Vault is a secrets store from HashiCorp, the recognized "solvers" of modern infrastructure problems and authors of Vagrant, Consul, Terraform, Otto and others. Secrets are stored as key-value pairs, and the store is accessed exclusively through its API.
Main features of Vault:
All data is stored in an encrypted container. Getting the container itself does not expose the data.
Flexible access policies. You can create as many tokens for accessing and managing secrets as you need, and grant each of them only the permissions that are necessary and sufficient for its job.
Ability to audit access to secrets. Each request to Vault will be logged for later auditing.
Support for encrypting and decrypting data without storing it in Vault. This is convenient for passing encrypted data over insecure communication channels.
Full secret lifecycle support: create/revoke/expire/renew.
An über-feature whose importance is hard to overstate: the ability to run your own CA (Certificate Authority) for managing self-signed certificates within your infrastructure.
The /cubbyhole backend, which gives a token its own private secret store that is not readable even by other root tokens.
Ready-made modules and plugins for popular configuration management systems.
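As an added illustration of the "necessary and sufficient" policies mentioned above (this is not from the original post), here is a least-privilege Vault policy for a hypothetical "billing" service; the secret path and the transit key name are assumptions chosen for the example.

```hcl
# Added example, not from the original post. The "billing" paths are assumed.

# Read-only access to the service's own secrets: no list, create, update or delete.
path "secret/billing/*" {
  capabilities = ["read"]
}

# The service may encrypt and decrypt with one named transit key (these endpoints
# take POST, hence "update"), but cannot read the key material or reconfigure the key.
path "transit/encrypt/billing" {
  capabilities = ["update"]
}
path "transit/decrypt/billing" {
  capabilities = ["update"]
}

# Everything not listed is denied by default, so a token bound to this policy
# cannot reach other services' secrets or Vault's own configuration.
```

A token restricted to this policy is issued with `vault token create -policy=billing`, and every request it makes is still recorded by the audit backend.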
For us, Vault solves the problems of transferring secrets over insecure channels, of fault-tolerant secret storage, and of flexible access separation and auditing. I also plan to use Vault as my own CA.