HashiCorp Vault sync

Sync secrets with your own HashiCorp Vault (KV v2) over AppRole auth: push, pull, or bidirectional sync with conflict detection.

Updated Jun 23, 2026

VaultTerm can synchronize secrets with a HashiCorp Vault you already run. This keeps VaultTerm as your access broker and human-facing vault while letting machine workloads continue to read from HashiCorp Vault — without maintaining two disconnected copies by hand.

HashiCorp Vault sync is an Enterprise capability.

Authentication: AppRole

Connections authenticate to your Vault using AppRole. You configure the Vault address, a RoleID and SecretID, and the KV v2 mount and path that VaultTerm should read from or write to. VaultTerm exchanges the AppRole credentials for a Vault token at sync time rather than holding a long-lived root token. Connection setup and each sync are audited (HCV_CONNECTION_CREATED, HCV_SECRET_SYNCED).

Sync directions

A connection runs in one of three modes:

| Mode | Behavior |
| --- | --- |
| Push | Write VaultTerm credentials out to a path in your Vault (KV v2). |
| Pull | Import secrets from your Vault into VaultTerm. |
| Bidirectional | Keep both sides in sync, with conflict detection when the same key changed on both. |

In bidirectional mode, when a key has diverged on both sides between syncs, VaultTerm flags the conflict rather than silently overwriting either copy, so you can resolve it deliberately.
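One way to detect this kind of divergence is a three-way comparison against the state recorded at the previous sync. The sketch below is an added example, not VaultTerm's own code, and the page does not describe VaultTerm's algorithm. The function names, the keyed-fingerprint baseline and the sample records are all assumptions made for illustration.

```python
import hashlib
import hmac

# Hypothetical key protecting the sync-state store; constructed for the example.
STATE_KEY = b"example-state-key-not-a-real-secret"


def fingerprint(value):
    """Keyed digest of a secret value; None marks a key that does not exist."""
    if value is None:
        return None
    return hmac.new(STATE_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()


def plan_sync(baseline, local, remote):
    """Classify each key by comparing both sides to the last-synced baseline.

    baseline: {key: fingerprint} recorded after the previous sync
    local / remote: {key: value} as currently read from each side
    Returns {key: "in_sync" | "push" | "pull" | "conflict"}.
    """
    plan = {}
    for key in sorted(set(baseline) | set(local) | set(remote)):
        base = baseline.get(key)
        loc = fingerprint(local.get(key))
        rem = fingerprint(remote.get(key))
        if loc == rem:
            plan[key] = "in_sync"    # same value, or deleted on both sides
        elif rem == base:
            plan[key] = "push"       # only the local side changed (or deleted)
        elif loc == base:
            plan[key] = "pull"       # only the remote side changed (or deleted)
        else:
            plan[key] = "conflict"   # diverged on both sides: flag, never overwrite
    return plan


# Constructed sample data, not real credentials.
previous = {"db/password": "old-pw", "api/token": "tok-1", "smtp/password": "mail-1"}
BASELINE = {k: fingerprint(v) for k, v in previous.items()}
LOCAL = {"db/password": "new-pw-A", "api/token": "tok-2",
         "smtp/password": "mail-1", "ssh/passphrase": "created-locally"}
REMOTE = {"db/password": "new-pw-B", "api/token": "tok-1",
          "smtp/password": "mail-2", "ssh/passphrase": "created-remotely"}

if __name__ == "__main__":
    for key, action in plan_sync(BASELINE, LOCAL, REMOTE).items():
        print(f"{key:16} {action}")
```

The baseline holds keyed digests rather than secret values, so the sync-state store does not become a third copy of the credentials, and a key created independently on both sides with different values is reported as a conflict even though no baseline entry exists for it.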

A note on Transit-sealed master keys

Syncing secret contents with HashiCorp Vault is separate from sealing VaultTerm’s master key under a Vault Transit key. The two can be used together or independently:

  • KV v2 sync (this page) moves credential records between VaultTerm and your Vault.
  • Transit seal wraps VaultTerm’s master key with a key that never leaves your Vault, so the master key is only usable when Vault unseals it. See Cryptography.

Choosing the seal mode and supplying the connection details is part of key configuration — see Keys and licensing configuration.