HashiCorp confirmed that HCP Vault Secrets reaches end-of-life on July 1, 2026. After that date, the service will be shut down — no data access, no API calls, no exports.
If your team is using HCP Vault Secrets today, you have a hard deadline. This post covers what HCP Vault Secrets was, why it’s being shut down, and what a practical migration looks like.
What HCP Vault Secrets was
HCP Vault Secrets was HashiCorp’s managed secrets product — a cloud-hosted service for storing and syncing application secrets. Unlike self-hosted Vault (the open-source product), HCP Vault Secrets handled infrastructure management, provided a web UI, and offered sync integrations with AWS, GCP, Azure, and GitHub Actions.
It was positioned as the “easy” Vault: no clusters to manage, no unsealing ceremonies, no Vault agents to deploy. You stored secrets in the UI and referenced them via the SDK or CLI.
Why it’s shutting down
HashiCorp hasn’t published a detailed rationale, but the context is clear. After IBM’s acquisition of HashiCorp in 2024, the portfolio is being rationalized. HCP Vault Secrets competed with IBM’s own secrets management offerings and with the core self-hosted Vault product that enterprises pay significant license fees for.
The managed “easy” tier competes with the upsell to enterprise Vault. It’s going away.
Who this affects
HCP Vault Secrets was popular with:
- Early-stage startups that needed a simple secrets store without devops overhead
- Teams using Terraform Cloud that wanted native HCP integration
- Developer-led teams that didn’t want to manage a Vault cluster
- Organizations that specifically wanted the sync-to-GitHub-Actions feature
If any of that describes your setup, July 1 is your hard stop.
Migration options
Option 1: Self-hosted Vault OSS
The most obvious migration is to HashiCorp Vault open-source. You own the cluster, you own the data, there’s no service shutdown risk.
The tradeoff: you’re now managing infrastructure. Vault OSS requires a properly sealed cluster, backup procedures, TLS configuration, and ongoing maintenance. For small teams, this is often more operational burden than the problem was worth.
Vault OSS also doesn’t have native MCP integration — you’d need to build or maintain a Vault-to-MCP bridge yourself.
Option 2: AWS Secrets Manager / GCP Secret Manager / Azure Key Vault
Cloud-native secrets managers are the enterprise default. If you’re already deep in one cloud provider, this is likely the lowest-friction migration.
The downsides: cloud secrets managers are designed for application workloads, not for developer workflows. They don’t have MCP integration. They require IAM configuration that’s easy to misconfigure. And they don’t work well for teams that work across multiple cloud providers.
Option 3: 1Password Secrets Automation
1Password extended beyond password management into developer secrets. Their Secrets Automation product is well-designed and has good CI/CD integrations.
The limitation: it’s built around the 1Password data model, which doesn’t naturally map to the app/environment/secret hierarchy that modern multi-service deployments need. MCP integration doesn’t exist natively.
Option 4: OpaqueVault
OpaqueVault is the option specifically designed for teams using AI coding agents.
The key differences:
Zero-knowledge encryption. HCP Vault Secrets stored your secrets server-side in a way that HashiCorp could decrypt. OpaqueVault encrypts client-side before anything reaches the server — the API stores ciphertext only, with no decryption capability.
MCP-native. OpaqueVault runs as an MCP server alongside your AI agent. Instead of configuring credentials in your IDE config files, you tell Claude to use vault_run to execute commands that need credentials. The AI never sees the plaintext values.
Multi-app namespacing. Secrets are organized as app/environment/name — my-saas/production/DATABASE_URL, my-saas/staging/DATABASE_URL. This maps directly to how teams actually manage secrets across services and environments, without the flat-namespace collision problems that plague simpler tools.
Post-quantum cryptography. OpaqueVault uses ML-KEM-768 + X25519 hybrid key encapsulation. The same encryption that protects your secrets today will hold up against quantum adversaries.
The migration path from HCP Vault Secrets
If you’re moving from HCP Vault Secrets to OpaqueVault, the process is:
1. Export your secrets before July 1
HCP Vault Secrets has an export feature in the UI and via the CLI. Run the export now, not in June. Service sunset notices often come with “export by X” deadlines that are earlier than the EOL date.
```bash
# Export using the HCP CLI
hcp vault-secrets secrets list --app=<app-name> --format=json > secrets-export.json
```
Do this for every app in your HCP Vault Secrets organization.
2. Install OpaqueVault and initialize your vault
```bash
# Install
brew install opaquevault-brew/tap/ov

# Initialize with master password
ov vault init
```
The vault is initialized locally. Your master password is never sent anywhere — it derives the Key Encryption Key via Argon2id, client-side.
3. Create your secret namespace structure
Map your HCP Vault Secrets apps to the OpaqueVault app/environment/name hierarchy:
```bash
# For each secret in your export
ov secret create my-saas/production/DATABASE_URL
ov secret create my-saas/production/STRIPE_SECRET_KEY
ov secret create my-saas/staging/DATABASE_URL
```
4. Update your AI agent configuration
Add OpaqueVault as an MCP server in your IDE config:
```json
{
  "mcpServers": {
    "opaquevault": {
      "command": "ov",
      "args": ["mcp", "serve"]
    }
  }
}
```
Remove any raw credentials that were previously in the config. They don’t need to be there anymore.
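A check for the cleanup in step 4, added here as an example and not part of OpaqueVault or the original post: it searches an IDE config for any value from your export and reports only the secret's name and its JSON path, never the value. The name-to-value layout of `EXPORTED`, the `billing-tools` entry and all sample values are constructed assumptions.

```python
import json

# Constructed sample: the step 1 export reduced to name -> value.
# The real export layout is an assumption; adapt the loading step to it.
EXPORTED = {
    "DATABASE_URL": "postgres://app:s3cr3t-constructed@db.internal/app",
    "STRIPE_SECRET_KEY": "sk_test_constructed_0000",
}

# Constructed IDE config: "opaquevault" is the entry from the page,
# "billing-tools" is a hypothetical leftover that still carries raw values.
CONFIG_TEXT = """
{
  "mcpServers": {
    "opaquevault": {"command": "ov", "args": ["mcp", "serve"]},
    "billing-tools": {
      "command": "node",
      "args": ["server.js", "--db=postgres://app:s3cr3t-constructed@db.internal/app"],
      "env": {"STRIPE_SECRET_KEY": "sk_test_constructed_0000", "LOG_LEVEL": "info"}
    }
  }
}
"""

def walk_strings(node, path=""):
    """Yield (json_path, string) for every string value in a parsed JSON tree."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from walk_strings(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from walk_strings(child, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def scan_config_text(config_text, secrets, min_len=8):
    """Return sorted (json_path, secret_name) pairs where a secret value appears.
    Values shorter than min_len are skipped so trivial strings do not match."""
    hits = set()
    for path, text in walk_strings(json.loads(config_text)):
        for name, value in secrets.items():
            if len(value) >= min_len and value in text:
                hits.add((path, name))
    return sorted(hits)

if __name__ == "__main__":
    for path, name in scan_config_text(CONFIG_TEXT, EXPORTED):
        print(f"raw value of {name} still present at {path}")
```

The same function can be pointed at any other JSON file that used to hold credentials; an empty result means none of the exported values remain in it.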
5. Update CI/CD integrations
For GitHub Actions, replace HCP Vault Secrets sync with the OpaqueVault CLI:
```yaml
- name: Fetch secrets
  run: |
    ov secret export my-saas/production > .env
  env:
    OV_SESSION_TOKEN: ${{ secrets.OV_SESSION_TOKEN }}
```
Timeline
- Now: Export all HCP Vault Secrets data
- April–May: Migrate to your chosen replacement, test thoroughly
- June 1: Should be fully migrated and not relying on HCP Vault Secrets
- July 1: HCP Vault Secrets EOL — service shuts down
The July 1 deadline is fixed. Start the migration now.
OpaqueVault is an MCP-native, zero-knowledge secret vault. Encrypted client-side, stored as ciphertext, injected into AI agent workflows without the agent ever seeing plaintext values.