HCP Vault Secrets Retirement Before June 30, — when and how should I migrate?
Teams still storing app secrets in HCP Vault Secrets need to choose a migration target before the service retirement window closes. As of 2026-03-19, HashiCorp says HCP Vault Secrets is retired as of 2026-06-30 in the Flex pricing table, while the Help Center says end of life is the earlier of Flex contract expiry or 2026-07-01.
Blockers
- package/hcp-vault-secrets — EOL 2026-06-30
- Migration changes the operating model from HCP IAM roles and apps to admin tokens, policies, secrets engines, and namespaces
- Lock-in via capability/namespaces
- Lock-in via capability/disaster-recovery-replication
- Lock-in via capability/performance-replication
- Lock-in via capability/secrets-sync
Who this is for
- low-ops
- cost-sensitive
- enterprise
- compliance
Candidates
Migrate to HCP Vault Dedicated
HCP Vault Dedicated is HashiCorp's managed Vault Enterprise offering on HCP and is the primary migration target named in the HCP Vault Secrets retirement guidance. As of 2026-03-19, the HCP changelog shows Vault 1.21.2 rolling out on AWS and Azure for HCP Vault Dedicated clusters. As of 2026-03-19, the official Flex pricing table lists Development clusters at "$0.030/hr" and Standard clusters starting at "$1.578/hr" for small size with Silver Support, with Plus small starting at "$1.843/hr"; billing also adds per-client charges starting at "$112.168/month" for the first 1-9 clients on Silver Support. It also preserves enterprise-only capabilities that Community lacks, including namespaces, disaster recovery replication, performance replication, and secrets sync.
When to choose
Best for "enterprise" + "compliance" + "low-ops" teams, especially if HCP Vault Secrets was production infrastructure rather than a dev-only convenience. This is the safer default when you need managed operations, single-tenant clusters, and enterprise isolation and recovery features that HashiCorp documents as unavailable in Community.
Tradeoffs
You keep a managed HashiCorp service and gain Vault Enterprise capabilities, but the cost floor is materially higher than HCP Vault Secrets and billing includes both cluster hours and client counts. Migration also changes the operating model from HCP IAM roles and apps to admin tokens, policies, secrets engines, and namespaces.
Cautions
Do not treat this as a like-for-like SKU swap. HashiCorp's migration guide calls out model changes such as "App" to secrets engine, HCP IAM roles to Vault policies, and HCP projects to Vault namespaces; client code must handle the Vault API and often the "X-Vault-Namespace" header. Also note the HCP changelog says workload identity federation for HCP Vault Dedicated cluster auth methods and secrets engines is not currently supported.
Migrate to Vault Community Edition
Vault Community Edition is the self-managed open source Vault deployment model that HashiCorp lists as the other official migration path from HCP Vault Secrets. As of 2026-03-19, HashiCorp's Vault edition guide says Community supports a self-managed deployment model only, while HCP-managed deployment is reserved for Enterprise via HCP Vault Dedicated. The same guide says Community lacks namespaces, disaster recovery replication, performance replication, secrets import, and secrets sync. HashiCorp's own edition tutorial states Community may not meet production requirements and is a valid fit for proof-of-concept and non-production developer use.
When to choose
Best for "cost-sensitive" teams that can accept self-management and do not need enterprise isolation, sync, or disaster recovery features. It is the stronger choice only when avoiding HCP recurring spend matters more than reducing operational risk.
Tradeoffs
There is no HCP managed-service bill, but your team becomes responsible for design, deployment, security, reliability, scaling, and upgrades. You also give up enterprise features that often matter once secrets management becomes shared production infrastructure.
Cautions
HashiCorp's docs explicitly route Community users into self-managed production guidance such as integrated storage, hardening, and Kubernetes deployment tutorials. That means the migration is not just data movement; it also creates ownership for cluster topology, storage, unseal strategy, backup, and operations that HCP Vault Dedicated would otherwise absorb.
Try with your AI agent
$ npm install -g pocketlantern $ pocketlantern init # Restart Claude Code, Cursor, or your MCP client, then ask: # "HCP Vault Secrets Retirement Before June 30, — when and how should I migrate?"