HashiCorp Vault: English Vocabulary for Secrets Management Engineers
Master the English terminology for HashiCorp Vault — secrets engines, dynamic secrets, AppRole auth, policies, seal/unseal, and the transit engine.
Vault is the industry-standard tool for managing secrets in modern infrastructure, and conversations between security engineers are full of precise, technical English that non-native speakers often find unfamiliar. Whether you are mounting a new secrets engine, rotating credentials, or debugging a policy denial, knowing the right vocabulary helps you communicate confidently in code reviews and incident calls. This guide covers the core terms you will hear and use every day.
Key Vocabulary
Secrets engine — a plugin-style backend that Vault mounts at a path to generate, store, or process secrets of a particular type. “We mounted a new database secrets engine at db/ to handle all PostgreSQL credentials centrally.”
Dynamic secret — a credential that Vault generates on demand and automatically revokes after a configurable time-to-live (TTL), rather than a static value stored in a config file. “The team switched to dynamic secrets so that every service gets a unique, short-lived database password instead of sharing one static credential.”
AppRole — an authentication method designed for machines and services, using a role_id and secret_id pair instead of a username and password. “Our CI pipeline uses AppRole auth — the runner fetches a wrapped secret_id at build time and exchanges it for a Vault token.”
Policy — an HCL document that defines which paths an authenticated entity may read, write, list, or delete inside Vault. “I denied the request because the service token was bound to a policy that only grants read on secret/data/app/*, not secret/metadata/*.”
Seal / unseal — the mechanism that protects the key Vault uses to decrypt its storage backend; Vault starts in the sealed state and must be unsealed with a quorum of key shares before it can serve requests. “After the planned reboot, three operators each entered their unseal key share to bring the cluster back online.”
Transit engine — a secrets engine that provides encryption-as-a-service, allowing applications to encrypt and decrypt data without ever handling a raw key themselves. “Rather than managing AES keys in the application code, we pass the payload to the transit engine and store only the ciphertext in the database.”
Lease — a metadata object Vault attaches to a dynamic secret, defining its TTL and allowing callers to renew or revoke it explicitly. “The SRE renewed the lease before it expired to avoid an unexpected database disconnection during the long-running migration.”
Token accessor — an opaque identifier for a Vault token that lets operators look up or revoke a token without knowing the token value itself. “We logged the accessor at issuance time so that security could revoke the token immediately when the contractor left the company.”
Useful Phrases
- “I’m going to mount a KV v2 engine at `secret/` and migrate all the static credentials across this sprint.”
- “The PKI secrets engine is already issuing short-lived TLS certificates — we set a 24-hour TTL to reduce the blast radius of a compromised cert.”
- “Let me check the audit log; the denial usually means the policy is missing a `capabilities = ["update"]` line for that path.”
- “We wrapped the `secret_id` with a single-use token so the delivery mechanism itself cannot be replayed if intercepted.”
- “Transit is doing all the envelope encryption — the application only ever sees the ciphertext, never the data encryption key.”
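The two policy situations quoted above (read granted on secret/data/app/* but nothing on the metadata path, and a missing update capability) as a worked HCL example; this is added here and is not code from the original page, and the app/ key names are assumptions.

```hcl
# --- app.hcl, before (added example, not from the page) ---
# Only the KV v2 data path is readable, so `vault kv list secret/app/`
# (which goes through secret/metadata/) and `vault kv put secret/app/config`
# are both refused with "permission denied".
path "secret/data/app/*" {
  capabilities = ["read"]
}

# --- app.hcl, after ---
# Listing keys in KV v2 is a "list" on the metadata path, and overwriting an
# existing secret needs "update" on the data path (a brand-new key would
# need "create"). Grant only what the service actually does.
path "secret/data/app/*" {
  capabilities = ["read", "update"]
}

path "secret/metadata/app/*" {
  capabilities = ["list", "read"]
}
```

The "before" and "after" stanzas are two versions of the same file; load only one of them with `vault policy write app app.hcl`.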
Common Mistakes
Confusing “revoke” and “renew”. Non-native speakers sometimes say “renew the secret” when they mean “revoke it” because both words relate to the lifecycle of a lease. To revoke (`vault lease revoke`) is to invalidate a secret immediately; to renew (`vault lease renew`) is to extend its TTL. In incident calls, using the wrong word can cause real confusion about whether a compromised credential has been cancelled.
Saying “open” or “close” instead of “unseal” and “seal”. Vault has a specialised vocabulary here: the correct verbs are seal and unseal. Saying “let’s open Vault again” sounds informal and non-technical to native speakers; “let’s unseal the cluster” is the standard phrasing in documentation and team conversation.
Using “mount” as a noun without an article. Engineers sometimes say “we created mount at db/” instead of “we created a mount at db/” or “we mounted the database engine at db/”. The word mount is a countable noun in Vault’s context, so it needs an article or determiner when used as a noun.
Understanding Vault’s language precisely is as important as understanding its architecture — clear communication during an outage or a security incident can make the difference between a fast, coordinated response and costly confusion.