HashiCorp Vault Use Cases in Indian Banking
In this blog, we will learn about the use cases of Hashicorp Vault in Indian Banking.
The Indian Banking Security Landscape
Modern Indian banks are no longer just traditional branch-driven institutions. They now operate:
- Core Banking Systems (CBS) with 24×7 uptime expectations
- APIs for fintechs, payment apps, and digital lending platforms
- UPI, NEFT, RTGS, and NPCI integrations that must be real-time and secure
- Mobile and Internet Banking portals that serve millions daily
- Regulated integrations with UIDAI, RBI, and GST systems
While the services are digital-first, the way secrets, credentials, and certificates are managed is still manual and fragmented. This creates operational inefficiency, compliance risk, and frequent outages.
Detailed Use Cases with Vault
- Core Banking & Databases
| Aspect | Current Challenge | With Vault |
|---|---|---|
| Credentials | Static DB credentials hardcoded in CBS apps | Vault generates dynamic DB credentials for every request |
| Rotation | Manual resets by DBAs are error-prone | Automatic credential expiry + rotation |
| Compliance | Auditors flag non-rotated passwords | Proves RBI mandate compliance |
Example: A CBS job connecting to Oracle no longer needs a static service account. Instead, Vault issues a credential valid for 30 minutes and revokes it after use.
- Digital Banking APIs
| Aspect | Current Challenge | With Vault |
|---|---|---|
| Key Sharing | Developers/partners receive API keys over email | Vault issues API keys with controlled TTLs |
| Exposure Risk | Keys often get leaked in logs/configs | Keys are centrally managed, not visible to users |
| Alerting | No visibility into key usage | Vault alerts on expiry/rotation events |
Example: When integrating with a fintech for credit scoring, the API key is not hard-coded but pulled dynamically from Vault at runtime.
- Certificates (Internet/Mobile Banking, UPI, Payment Switch)
| Aspect | Current Challenge | With Vault |
|---|---|---|
| Tracking | Excel-based tracking of expiry dates | Vault automates renewal |
| Downtime Risk | Expired cert → mobile banking outage | Zero downtime rotation |
| Audit | Manual evidence gathering | Immutable logs of issuance & revocation |
Example: A UPI switch certificate due to expire in 5 days is renewed automatically by Vault → preventing a critical outage.
- Third-Party Integrations (Fintech, RBI, NPCI, UIDAI)
| Aspect | Current Challenge | With Vault |
|---|---|---|
| Key Exchange | Shared via pen drive/email | Vault ensures controlled exchange |
| Visibility | No central audit trail | Complete visibility for regulators |
| Security | Keys are sometimes misused by partners | Role-based access controls |
Example: NPCI integration keys are distributed through Vault, ensuring usage can be traced to a specific team or partner.
- Application Development (OpenShift, CI/CD, Internal IT)
| Aspect | Current Challenge | With Vault |
|---|---|---|
| Secrets Storage | Developers put secrets in config/code | Vault injects secrets dynamically |
| Compliance | RBI audits flag non-compliant coding | Enforces secure coding practice |
| Speed | Manual config slows deployments | Automated secret injection accelerates CI/CD |
Example: A Kubernetes pod running in OpenShift requests its DB password from Vault dynamically rather than from a hardcoded secret.yaml file.
- Disaster Recovery & Business Continuity
| Aspect | Current Challenge | With Vault |
|---|---|---|
| Secrets Sync | DR site is often out of sync | Vault’s DR replication keeps sites aligned |
| Failover | Complex manual switch | Seamless failover |
| Auditability | No evidence of DR test success | Vault logs prove DR readiness |
Example: During a DR drill, Vault ensures that secrets are instantly available in the DR site without DBA intervention.
Practitioner Takeaway
For IT, security, and DevOps teams, HashiCorp Vault removes the daily pain of secret sprawl. Instead of firefighting expired certs, leaked passwords, or non-compliant configs, Vault provides:
- Dynamic, short-lived credentials
- Automated PKI lifecycle
- Centralized governance and audit trails
