Application Server Security

Encrypt Communication Using SSL/HTTPS

It is highly recommended that all communication between web browsers and your Vault server be encrypted and secured using the SSL/HTTPS protocol. Installing a third-party domain or self-signed SSL/HTTPS certificate on your website is also recommended for maximum security.

Restrict Access to Vault File System

Access to your Vault directory should be limited to a minimum number of users. The file system contains the Vault encryption key and database connection information, which is vital in disaster recovery situations.

Restrict Access to the Application Server

Users with login rights to the application server may be able to read plain text passwords and other sensitive information by accessing memory. Access to the application server should be limited to a minimum number of users.

Application Pool Identity

The Vault application pool account does not need full rights to the entire system, only the Vault files and services. As such, a more limited account can be used than "LocalSystem" or "NetworkService."
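
One way to check the two recommendations above ("Restrict Access to Vault File System" and "Application Pool Identity") on the IIS host. This is an added example, not part of the original page or the vendor's tooling; the install path and application pool name are placeholders to replace with your own.

```powershell
# Added example (not vendor code). Both defaults are placeholders:
# pass the directory and IIS application pool your installation uses.
param(
    [string]$VaultPath = 'C:\inetpub\wwwroot\Vault',  # assumed install path
    [string]$PoolName  = 'VaultAppPool'               # assumed pool name
)
Import-Module WebAdministration

# 1. Application pool identity: flag the two broad built-in accounts.
$pm = Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel
if ($pm.identityType -in 'LocalSystem', 'NetworkService') {
    Write-Warning "Pool '$PoolName' runs as $($pm.identityType); switch to a more limited account."
} else {
    Write-Output "Pool '$PoolName' identity type: $($pm.identityType)"
}

# 2. Vault directory ACL, compared by well-known SID so the check
#    also works on non-English Windows installations.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$expected = 'S-1-5-18', 'S-1-5-32-544'   # SYSTEM, BUILTIN\Administrators
$sidType  = [System.Security.Principal.SecurityIdentifier]

$rules = (Get-Acl -LiteralPath $VaultPath).GetAccessRules($true, $true, $sidType)
$report = foreach ($r in $rules) {
    if ($r.AccessControlType -ne 'Allow') { continue }
    $sid = $r.IdentityReference.Value
    try   { $name = $r.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $name = $sid }   # orphaned SID: the account no longer resolves
    $status = if ($broad.ContainsKey($sid)) { 'BROAD' } elseif ($sid -in $expected) { 'ok' } else { 'REVIEW' }
    [pscustomobject]@{
        Status = $status; Account = $name
        Rights = $r.FileSystemRights; Inherited = $r.IsInherited
    }
}
$report | Sort-Object Status | Format-Table -AutoSize
```

Rows marked BROAD grant access to a catch-all group and should be removed; rows marked REVIEW (which will include the application pool account itself) are the entries to confirm against your list of intended users.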

Encrypt Your Vault Encryption Key

Vault uses ASP.NET encryption to secure keys and other sensitive data. Your Vault encryption key and configuration files are encrypted upon installation and should be decrypted for troubleshooting purposes only.


You should create a backup of the plain text encryption key that was entered during installation of Vault. In a disaster recovery scenario, Vault may not be accessible without a backup of the key. It is not recommended that the backup be stored digitally. Instead, a physical copy should be created and stored in a secure location such as a safe.

Review Activity and Permissions Logs

Check Vault's activity and permissions reports for login and permission failures and other unusual events, and periodically review who has access to the system, who has access to credentials, and what those with access are permitted to do within the system.