based secret creation.

Granular access control

Vault's policy system allows for highly granular control over who can access what secrets and what actions they can perform. Policies are written in HCL or JSON and define paths and capabilities (read, write, list, deny, etc.). These policies can be attached to users or groups, effectively enabling the creation of custom roles without requiring a paid subscription. This directly counters the Infisical limitation of gated custom roles.
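
How a custom role built from path stanzas resolves to an allow or deny decision, as an added example that is not from the review or from HashiCorp. The `app-dev` policy, its paths and the Python resolver are constructed for illustration, and the resolver is a simplification (exact match, then longest `*` prefix; no `+` segments or templating).

```python
import re

# Constructed policy for a hypothetical "app-dev" role on a KV v2 mount at secret/.
# KV v2 keeps values under data/ and listings under metadata/, so both need stanzas.
APP_DEV_HCL = '''
path "secret/data/app/*"      { capabilities = ["create", "read", "update"] }
path "secret/metadata/app/*"  { capabilities = ["list", "read"] }
path "secret/data/app/prod/*" { capabilities = ["deny"] }
'''

STANZA = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')

def parse_policy(hcl):
    """Extract {path pattern: set(capabilities)} from simple single-stanza HCL."""
    acl = {}
    for pattern, caps in STANZA.findall(hcl):
        acl.setdefault(pattern, set()).update(re.findall(r'"(\w+)"', caps))
    return acl

def capabilities(acl, path):
    """Simplified resolution: exact match first, else the longest matching '*' prefix."""
    if path in acl:
        caps = acl[path]
    else:
        globs = [p for p in acl if p.endswith("*") and path.startswith(p[:-1])]
        if not globs:
            return set()  # nothing matches: access is denied by default
        caps = acl[max(globs, key=len)]
    # deny on the selected stanza overrides anything else granted there
    return {"deny"} if "deny" in caps else set(caps)

def allowed(acl, path, capability):
    return capability in capabilities(acl, path)

if __name__ == "__main__":
    acl = parse_policy(APP_DEV_HCL)
    for p, c in [("secret/data/app/dev/db", "read"),
                 ("secret/data/app/prod/db", "read"),
                 ("secret/data/app/dev/db", "delete")]:
        print(f"{c:7} {p:28} -> {'allow' if allowed(acl, p, c) else 'deny'}")
```

The narrower `prod/*` stanza wins over the broader `app/*` grant because the most specific path is selected, which is the property to check when reviewing a role before attaching it.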

Comprehensive audit logging

Vault includes robust audit logging capabilities in its open-source version. Audit devices record all requests and responses to Vault, providing a tamper-resistant log of who accessed what, when, and from where. These logs are crucial for compliance and security monitoring. This feature is available out-of-the-box, unlike the gated audit/insights features noted for Infisical.
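
One way to turn those audit records into "who accessed what, when, and from where", as an added example that is not from the review or from HashiCorp. The log lines are constructed in the JSON-lines shape a file audit device writes, reduced to the fields used here, and the identities, addresses and threshold are assumptions.

```python
import json
from collections import Counter

# Constructed sample. Real entries carry more fields and HMAC-hashed token values.
SAMPLE = "\n".join([
    '{"type":"request","time":"2026-05-20T09:00:00Z","auth":{"display_name":"userpass-alice","policies":["app-dev"]},"request":{"operation":"read","path":"secret/data/app/dev/db","remote_address":"10.0.0.5"}}',
    '{"type":"response","time":"2026-05-20T09:00:00Z","auth":{"display_name":"userpass-alice","policies":["app-dev"]},"request":{"operation":"read","path":"secret/data/app/dev/db","remote_address":"10.0.0.5"}}',
    '{"type":"response","time":"2026-05-20T09:01:10Z","auth":{"display_name":"userpass-bob","policies":["app-dev"]},"request":{"operation":"read","path":"secret/data/app/prod/db","remote_address":"10.0.0.9"},"error":"permission denied"}',
    '{"type":"response","time":"2026-05-20T09:01:12Z","auth":{"display_name":"userpass-bob","policies":["app-dev"]},"request":{"operation":"read","path":"secret/data/app/prod/api","remote_address":"10.0.0.9"},"error":"permission denied"}',
    '{"type":"response","time":"2026-05-20T09:01:15Z","auth":{"display_name":"userpass-bob","policies":["app-dev"]},"request":{"operation":"list","path":"secret/metadata/app/prod/","remote_address":"10.0.0.9"},"error":"permission denied"}',
    '{"type":"response","time":"2026-05-20T09:02:00Z","auth":null,"request":{"operation":"upd',
])

def parse(log_text):
    """Yield response entries only (each call is logged as request and response);
    skip blank or truncated lines instead of aborting the whole run."""
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(entry, dict) and entry.get("type") == "response":
            yield entry

def who(entry):
    """(identity, source address) for an entry, tolerating null auth blocks."""
    auth, req = entry.get("auth") or {}, entry.get("request") or {}
    return auth.get("display_name", "unknown"), req.get("remote_address", "unknown")

def denied_counts(log_text):
    """Count permission-denied responses per (identity, source address)."""
    return Counter(who(e) for e in parse(log_text)
                   if "permission denied" in (e.get("error") or ""))

def repeated_denials(log_text, threshold=3):
    """Identities at or above the denial threshold: candidates for review."""
    return sorted(k for k, n in denied_counts(log_text).items() if n >= threshold)

def secret_reads(log_text, prefix="secret/data/"):
    """Successful reads under a KV v2 data prefix as (time, identity, path)."""
    return [(e.get("time"), who(e)[0], e["request"]["path"]) for e in parse(log_text)
            if not e.get("error") and (e.get("request") or {}).get("operation") == "read"
            and e["request"].get("path", "").startswith(prefix)]

if __name__ == "__main__":
    print(repeated_denials(SAMPLE), secret_reads(SAMPLE))
```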

API for programmatic access

Beyond the UI, Vault offers a comprehensive HTTP API, allowing for programmatic interaction with all its features. This enables seamless integration with applications, CI/CD pipelines, and automation scripts to retrieve, create, or update secrets. This fulfills the requirement for basic secret management via API.

WHAT'S INTERESTING / WHAT'S NOT

What's interesting about HashiCorp Vault's open-source offering is its commitment to providing a solid, functional core for secrets management without significant feature gating for basic needs. The UI is intuitive enough for common operations like creating and managing KV secrets, and the policy system is powerful. The ability to define custom roles through HCL policies is a significant advantage over tools that gate this fundamental security feature behind a paywall. The audit logging is also a critical, non-gated component, essential for any serious self-hosted secrets solution.

What's not interesting, or rather, what requires careful consideration, is that while Vault's open-source version is highly capable, some advanced features that cranberrie_sauce mentioned, such as explicit approval policies or sophisticated project grouping (beyond what can be achieved with careful path and policy design), are indeed part of Vault's enterprise offering. This is a common pattern for mature open-source projects with commercial backing. However, for

Sources · how we verified
  1. any open source self-hosted secrets manager with UI? (no infisical or openbao)
  2. Vault Documentation | HashiCorp

Reported by the Riley desk on Founderr Pulse’s Tools beat. Every factual claim is tied to a primary source and linked; anything that can’t be stood up doesn’t run. Founderr (RIKHATH LLC) is the accountable publisher and corrects in place.