diff --git a/.zuul.yaml b/.zuul.yaml index e9ae8f7e2..2de1483d0 100644 --- a/.zuul.yaml +++ b/.zuul.yaml @@ -61,6 +61,14 @@ services: barbican-dogtag,tempest,rabbit,mysql,key plugin: dogtag +- job: + name: barbican-vault-devstack-functional + parent: barbican-devstack-functional-base + voting: false + vars: + services: barbican-vault,tempest,rabbit,mysql,key + plugin: vault + - job: name: barbican-kmip-devstack-functional parent: barbican-devstack-functional-base @@ -188,3 +196,4 @@ experimental: jobs: - barbican-simple-crypto-devstack-tempest-py35 + - barbican-vault-devstack-functional diff --git a/devstack/lib/barbican b/devstack/lib/barbican index 03fb8340b..de154da9b 100644 --- a/devstack/lib/barbican +++ b/devstack/lib/barbican 
@@ -570,5 +570,49 @@ function install_dogtag_components { } +# Vault functions +# ---------------- + +function install_vault { + wget https://releases.hashicorp.com/vault/0.10.1/vault_0.10.1_linux_amd64.zip + unzip vault_0.10.1_linux_amd64.zip + sudo mv vault /usr/bin + install_package screen + screen -d -m bash -c "vault server -dev -dev-listen-address=${HOST_IP}:8200 2>&1 >vault.log" + + # get the root_token_id, use tempfile for counter + TOKEN_ID_FILE="vault_root_token_id" + touch $TOKEN_ID_FILE + + COUNTER=0 + + while [ ! -s $TOKEN_ID_FILE ] && [ "$COUNTER" -lt "20" ] + do + sleep 2 + awk '/Root Token:/ {print $3}' vault.log > $TOKEN_ID_FILE + COUNTER=$[COUNTER + 1] + done + + if [ ! -s $TOKEN_ID_FILE ]; then + echo "Wah! Need to throw an error code here!" + fi + + #debug code follows: + export VAULT_ADDR="http://${HOST_IP}:8200" + vault status + vault kv put secret/hello foo=world + vault kv get secret/hello + vault kv delete secret/hello + +} + +function configure_vault_plugin { + root_token_id=`cat vault_root_token_id` + iniset $BARBICAN_CONF secretstore enabled_secretstore_plugins vault_plugin + iniset $BARBICAN_CONF vault_plugin root_token_id $root_token_id + iniset $BARBICAN_CONF vault_plugin vault_url "http://${HOST_IP}:8200" + iniset $BARBICAN_CONF vault_plugin use_ssl "false" +} + # Restore xtrace $XTRACE diff --git a/devstack/plugin.sh b/devstack/plugin.sh index 83ddb81a4..122862b1e 100644 --- a/devstack/plugin.sh +++ b/devstack/plugin.sh @@ -23,6 +23,10 @@ if is_service_enabled barbican; then echo_summary "Installing Dogtag" install_dogtag_components fi + if is_service_enabled barbican-vault; then + echo_summary "Installing Vault" + install_vault + fi elif [[ "$1" == "stack" && "$2" == "post-config" ]]; then echo_summary "Configuring Barbican" configure_barbican 
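Review bot: The Vault archive fetched in `install_vault` is unzipped and moved into /usr/bin with sudo without any integrity check; it should be verified against the release's SHA256SUMS file (better, its signed copy or a digest pinned in this repo) before `unzip`. In the `screen` command, `2>&1 >vault.log` keeps stderr out of the log because redirections apply left to right, so it should read `>vault.log 2>&1`. When the polling loop times out the function only echoes a message, so `configure_vault_plugin` later writes an empty `root_token_id` into `$BARBICAN_CONF`; the sketch below fails with devstack's `die` instead. The root token also lands in vault.log, in `vault_root_token_id` in the current directory and probably in the xtrace output of the `iniset` call, which is tolerable for a dev-mode CI server but deserves a comment so the pattern is not copied elsewhere. Both relative paths also assume the two functions run from the same working directory.

```shell
function install_vault {
    local vault_zip="vault_0.10.1_linux_amd64.zip"
    local vault_sums="vault_0.10.1_SHA256SUMS"
    local vault_base="https://releases.hashicorp.com/vault/0.10.1"
    wget "${vault_base}/${vault_zip}" "${vault_base}/${vault_sums}"
    # Refuse to install a binary whose digest does not match the published sums
    grep -F -- "${vault_zip}" "${vault_sums}" | sha256sum -c - \
        || die $LINENO "Vault archive failed checksum verification"
    unzip "${vault_zip}"
    # … unchanged: mv vault to /usr/bin, install_package screen …
    screen -d -m bash -c "vault server -dev -dev-listen-address=${HOST_IP}:8200 >vault.log 2>&1"
    # … unchanged: TOKEN_ID_FILE setup and polling loop …
    if [ ! -s "$TOKEN_ID_FILE" ]; then
        die $LINENO "Timed out waiting for the Vault root token in vault.log"
    fi
    # … unchanged: VAULT_ADDR export and kv smoke test …
```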
@@ -34,6 +38,10 @@ if is_service_enabled barbican; then echo_summary "Configuring Dogtag plugin" configure_dogtag_plugin fi + if is_service_enabled barbican-vault; then + echo_summary "Configuring Vault plugin" + configure_vault_plugin + fi configure_barbicanclient # Configure Cinder, Nova and Glance to use Barbican