GlassbreakGlassbreak

Glassbreak vs HashiCorp Vault: Recovery Compared

Glassbreak Team · Published 2026-07-17 · Facts checked 2026-07-17

HashiCorp Vault and Glassbreak both use Shamir's Secret Sharing to avoid a single point of compromise — but Vault applies it to unsealing a running secrets-management service, while Glassbreak applies it to a human team approving access to a secret. Every claim about Vault below links to HashiCorp's own public documentation, checked 2026-07-17.

What Vault's operational recovery solves

Vault protects stored data through a layered key hierarchy, per HashiCorp's Seal/Unseal documentation: most data is encrypted by a key inside a keyring, the keyring itself is encrypted by a root key, and the root key is encrypted by an unseal key. When Vault starts, it's "sealed" — it can access its physical storage but can't decrypt anything until the unseal key is reconstructed.

Rather than a single unseal key held by one person, Vault splits it using Shamir's Secret Sharing by default. Running vault operator init with no flags generates 5 key shares with a threshold of 3 required to reconstruct the root key — operators submit shares one at a time until the threshold is met. For deployments using auto-unseal (an HSM or a cloud KMS handles the actual unsealing), Vault instead generates recovery keys, also via Shamir's Secret Sharing — these can't decrypt the root key directly but authorize operations like re-keying or seal migration.

HashiCorp's own sealing best-practices documentation recommends PGP-encrypting each key shard (supported directly by init command flags), running quarterly unseal drills so operators can respond when needed, and tying key-holder access to enterprise user lifecycle management.

Where the two threshold models differ

Infrastructure operators vs. team members. Vault's Shamir shares are designed for a defined set of ops or security personnel responsible for keeping the service running — HashiCorp's best-practices page frames it explicitly as an operational discipline, with drills and lifecycle-management tie-ins. Glassbreak applies the same underlying primitive to a broader and different audience: any team member who needs to be part of an approval quorum, whether or not they're an infrastructure operator.

Unsealing a service vs. releasing a secret to people. Vault's threshold model exists to get Vault itself back into an operating state so it can resume serving secrets to applications. Glassbreak's threshold model exists to release a specific secret directly to the humans who need it — there's no intermediate "now the service can serve requests" step, because there's no service in between beyond a relay.

What's protected outside Vault. Vault's recovery model, as documented, is scoped to Vault's own key hierarchy — it doesn't cover credentials or runbooks that live outside Vault, including, notably, whatever your team uses to reach Vault's own operators in an emergency. Glassbreak covers that adjacent gap: the runbook for what to do if Vault itself is unreachable, the escalation contact list, and any recovery credential that isn't itself Vault-managed.

Alerting and escalation. Vault's documented Shamir process is a manual, operator-driven sequence: submit shares, reach the threshold, service resumes. Glassbreak adds emergency messaging, call trees, playbooks, and automatic escalation on top of the approval mechanism, so the right people are notified a break-glass event is happening rather than needing to already know to act.

Choose Vault if…

If your requirement is dynamic secrets management at infrastructure scale — database credentials, PKI, API tokens served to applications with policy-based access and audit logging — Vault, with its Shamir-based unseal and optional auto-unseal/recovery-key model, is the mature, purpose-built tool, and Glassbreak isn't trying to replace it. Teams running Vault should keep HashiCorp's documented operational practices (PGP-encrypted shards, drills, lifecycle-tied access) exactly as recommended.

Glassbreak is the better fit for what sits just outside Vault's scope: the human-facing incident response when Vault itself is down or its own unseal/recovery key holders are unreachable, and any credential or runbook that was never going to live inside Vault in the first place.

The comparison

HashiCorp VaultGlassbreak
What the threshold protectsVault's own unseal key / root key, or auto-unseal recovery keysA specific team secret, released directly to approvers
Default split5 shares, threshold 3 (configurable)T-of-N, T at least 2 (configurable per secret)
Who holds sharesInfrastructure operators, per documented best practiceAuthorized team members, not necessarily infrastructure operators
Recovery processManual share submission or auto-unseal via HSM/KMSQuorum approval relayed between devices
AlertingNot a documented feature of the seal processEmergency messaging, call trees, playbooks, automatic escalation
ScopeVault's own key hierarchy and the secrets it managesAny team secret, including credentials and runbooks outside Vault

Getting started

Glassbreak's Free plan supports one team of up to 5 members, 2 responder seats, and 10 encrypted secrets — enough to set up quorum recovery for the runbooks and credentials that sit outside your Vault deployment, including who to reach if Vault itself is down. Team ($15) and Business ($39) plans, billed per responder seat, add unlimited secrets, playbooks, and escalation rules. Read the full cryptographic design on the security page and the two-cloud infrastructure behind it on how it works, or see the broader category framing in Glassbreak vs Secrets Managers. Paid billing is rolling out during early access — you can request early access today, and the Free plan has no time limit while you wait.

Frequently asked questions

Is Glassbreak a Vault replacement?
No. Vault is built to serve dynamic, rotating secrets to applications and infrastructure at scale — database credentials, API tokens, PKI certificates. Glassbreak doesn't attempt any of that. It's built for the narrower case of secrets a human team needs to reach together, including the credentials that get Vault itself back online.
Does Vault already use quorum-based key splitting?
Yes, for its own unseal process. Per [HashiCorp's Seal/Unseal documentation](https://developer.hashicorp.com/vault/docs/concepts/seal), Vault splits its unseal key using Shamir's Secret Sharing, and [vault operator init defaults to 5 shares with a threshold of 3](https://developer.hashicorp.com/vault/docs/commands/operator/init) needed to reconstruct the root key. That's the same cryptographic primitive Glassbreak uses — applied to unsealing Vault itself, not to a team's day-to-day secrets.
What are Vault's recovery keys, and how are they different from unseal keys?
Per [HashiCorp's documentation](https://developer.hashicorp.com/vault/docs/concepts/seal), recovery keys come into play when Vault is configured for auto-unseal (via an HSM or cloud KMS) instead of manual Shamir unseal. Recovery keys are generated the same way, via Shamir's Secret Sharing, but they cannot decrypt the root key directly — they're used to authorize sensitive operations like re-keying or seal migration when the external auto-unseal mechanism is available.
If Vault already has Shamir-based recovery, why would a team also use Glassbreak?
Vault's Shamir shares are built for infrastructure operators unsealing a running service — [HashiCorp's own best-practices documentation](https://developer.hashicorp.com/vault/docs/configuration/seal/seal-best-practices) recommends PGP-encrypting each shard and running quarterly unseal drills, which assumes an operational team managing key material as an ops task. Glassbreak addresses a different, human-facing layer: alerting the right people that a break-glass event happened, coordinating approval among team members (not just infrastructure operators), and covering secrets outside Vault entirely — runbooks, recovery documents, and credentials for systems that aren't Vault-managed.

Stay Updated

Get product updates and security insights. No spam, unsubscribe anytime.

We respect your privacy. See our privacy policy.