Bang Le on September 20, 2019 at 12:51 am
Your article is truly awesome. I am working on the secret management topic and have exactly this question about HashiCorp Vault and SOPS. Thank you a lot for sharing. Best wishes to you.
Wei Jiang on September 24, 2019 at 11:46 am
A good point of view. I've been confused with the management of credentials for years. A few weeks ago I discovered SOPS and it is amazing!!! There used to be some git-based encryption tools that encrypt the files as a whole and yes, `git diff` breaks, and the encryption may be compromised with no way to revoke the key. Now I use Vault in K8S to provide encryption service for microservices, and for real humans, I suggest SOPS. It looks like SOPS has an option to push secrets to Vault; that's a great improvement to the workflow!!!
Drew R on December 20, 2019 at 1:32 pm
You mention on-prem in criteria one, but the solution appears to require constant access to the cloud provider to decrypt/encrypt, if I'm not misunderstanding things. How do you see this as fulfilling the criteria of an on-prem solution?
Chris McGrath on December 22, 2019 at 7:08 pm
You are correct that using KMS on-premises would need constant access to the cloud provider to decrypt/encrypt, but really that's just access to the internet, which is pretty normal. I never said the solution needed to work in an air-gapped environment that doesn't have access to the internet. I can clone a git repo that has AWS KMS encrypted data to a VM/CI/CD pipeline hosted on any cloud (Azure, AWS, GCP, DO, VPS), on-prem, or a remote developer laptop. As long as the machine has internet access, can talk to the cloud provider, and the machine is configured with AWS CLI creds, Mozilla SOPS can decrypt the data using AWS KMS. (The point I'm trying to make with this second paragraph is that just because I use AWS KMS doesn't mean I have to use EC2 instances to talk to AWS KMS; the machine that talks to AWS KMS only needs to have internet access.)
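The workflow described in the reply above (a repo with KMS-encrypted files that any machine with network access and AWS credentials can decrypt) is driven by a `.sops.yaml` creation rule in the repository. The following is an added illustration, not configuration from the article or from any commenter; the KMS key ARN and IAM role ARN are placeholders, and the path pattern is an assumption.

```yaml
# .sops.yaml at the repository root (added example; all ARNs are placeholders)
creation_rules:
  # Files matching this pattern get SOPS' per-value encryption: the YAML keys
  # stay in plaintext and only the values are ciphertext, so `git diff` still
  # shows which entries changed.
  - path_regex: secrets/.*\.enc\.yaml$
    # SOPS generates a random data key per file and wraps it with this KMS key.
    # Any caller that can invoke kms:Decrypt on the key, using the normal AWS
    # CLI credential chain (env vars, ~/.aws/credentials, instance role), can
    # decrypt the file from anywhere with internet access.
    kms: 'arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000'

  # Optional second rule for a CI/CD pipeline: the "+role" suffix makes SOPS
  # assume the named IAM role before calling KMS, so the pipeline's base
  # credentials only need sts:AssumeRole on that role.
  - path_regex: ci/.*\.enc\.yaml$
    kms: 'arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000+arn:aws:iam::000000000000:role/ci-sops-decrypt'
```

With this in place, `sops -e -i secrets/app.enc.yaml` encrypts in place and `sops -d secrets/app.enc.yaml` decrypts on any host that meets the conditions in the reply. Because the only gate is "can this principal call kms:Decrypt on that key", the KMS key policy and the IAM policies attached to developer and pipeline principals are the real access control; CloudTrail records each Decrypt call against the key, which is how decryptions from an unexpected principal or network location would be noticed.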
Shalom on January 3, 2020 at 4:00 pm
Interesting read. I'm trying to look into deploying secrets management, and it is an interesting tool to get familiar with. It could be very useful in some cases, and at the same time it is missing some of the automated rotations and other tasks that Vault does for you, as well as dynamic secrets, which are very useful.
Jason Mars on January 12, 2020 at 3:58 pm
I'd like to point out a few things. While your view is valid, and using a cloud KMS is not a bad idea since most companies already host on a service that offers KMS such as AWS, Azure, GCP and more, you seem to be missing the point of why companies choose HashiCorp Vault. Like the name suggests, a "cloud KMS" is hosted in the cloud. The security, deployment, networking, and everything in between is handled by a hosting company. While these hosting companies host many mission-critical servers for big-name companies, many companies choose to host sensitive information themselves. This is where HashiCorp Vault comes in and gains popularity. With the ability to easily store secrets on-premises, HashiCorp Vault attracts companies that are legally obligated to follow strict regulations and compliance requirements that demand the best security practices. This more often than not means ensuring not only the virtual security but also the physical security. Many government organizations, government contractors, security companies, and more will host a few on-premises applications that may hold extremely sensitive data. Examples of these applications are HashiCorp Vault, GitLab or Mattermost.
Nathan Basanese on February 6, 2020 at 8:13 pm
// ,

> Hashicorp Vault will have trouble achieving its goal of being a centralized secret repo for your organization

This sentence describes what is wrong with this article. The guy missed the point. If all you're using Vault for is a "secret repo" for your organization, then yeah, go ahead and use Git? I don't think this guy understands Dynamic Credentials. Another example of this lack of "getting it":

> Devs can store their secrets encrypted right next to and in sync with the version of the code that uses it.

Tools like HashiCorp Vault change from using "Secrets as Code" to "Policy as Code," where credentials are dynamically generated on the fly in response to application needs, rather than versioned alongside code. Secrets Management should not be tightly coupled to Application Source Code Management, which, in turn, should not be tightly coupled to Infrastructure Source Code Management. Like, when an application needs to scale up 5%, do you need to make a code commit? No. Likewise, there are changes to credentials that should not occur with the need for a Git commit. The response by Jason Mars is pretty on point. Anyway, maybe these concepts are a bit confusing. And I'm probably biased because I've become a Vault Nerd over the past few years. But just because I'm biased doesn't necessarily mean I'm wrong. If there's any interest, I'll try to clear up the advantages of treating Dynamic Credentials and Encryption as a data service, and "Policy as Code" vs "Secrets as Code."