1. 29

  2. 18

    I disagree. Vault is absolutely more work to deploy and use, but it’s far easier to automate processes with it. More importantly, you can have workflows where credentials are created and stored without a human ever seeing them, and are never stored on the hosts your applications run on. Vault can also do a lot more than just simple key-value storage of credentials, like creating temporary database credentials or IAM users. It makes it possible to rotate credentials much faster - hit a vault endpoint and/or restart affected services as opposed to committing new secrets and waiting for an entire configuration management run to end.

    It’s particularly useful when your configuration is distributed across multiple repositories (urgh, microservices) - you can have completely separate layers for configuring credentials and deploying applications that use them, using Vault as the interface between them. If I have some Ansible that configures MySQL instances, it doesn’t have to also deploy applications or be in the same repository as code that does.

    I do recommend taking the approach the author describes at smaller scales - it’s a lot less effort for a reasonably similar result. The only reason I think starting with Vault may be worth it is that - I think - it encourages better application design and secrets management, and it can be harder to transition to later on.
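    The lease mechanics behind the "temporary database credentials" and "hit a vault endpoint to rotate" points above, as an added example that is not from the thread or from HashiCorp: a small client that requests dynamic credentials from Vault's `database/creds/<role>` endpoint, renews the lease before it expires, and revokes it on shutdown. It assumes a dev server at `VAULT_ADDR` with a database secrets engine mounted at `database/` and a role named `app`; the `transport` callable is injectable so the lease logic can be exercised offline against constructed responses.

```python
import json
import time
import urllib.request

VAULT_ADDR = "http://127.0.0.1:8200"  # assumption: local dev server
RENEW_AT = 2 / 3                      # renew once this fraction of the lease has elapsed


def http_transport(token, method, path, body=None):
    """Real transport: one authenticated call against the Vault HTTP API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{VAULT_ADDR}/v1/{path}", data=data, method=method)
    req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


class DynamicCreds:
    """Holds one set of short-lived DB credentials and tracks its lease."""

    def __init__(self, token, role="app", transport=http_transport, now=time.time):
        self.token, self.role, self.transport, self.now = token, role, transport, now
        self.lease_id = self.username = self.password = None
        self.renew_after = 0.0

    def fetch(self):
        # Each read of database/creds/<role> mints a fresh user/password with its own lease,
        # so no long-lived password ever has to be committed or copied to the host.
        resp = self.transport(self.token, "GET", f"database/creds/{self.role}")
        self.lease_id = resp["lease_id"]
        self.username = resp["data"]["username"]
        self.password = resp["data"]["password"]
        self._schedule(resp["lease_duration"])
        return self.username, self.password

    def _schedule(self, lease_duration):
        self.renew_after = self.now() + lease_duration * RENEW_AT

    def needs_renewal(self):
        return self.now() >= self.renew_after

    def renew(self, increment=3600):
        # sys/leases/renew extends the existing credentials rather than minting new ones
        resp = self.transport(self.token, "POST", "sys/leases/renew",
                              {"lease_id": self.lease_id, "increment": increment})
        self._schedule(resp["lease_duration"])
        return resp["lease_duration"]

    def revoke(self):
        # Revoking the lease makes Vault drop the DB user immediately: rotation without a config run
        self.transport(self.token, "POST", "sys/leases/revoke", {"lease_id": self.lease_id})
        self.lease_id = self.username = self.password = None
```

If the lease is not renewed in time, Vault revokes the credentials itself when it expires, which is what bounds the blast radius of a leaked pair.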

    1. 7

      I’ve spent weeks trying and failing to implement Vault at $job, so I am sympathetic to the argument. But SOPS + KMS are simply not a replacement for Vault unless your needs are very simple. We already do basically this, but Vault offered a bunch of useful things that we couldn’t do.

      The biggest value of Vault is the plugins you can enable to help automate more infrastructure. I want to automatically provision things like Certificates and SSH keys, with a short lifespan. I want to automatically rotate keys without manual intervention.

      If all you need are encrypted secrets checked into git, then yes. Use this. Vault was not for you.

      1. 5

        In the exact words of Mitchell (vault cofounder) over on the orange hellscape https://news.ycombinator.com/item?id=23032499

        I’m one of the creators of Vault. I read this back when it was posted and I’d be happy to share my thoughts. I’ll note it’s worth reading through to the last paragraph and into the comments; the title is a bit bait-y and the article does a better job than the title gives itself credit for.

        Broadly speaking, if you’re looking at Vault to solve a specific problem X for a specific consumption type Y on a specific platform Z, then it probably is overkill (I wouldn’t say “overhyped” :)). i.e. “encrypted key/value via env vars on AWS Lambda”. “X via Y on Z.” The power of Vault is: multiple use cases, multiple consumption modes, and multiple platforms supported with a single consistent way to do access control, audit logging, operations, etc.

        I can’t stress that “single consistent way to do access control, audit logging, operations, etc.” enough. Multiple security use cases dangling off that consistency is really important as soon as you hit N=2 or N=3 security use cases.

        If you need say… encrypted KV and encryption-as-a-service and dynamic just-in-time credentials and a PKI system (certificate), and you need this as files and as env vars, and you need this on Kubernetes and maybe also on EC2, then Vault is – in my totally biased opinion – going to blow any other option out of the water.

        That’s a somewhat complex use case but it’s something Vault excels at. For simpler use cases, Vault is making more and more sense as we continue to make Vault easier to use. For example, we now provide a Helm chart and official K8S integration so you can run Vault on K8S very easily. And in this mode, developers don’t even need to know Vault is there cause their secrets show up as env vars and files just like normal K8S secrets would.

        Also, this article is from June 2019 and in 10 short months we’ve made a ton of progress on simplifying Vault so it gets closer to that “X via Y on Z” use case. Here are some highlights I can think of off the top of my head but there are definitely more, this is just from memory:

        • We have integrated storage as an option now, so you don’t need separate storage mechanisms.

        • Our learn guides went from basically zero to lots of content which makes it much easier to learn how to use Vault: https://learn.hashicorp.com/vault

        • We have an official, feature-packed Kubernetes integration to do stuff like secret injection and rotation automatically. We also publish a Helm chart to run Vault on Kubernetes. https://learn.hashicorp.com/vault?track=getting-started-k8s#

        We’re looking at ways to make running Vault much, much easier. More on that later this year. :)

        1. 3

          I agree. Vault is a glorified key value store with a lot of overkill features you’ll probably never use. Sops is a super useful utility that works well with Git-based ops, and it’s something you can grok in about 30 seconds. There’s little need for all the complexity Vault introduces unless you want to create job security for yourself.

          1. 2

            I am late to the party, but does anybody have an opinion/experience on https://github.com/pinterest/knox ?

            1. 2

              Secrets and security is hard. Done well, it is complicated. Done right, it takes time.

              About 4 years ago, I reviewed systems and I thought Keywhiz by Square was the best, but required the most serious setup.