What happens to secrets after their lease duration has expired?

When a secret's lease duration expires in HashiCorp Vault, it undergoes an automatic deletion process. This is a key characteristic of Vault’s security and operational model, designed to ensure that sensitive data does not linger longer than necessary, mitigating the risk of unauthorized access.

The automatic deletion feature means that once the lease is no longer valid, the secret is unrecoverable through the Vault interface. This mechanism ensures that only secrets currently in use, and actively renewed, remain accessible. It emphasizes Vault's principle of dynamic secrets, where secrets are ephemeral in nature and tied to a specific lease time for enhanced security.

Given this operation, secrets do not remain accessible after their lease has expired nor do they enter a read-only state. They also do not become publicly available since security and controlled access are primary tenets of Vault's design. This strict management of secret leases directly contributes to better security hygiene and minimizes the risk of stale secrets, which could be targeted for exploitation.