I am considering using HCP Vault to store and access my secrets,
yet I can't understand whether the cloud provider (wherever HCP Vault is running) and HashiCorp (as the vendor) have access to the encryption key (so they can access my secrets).
If they don't have access - could you explain why?
If there's a solution that prevents them from having access to my key - could you explain how to achieve it?
HashiCorp HCP is a cloud platform; you don't need to worry about which provider they're using underneath that – they're responsible for its uptime and availability. My guess is that they're using AWS as a primary and probably have GCP as a DR or backup site – but it matters not unless your company's data has regional restrictions, in which case you should talk to HashiCorp to see if HCP is a viable choice.
HashiCorp does not have access to your data, as you own your own encryption keys. You can also rotate them whenever you like, and it is recommended that you do so as often as it is feasible and safe to do.
You can read about data security in transit with HCP here to see why it is secure in communication as well: Security Model | HashiCorp Cloud Platform