Skip to content

Competitor: Hashicorp Vault

Kyle Kamperschroer edited this page Jan 26, 2016 · 1 revision

What are they?

A secrets service deployed as a cluster. Each client has an identity and can call to the secret service to obtain the secret they need. Secrets are given out based on policies. Auditing is built in. Revoking of secrets accessed by a bad actor is a built in feature. Really, the best solution I've found so far. It's complexity and lack of commercial support is the biggest downside.

Where does their secrets solution excel?

  • It's free and open source
  • Rolling of secrets
  • Auditing
  • Integration with Github, LDAP, and much more
  • Tons of extensibility with storage backends (consul being the obvious choice)

Where does their secrets solution fall short?

  • It's complicated to learn
  • No UI
  • Bootstrapping difficulty
  • The "sealing" problem. Encryption keys only stored in memory and must be provided by multiple actors at startup.
    • If the cluster goes down, the Vault is sealed and your services will no longer have access.
  • Single point of failure if the cluster goes down

Clone this wiki locally