---
title: Pulumi ESC vs HashiCorp Vault
url: /docs/esc/vs/vault/
---

Choosing the right [secrets management](/what-is/what-is-secrets-management/) tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with HashiCorp Vault, and how ESC and Vault can be used together.

## What is HashiCorp Vault?

HashiCorp Vault is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.

## Pulumi ESC vs. Vault: Similarities {#similarities}

Like Vault, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Vault, secrets can be stored and accessed through a CLI, SDK, or editor interface. Granular access controls can be implemented across all secrets.

## Pulumi ESC vs. Vault: Key Differences {#differences}

There are a few fundamental differences between Vault and Pulumi ESC. First, they differ in licensing: Vault is not open source and uses the Business Source License model, whereas ESC is fully open source and Apache 2.0 licensed. Second, Vault only stores secrets, whereas ESC stores environments, secrets, and configuration. Third, ESC provides composability of collections of secrets and configuration: environments can be composed from multiple other environments, enabling easy inheritance of shared configuration.

## Pulumi ESC and Vault: Better Together

Despite their differences, Pulumi ESC and Vault can be used together for a more powerful way to store and manage infrastructure and application secrets. ESC environments can reference secrets stored in Vault. Through ESC, secrets held in Vault can be organized into collections that are versioned, branched, and composed inside other collections. With ESC, non-secret configuration can be stored alongside the references to secrets in Vault. ESC enhances Vault, and they work better together.
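As an added illustration of the pattern described above (this example is not from the Pulumi documentation), the following ESC environment definition imports a shared environment, logs in to Vault with an identity issued by Pulumi Cloud, reads one secret from Vault, and composes it with plain configuration through interpolation. The Vault address, the JWT role name, the KV path, the `shared-base` environment and the `region` value it is assumed to provide are all hypothetical.

```yaml
# Added example environment, not Pulumi's own. Vault address, role, paths and
# environment names are assumptions for illustration only.
imports:
  - shared-base        # assumed upstream environment that defines `region`

values:
  vault:
    # Authenticate to Vault with a short-lived JWT from Pulumi Cloud. Vault's
    # JWT/OIDC auth method must be configured to trust Pulumi Cloud as issuer;
    # no long-lived Vault token is stored in the environment.
    login:
      fn::open::vault-login:
        address: https://vault.example.internal:8200   # assumed address
        jwt:
          role: pulumi-esc                            # assumed Vault JWT role

    # Read a KV v2 secret. Values returned by the provider are marked secret.
    secrets:
      fn::open::vault-secrets:
        login: ${vault.login}
        read:
          db:
            path: secret/data/app/db                  # assumed KV path

  # Non-secret configuration lives next to the Vault-backed secret.
  app:
    name: orders-api
    # Interpolating a secret into a string keeps the result secret, so the
    # connection string is redacted in the editor, CLI output and logs.
    dbUrl: postgres://app:${vault.secrets.db.data.password}@db.${region}.internal:5432/orders

  # Projections consumed by `esc run`, `esc env open` and Pulumi stacks.
  environmentVariables:
    DATABASE_URL: ${app.dbUrl}
  pulumiConfig:
    app:name: ${app.name}
```

With this definition in place, `esc run myorg/myproject/app-prod -- ./orders-api` (assumed organization, project and environment names) starts the application with `DATABASE_URL` injected, and rotating the password in Vault changes what every downstream environment resolves on its next open, without editing the ESC environments themselves. Because login uses an OIDC/JWT identity rather than a stored token, the Vault audit log records which Pulumi identity opened the environment.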

Here is a summary of the key differences between Pulumi ESC and HashiCorp Vault:

| Feature | Pulumi ESC | Vault |
|---|---|---|
| **Architecture** | | |
| OSS License | Yes, Apache License 2.0 | No, Business Source License 1.1 |
| Hosting/management | Fully managed SaaS service provided by Pulumi Cloud | Offers a hosted cloud service and self-hosting, which requires significant management overhead |
| Key-value Store | Yes | Yes |
| Open Ecosystem | Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. | No, can only store and manage secrets stored in Vault |
| **Developer Experience** | | |
| Editing and Authoring | Yes, supports both a GUI and a powerful document editor with autocomplete, docs on hover, and error checking | Limited, has a JSON editor |
| CLI | Yes, available as the `esc` CLI or the `pulumi` CLI. Supports injecting application secrets as environment variables and modifying secrets. | Limited, has a CLI but lacks the capability to inject secrets as environment variables. The CLI is for modifying secrets only. |
| Client SDKs | Yes | Yes |
| Declarative Provider | Yes, supported via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code | No |
| Composability | Yes, simple setup of hierarchical environments that inherit values from imported environments | No, users have to create the structure themselves |
| Versioning | Yes, entire environments can be versioned and tagged, and imported based on specific version tags or revision numbers | Limited, secrets are individually versioned |
| Values Can Be of Type Secret and Plaintext | Yes | No, values can only be secrets |
| Ability to See Existing Secrets | Yes | No |
| Secret Referencing | Yes, environments can import secrets from another environment. Secrets updated in the referenced environment automatically propagate to downstream environments | No |
| Interpolate Values from Other Values | Yes, new dynamic values can be constructed through string interpolation | No |
| Branching / Personal Configs | Yes, environments can be forked for testing by overriding specific values without rewriting entire environments | No |
| Compare Secrets across Environments | No | No |
| In-built Functions | Yes, support for functions such as `toJSON`, `fromJSON`, `fromBase64`, and `toString` allows data manipulation for any scenario | No |
| **Security and Compliance** | | |
| Audit Logs | Yes | Yes |
| Encrypted Secrets Storage | Yes, TLS is used for encryption in transit, and unique encryption keys per environment are employed for encryption at rest | Yes, Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in Galois/Counter Mode (GCM) with 96-bit nonces |
| Access Controls | Yes | Yes |
| Secure Dynamic Cloud Provider Credentials | Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud. | Limited, requires the usage of root account keys. Only available for AWS. |
| OIDC Provider | Yes, Pulumi Cloud can be used as an OIDC provider from the Pulumi SDK, CLI, UI, and `pulumi-service` provider | Limited, configuring Vault as an OIDC provider is only available from the CLI |



