ArmorVault — Managed HashiCorp Vault Enterprise
HashiCorp Vault Enterprise. Fully Managed. Your Secrets Stay Yours.
ArmorVault delivers a dedicated, isolated Vault Enterprise namespace: provisioned in hours, operated by Armorstack, priced by the month. No cluster to run. No platform team to hire. No standing access from anyone, Armorstack included.
The Secrets Problem at Scale
Most mid-market organizations are running Vault the hard way: a self-managed cluster someone stood up three years ago, maintained by one engineer who has since left, with the root token minted at initialization still in circulation because nobody ever revoked it. Or they're managing secrets in environment variables, CI/CD pipelines, and shared password managers and calling it good enough.
It isn't good enough. Stolen or misused credentials remain one of the most common initial access vectors in enterprise breaches. The gap isn't awareness, it's operational capacity. Running Vault Enterprise correctly requires dedicated expertise: HA configuration, namespace isolation, audit pipeline management, token lifecycle hygiene, DR failover, and compliance evidence collection. That's a full-time platform engineering function most organizations can't justify.
ArmorVault closes that gap without requiring you to build it.
A Dedicated Vault Enterprise Namespace. Operated by Armorstack.
The Vault Enterprise cluster is multi-tenant, but nothing you put in it is shared. Every customer gets their own Vault Enterprise namespace, a ns/{slug} boundary inside which your secrets, policies, auth mounts, and identity entities live separately from every other tenant on the platform. A policy written inside the namespace can only name paths inside it.
Armorstack manages the cluster layer: high availability, replication, certificate rotation, operating system patching, backup, and SOC 2-aligned operational procedures. You manage what’s inside your namespace: your secrets, your policies, your authentication configuration.
That boundary is not just contractual. It's architectural. Our platform operators work through just-in-time tokens scoped to your namespace, with every issuance logged to AWS Systems Manager (SSM) for privileged access review. Vault holds no standing credentials for Armorstack personnel.
- Dedicated, isolated, provisioned to your specifications. No shared secret stores.
- BYOK (Bring Your Own KMS Key) available on Enterprise tier. The key material stays in your AWS KMS and Vault uses it only through the access you grant; withdraw that access and what Armorstack holds is ciphertext it cannot decrypt.
- Full Vault audit logs delivered to your S3 bucket, Cloudflare R2 bucket, or syslog target, in your account, under your retention policy.
From Contract to Operational in Hours
1. Intake & Configuration
You specify your authentication method (AppRole, OIDC/SSO, Kubernetes, or Active Directory/LDAP), audit sink destination, compliance framework, and retention requirements. Our provisioning wizard scaffolds the entire Terraform configuration.
2. Namespace Provisioned
Armorstack applies the configuration through Terraform Cloud. Your Vault Enterprise namespace is created, your chosen auth method is mounted and configured, your audit device is wired to your sink, and your access policies are in place.
3. Credential Ceremony
You receive your initial AppRole credentials or OIDC configuration through a guided onboarding flow. No shared secrets, no emailed credentials — your initial access is generated live and displayed once.
4. Ongoing Operations
Armorstack monitors platform health, applies Vault version updates, maintains audit pipeline continuity, and provides break-glass emergency access under dual-control procedures. You operate your namespace through the Vault API, Vault Agent, or the ArmorVault portal.
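The scaffold that steps 1 to 3 describe, written out as an added Terraform example for this page. It is not Armorstack's provisioning wizard output; it assumes the hashicorp/vault provider, a tenant slug of acme, the mount, policy and role names shown, the 4h token ceiling the compliance section cites, and a file audit device at a placeholder path. All of those names and values are illustrative.

```hcl
terraform {
  required_providers {
    vault = {
      source  = "hashicorp/vault"
      version = "~> 4.0"
    }
  }
}

# The provider reads VAULT_ADDR and VAULT_TOKEN from the environment. The token
# is the operator's short-lived root-namespace token, used only for this run.
provider "vault" {}

variable "slug" {
  description = "Tenant slug; becomes the ns/{slug} namespace path"
  type        = string
  default     = "acme" # placeholder
}

variable "app_cidrs" {
  description = "CIDRs the application may log in from"
  type        = list(string)
  default     = ["10.20.0.0/16"] # placeholder
}

# 1. The tenant namespace itself.
resource "vault_namespace" "tenant" {
  path = var.slug
}

# 2. KV v2 mount inside the namespace. path_fq is "acme/" here; every resource
#    below sets it so nothing lands in the root namespace by mistake.
resource "vault_mount" "kv" {
  namespace = vault_namespace.tenant.path_fq
  path      = "secret"
  type      = "kv"
  options   = { version = "2" }
}

# 3. AppRole auth mount for machine clients.
resource "vault_auth_backend" "approle" {
  namespace = vault_namespace.tenant.path_fq
  type      = "approle"
}

# 4. Least-privilege policy. Paths are relative to the namespace, so this
#    policy cannot reference anything outside acme/.
resource "vault_policy" "app_read" {
  namespace = vault_namespace.tenant.path_fq
  name      = "app-read"
  policy    = <<-EOT
    path "secret/data/app/*" {
      capabilities = ["read"]
    }
    path "secret/metadata/app/*" {
      capabilities = ["list"]
    }
  EOT
}

# 5. The AppRole role. token_max_ttl is the 4h ceiling; the SecretID handed
#    over at the credential ceremony is single-use and expires after ten
#    minutes if it is never redeemed.
resource "vault_approle_auth_backend_role" "app" {
  namespace             = vault_namespace.tenant.path_fq
  backend               = vault_auth_backend.approle.path
  role_name             = "app"
  token_policies        = [vault_policy.app_read.name]
  token_ttl             = 3600
  token_max_ttl         = 14400
  token_bound_cidrs     = var.app_cidrs
  secret_id_bound_cidrs = var.app_cidrs
  secret_id_num_uses    = 1
  secret_id_ttl         = 600
}

# 6. Audit device. Audit devices are enabled in the root namespace and record
#    every request cluster-wide; each entry carries request.namespace.path,
#    which the delivery pipeline (assumed, not shown) filters on so only
#    acme/ entries reach the tenant's sink.
resource "vault_audit" "tenant_file" {
  type = "file"
  path = "${var.slug}-audit"
  options = {
    file_path     = "/var/log/vault/${var.slug}-audit.log" # placeholder
    hmac_accessor = "true"
  }
}

output "role_id" {
  value = vault_approle_auth_backend_role.app.role_id
}
```

Deliberately absent: the SecretID. Creating it in Terraform would write it to state. One way to produce it at the credential ceremony so it is shown exactly once is response wrapping, for example `vault write -namespace=acme -wrap-ttl=10m -f auth/approle/role/app/secret-id`, which returns a single-use wrapping token rather than the SecretID itself.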
What’s Included at Every Tier
| Capability | Detail |
|---|---|
| Secret engines | KV v2, PKI, Database, AWS, SSH, Transit (encryption-as-a-service) |
| Authentication methods | AppRole, OIDC (Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace), Kubernetes, LDAP/Active Directory |
| Audit logging | All requests logged; delivered to S3, Cloudflare R2, or syslog |
| Audit retention | Customer-configurable; default 365 days |
| High availability | Multi-node Vault Enterprise cluster with automatic leader failover |
| Replication | DR and performance replication for Enterprise tier |
| Backup & recovery | Daily namespace configuration backup; 30-day retention; RTO 4h |
| Monitoring | Prometheus metrics endpoint; Grafana dashboards; platform health portal |
| Self-service portal | AppRole credential rotation, namespace health, TFC run management |
| BYOK encryption | Customer-managed AWS KMS key for namespace encryption (Enterprise) |
| Support | Zendesk ticketing portal; P1 response within 1 hour on Professional and Enterprise tiers (Foundation: P2 response within 4 hours) |
Built to Satisfy the Frameworks Your Auditors Care About
ArmorVault is designed for regulated mid-market organizations. Compliance framework selection at onboarding tightens token TTLs, audit retention requirements, and operational controls to match your audit obligations.
- SOC 2 Type II — Audit pipeline continuity, privileged access review (PAR) evidence, platform change management
- HIPAA — Namespace isolation, encryption at rest and in transit, BAA available, operator access controls
- PCI DSS — Hardened token lifetimes (4h maximum), full cardholder data environment audit logging
- NERC CIP — Operational technology secrets separation, compliance-aware access TTL enforcement
- CMMC 2.0 — CUI handling requirements, audit evidence collection, access review documentation
Evidence delivery: Every privileged access event generates a structured AWS Systems Manager (SSM) audit record. Monthly PAR (Privileged Access Review) reports are available on demand, formatted for SOC 2 CC6.3 / CC6.6 evidence submission.
Straightforward Monthly Pricing. No Seat Licenses. No Usage Surprises.
Pricing is based on active client entities — the number of machines, applications, or services authenticating to your namespace.
Foundation
- Up to 25 active client entities
- AppRole or OIDC authentication
- S3 audit logging
- Standard support (P2: 4h response)
One-time onboarding fee: $7,500
Best for: small engineering teams, single-application secrets management, initial Vault adoption.
Professional
- Up to 100 active client entities
- AppRole, OIDC, or Kubernetes auth
- S3 or Cloudflare R2 audit logging
- SOC 2 or HIPAA compliance mode
- Priority support (P1: 1h response)
One-time onboarding fee: $15,000
Best for: multi-application environments, regulated deployments, teams replacing self-managed Vault.
Enterprise
- 250+ active client entities
- All auth methods incl. LDAP/AD
- BYOK (Bring Your Own KMS Key)
- All compliance frameworks
- Performance replication
- Dedicated account management
One-time onboarding fee: $25,000
Best for: enterprise credential programs, multi-team deployments, full cryptographic separation.
Entity overage: $25/entity/month above tier limit. Annual contracts available. Contact us for multi-tenant and reseller pricing.
Why “Managed” Doesn’t Mean “They Can Read Your Secrets”
The objection every CISO raises: if Armorstack runs the infrastructure, can Armorstack read our secrets? The architecture is designed so the answer is a no you can check against your own key management and audit logs, not one you have to take on trust.
Namespace isolation
Your secrets live in a Vault Enterprise namespace separated from every other tenant by Vault's namespace boundary: policies, auth mounts, and identity entities are scoped to the namespace, and a policy inside it cannot name a path that belongs to another tenant. Operator access crosses that boundary only through the just-in-time tokens described below, never through a standing cross-namespace administrative credential.
BYOK
On Enterprise tier, you supply an AWS KMS key that Armorstack never holds: the key material stays inside your KMS, and Vault uses it only through the access you grant. Your namespace's secrets are encrypted at rest under that key, so without it the stored data is ciphertext.
Just-in-time operator access
When Armorstack platform engineers need access to your namespace (for example, during a P1 incident), they issue a token scoped to your namespace with a hard 8-hour TTL. That token is generated from a break-glass Vault role, requires dual-control authorization (a named approver), and every issuance is permanently logged to AWS Systems Manager (SSM). There are no standing operator credentials, so an operator token that appears in your audit log without a matching approval record is itself a finding.
Audit delivery to your account
Vault audit logs are shipped to your S3 bucket or your Cloudflare R2 bucket — in your cloud account. Armorstack does not hold copies. You can verify every operation independently.
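What those delivered logs let you verify, as an added example written for this page rather than Armorstack's own tooling. It reads Vault audit entries in JSON-lines form, keeps only requests inside the tenant namespace made with a token carrying an assumed operator policy name (armorstack-breakglass), and flags three conditions: an operator token whose recorded TTL exceeds the 8-hour ceiling, an operator request with no matching approval record, and an operator request made outside the 8-hour window that follows its approval. The audit lines, the approval records (an assumed shape for the SSM/PAR export), the namespace name and the accessor strings are all constructed for the example.

```python
"""Review operator (break-glass) activity in a tenant's delivered Vault audit log."""
import json
from datetime import datetime, timedelta

OPERATOR_POLICY = "armorstack-breakglass"  # assumed policy name on operator tokens
OPERATOR_MAX_TTL = timedelta(hours=8)      # the hard ceiling stated above
TENANT_NS = "acme/"                        # request.namespace.path of this tenant (assumed)

# Constructed audit entries. Vault's audit device HMACs token fields, so the
# accessor is compared as an opaque string. Lines are in time order; the last
# one reuses an operator accessor well past its approval window on purpose.
SAMPLE_AUDIT_LOG = "\n".join([
    '{"time":"2024-05-01T12:00:02Z","type":"request","auth":{"accessor":"hmac-sha256:app1","policies":["default","app-read"],"token_ttl":3600},"request":{"operation":"read","path":"secret/data/app/db","namespace":{"id":"n1","path":"acme/"},"remote_address":"10.20.4.7"}}',
    '{"time":"2024-05-01T12:05:00Z","type":"request","auth":{"accessor":"hmac-sha256:op-a","policies":["default","armorstack-breakglass"],"token_ttl":28800},"request":{"operation":"list","path":"sys/leases/lookup/","namespace":{"id":"n1","path":"acme/"},"remote_address":"10.0.9.3"}}',
    '{"time":"2024-05-01T12:05:00Z","type":"response","auth":{"accessor":"hmac-sha256:op-a","policies":["default","armorstack-breakglass"],"token_ttl":28800},"request":{"operation":"list","path":"sys/leases/lookup/","namespace":{"id":"n1","path":"acme/"}},"response":{"data":{"keys":["auth/","database/"]}}}',
    '{"time":"2024-05-01T13:00:00Z","type":"request","auth":{"accessor":"hmac-sha256:op-b","policies":["default","armorstack-breakglass"],"token_ttl":86400},"request":{"operation":"read","path":"secret/data/app/api-key","namespace":{"id":"n1","path":"acme/"},"remote_address":"10.0.9.8"}}',
    '{"time":"2024-05-01T13:10:00Z","type":"request","auth":{"accessor":"hmac-sha256:op-c","policies":["default","armorstack-breakglass"],"token_ttl":28800},"request":{"operation":"read","path":"secret/data/billing/db","namespace":{"id":"n2","path":"other/"},"remote_address":"10.0.9.3"}}',
    '{"time":"2024-05-01T21:30:00Z","type":"request","auth":{"accessor":"hmac-sha256:op-a","policies":["default","armorstack-breakglass"],"token_ttl":28800},"request":{"operation":"read","path":"secret/data/app/db","namespace":{"id":"n1","path":"acme/"},"remote_address":"10.0.9.3"}}',
])

# Constructed approval records in an assumed export shape: one per issued
# operator token, keyed by the HMAC'd accessor the audit log also carries.
SAMPLE_APPROVALS = [
    {"accessor": "hmac-sha256:op-a", "approver": "j.doe", "approved_at": "2024-05-01T12:00:00Z", "ticket": "INC-1042"},
]


def parse_audit(text):
    """Audit devices emit one JSON object per line; skip blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def operator_requests(entries, namespace=TENANT_NS):
    """Request entries in the tenant namespace made with an operator token."""
    out = []
    for entry in entries:
        if entry.get("type") != "request":
            continue  # response entries duplicate the request context
        ns_path = entry.get("request", {}).get("namespace", {}).get("path")
        if ns_path != namespace:
            continue  # another tenant, or the root namespace
        if OPERATOR_POLICY not in entry.get("auth", {}).get("policies", []):
            continue  # ordinary application token
        out.append(entry)
    return out


def review(audit_text, approvals, namespace=TENANT_NS):
    """Return a list of findings, one dict per violated control."""
    by_accessor = {a["accessor"]: a for a in approvals}
    findings = []
    ttl_flagged = set()
    for entry in operator_requests(parse_audit(audit_text), namespace):
        accessor = entry["auth"]["accessor"]
        when = _ts(entry["time"])
        ttl = timedelta(seconds=entry["auth"].get("token_ttl", 0))

        # Control 1: the break-glass role must not issue tokens beyond 8h.
        if ttl > OPERATOR_MAX_TTL and accessor not in ttl_flagged:
            ttl_flagged.add(accessor)
            findings.append({"accessor": accessor, "issue": "ttl_exceeds_ceiling",
                             "detail": int(ttl.total_seconds())})

        # Control 2: every operator token must trace back to a named approver.
        approval = by_accessor.get(accessor)
        if approval is None:
            findings.append({"accessor": accessor, "issue": "no_approval_record",
                             "detail": entry["request"]["path"]})
            continue

        # Control 3: use must fall inside the 8h window opened by the approval.
        approved_at = _ts(approval["approved_at"])
        if not (approved_at <= when <= approved_at + OPERATOR_MAX_TTL):
            findings.append({"accessor": accessor, "issue": "outside_approval_window",
                             "detail": entry["time"]})
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_AUDIT_LOG, SAMPLE_APPROVALS):
        print(json.dumps(finding))
```

Run against the constructed input this reports three findings, all for the two operator accessors: op-b with a 24-hour TTL and no approval, and op-a used ninety minutes after its approval window closed. The application token and the other tenant's traffic are ignored, which is the point of filtering on request.namespace.path rather than on the secret path alone.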
ArmorVault Is the Right Fit When…
- Your team evaluated HashiCorp Vault Enterprise and concluded the operational burden doesn’t fit your headcount.
- You need a defensible secrets management program for a SOC 2, HIPAA, PCI, or CMMC audit and need it operational this quarter — not next year.
- You’re running AI agents, automated pipelines, or microservices that need dynamic, short-lived credentials instead of static API keys stored in environment files.
- You had a secrets-related incident (or near-miss) and need to demonstrate to your board that the problem is solved.
- You're already running HashiCorp Vault, but it's understaffed and under-monitored, and the person who built it has left.
ArmorVault is not the right fit if you have a dedicated Vault platform engineering team, require an on-premises or air-gapped deployment, or need Vault Community Edition (open source) pricing.
Part of the Armorstack SENTRY Portfolio
ArmorVault is the managed infrastructure offering within the SENTRY cybersecurity portfolio. It pairs with:
- SENTRY MDR — Threat detection and response that can ingest Vault audit logs as a signal source for credential-based attack detection.
- SENTRY Pulse — AI-powered security observability, including detection of secrets exfiltration and unauthorized namespace access patterns.
- VERITY vCISO — Strategic advisory for organizations building a full credential governance program around ArmorVault.
Existing SENTRY and CORE clients receive preferred onboarding pricing.
Accepting New Clients Now
ArmorVault is in production and accepting new clients. The namespace itself is provisioned in hours; end-to-end onboarding (namespace provisioned, credentials issued, audit pipeline live) typically completes within one week of contract execution.
What happens when you reach out:
- 30-minute discovery call to confirm fit and scope
- Pilot proposal with recommended tier and compliance mode
- MSA execution + onboarding fee
- Namespace provisioned within 5 business days
Contact: [email protected] · 877-890-5508
Request a Pilot
The pilot is your first namespace — provisioned, isolated, and operational within a week.