-
Notifications
You must be signed in to change notification settings - Fork 1
Competitor: Hashicorp Vault
Kyle Kamperschroer edited this page Jan 26, 2016
·
1 revision
A secrets service deployed as a cluster. Each client has an identity and can call to the secret service to obtain the secret they need. Secrets are given out based on policies. Auditing is built in. Revoking of secrets accessed by a bad actor is a built in feature. Really, the best solution I've found so far. It's complexity and lack of commercial support is the biggest downside.
- It's free and open source
- Rolling of secrets
- Auditing
- Integration with Github, LDAP, and much more
- Tons of extensibility with storage backends (consul being the obvious choice)
- It's complicated to learn
- No UI
- Bootstrapping difficulty
- The "sealing" problem. Encryption keys only stored in memory and must be provided by multiple actors at startup.
- If the cluster goes down, the Vault is sealed and your services will no longer have access.
- Single point of failure if the cluster goes down