Learn HashiCorp Vault by running it. Work through the lessons in order and you'll go from your first stored secret to dynamic database credentials and encryption as a service — KV secrets, policies, auth methods, dynamic secrets, transit, and app integration. Every lesson is commands you run against a local Vault.
This course teaches HashiCorp Vault by running a real server and talking to it from the command line — so you need terminal comfort. You do NOT need a cloud account or any production setup: everything runs against a local in-memory dev server. New to the command line? Do the Linux course first. (Note: this is HashiCorp Vault, the secrets server — not "Ansible Vault", which is a different tool.)
Before you start
You need the Vault CLI. Install it for your OS, then start a local dev server — an in-memory Vault that needs no configuration and is wiped when you stop it. No cloud, no production setup.
Windows
Via winget.
winget install -e Hashicorp.Vault
macOS
Via Homebrew.
brew tap hashicorp/tap
brew install hashicorp/tap/vault
Linux
Via the HashiCorp apt repo (add the repository to your system first).
sudo apt install vault
Start the dev server in one terminal, then point the CLI at it in another:
# terminal 1 — leave it running
vault server -dev
# terminal 2
export VAULT_ADDR='http://127.0.0.1:8200'
vault status
Your First Vault
Start a local Vault dev server, talk to it with the CLI, and store and read your first secret — the hands-on foundation, with no cloud and no production setup to wrestle.
The KV Secrets Engine
Store static secrets properly — versioned keys, metadata, soft deletes you can undo, and the difference between KV v1 and v2 that trips everyone up.
Policies
Control who can touch which secret. Write HCL policies that grant capabilities on paths, attach them to tokens, and test that least-privilege access actually works.
Authentication Methods
Stop using the root token. Enable real auth methods — userpass for humans, AppRole for machines — so every identity logs in and receives a scoped, expiring token.
Dynamic Secrets
Stop sharing one static database password. Have Vault generate a unique, time-limited credential per client on demand, then revoke it automatically when the lease ends.
Transit: Encryption as a Service
Encrypt application data without your app ever holding a key. The transit engine encrypts and decrypts on demand, and rotates keys without re-encrypting your data.
Using Vault from Apps & CI
Get secrets out of Vault and into your application and pipelines — environment injection, the AppRole login flow in CI, Vault Agent, and the production seal you must understand.