Classification: Feature request (usability / configuration improvement)
Currently, Galaxy's credential support (used by tools via CredentialsService) stores secrets through the vault system, which requires admins to explicitly create a vault_conf.yml with a type: database entry and Fernet encryption keys. Without this config, VaultFactory.from_app() in lib/galaxy/security/vault.py returns a NullVault that throws InvalidVaultConfigException on any read/write.
As tools increasingly adopt the credentials framework (e.g., PR #21643 adding test credential support), every Galaxy instance that wants to use these tools needs manual vault configuration — a barrier that shouldn't exist for a core feature.
The DatabaseVault backend is self-contained (it uses the existing Galaxy database plus Fernet encryption keys), so it can be enabled by default without requiring any external service.
Modify VaultFactory.from_app() to fall back to a DatabaseVault instead of NullVault when no vault config file exists. Auto-generate a Fernet key on first use and persist it to a known location (e.g., <data_dir>/vault_key), or add a new config option like vault_encryption_key that can be auto-populated. The existing NullVault path should only apply if an admin explicitly disables the vault. Also update is_vault_configured() so that downstream checks (object store templates, file source templates) recognize the auto-configured vault.
Medium