HashiCorp Vault is a powerful secrets management tool that is well suited to automating the creation, distribution, and destruction of secrets. However, if your goal is to secure access to sensitive systems, a secrets store is not the only approach. In this blog post we’ll look at a few alternatives, with my take on the strengths and weaknesses of each approach. First, however, a quick matrix comparison of features may give you the information you’re looking for right off the bat.
| Feature | HashiCorp Vault | HashiCorp Vault Open-Source | Homebrew | strongDM |
|---|---|---|---|---|
| Programmatic access to secrets | ✔️ | ✔️ | ❓ | |
| Ephemeral/dynamic secret generation | ✔️ | ✔️ | ❓ | |
| Automatable key rotation | ✔️ | ✔️ | ❓ | |
| Transparent integration with SSH | ✔️ | ✔️ | ❓ | ✔️ |
| Transparent integration with database clients | | | ❓ | ✔️ |
| Transparent integration with Kubernetes kubectl | | | ❓ | ✔️ |
| Transparent integration with RDP | | | ❓ | ✔️ |
| Complete audit logs of database/server activity | | | ❓ | ✔️ |
Vault is a complete secrets management product, allowing end users to interact with a secure vault (server) to store, retrieve, and generate credentials for a wide variety of systems, including databases, various cloud providers, and SSH. It is built on a client-server model and is accessible via a command-line tool, a REST API, and a web interface. Its ability to create and delete ephemeral credentials lets users build secure automation with minimal risk of leaking credentials.
- Storing sensitive credentials that can be accessed manually, via a CLI, or an API
- Generating ephemeral credentials for one-time access to databases, cloud environments, and a variety of other secure environments
- Securing automated processes that require secrets to connect to secure environments
- Because it has a fully functional API, it is well suited for integrating with automated tools and processes
- Ephemeral credentials increase security by existing only long enough to be used and then being discarded
- Any form of data can be stored via the API, CLI, or web UI, making it a very flexible method of protecting a wide variety of secrets: credentials, API keys, tokens, and even binary data via Base64 encoding.
- Accessed through an API and command-line utility; not transparent to end users
- Not suitable for end-user credential management
- Requires custom integration work to fit into existing workflows
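To make the ephemeral-credential model concrete, here is an added example (not code from the post or from HashiCorp) that issues a dynamic database credential through Vault's HTTP API, hands it to the caller, and revokes the lease when the work is done. It assumes a database secrets engine mounted at `database/` with a role named `readonly`; the embedded response is a constructed sample so the lease handling can be exercised offline.

```python
import json
import time
import urllib.request
from contextlib import contextmanager
# Assumptions (not from the post): a Vault server with the database secrets
# engine mounted at "database/" and a role named "readonly".

def vault_call(addr, token, method, path, body=None):
    """One authenticated call to Vault's HTTP API, JSON in and out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{addr}/v1/{path}", data=data, method=method,
        headers={"X-Vault-Token": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}

def parse_lease(response, now=None):
    """Extract the credential and lease; compute the absolute expiry time."""
    now = time.time() if now is None else now
    data = response["data"]
    return {
        "username": data["username"],
        "password": data["password"],
        "lease_id": response["lease_id"],
        "renewable": response.get("renewable", False),
        "expires_at": now + response["lease_duration"],
    }

@contextmanager
def ephemeral_db_credential(addr, token, role="readonly", call=vault_call):
    """Issue a dynamic database credential, hand it to the caller, and revoke
    it on exit. `call` is injectable so the flow can run without a live server."""
    lease = parse_lease(call(addr, token, "GET", f"database/creds/{role}"))
    try:
        yield lease
    finally:
        # Revoke the lease explicitly rather than waiting for the TTL: Vault
        # drops the database user, so a leaked password is useless afterwards.
        call(addr, token, "PUT", "sys/leases/revoke",
             {"lease_id": lease["lease_id"]})

# Constructed sample of what GET /v1/database/creds/readonly returns.
SAMPLE_RESPONSE = {
    "lease_id": "database/creds/readonly/EXAMPLE-LEASE-ID",
    "renewable": True,
    "lease_duration": 3600,
    "data": {"username": "v-token-readonly-example", "password": "example-password"},
}
```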
The open-source version of HashiCorp Vault shares its core with the enterprise version, but it lacks several enterprise features, including:
- MFA integration for client authentication
- Vault replication and disaster recovery workflows
- Namespaces for multi-tenancy
- Support for hardware security modules
Because this is a version of the enterprise Vault product, much the same use cases apply here. However, because it lacks a number of enterprise-level features, it will require additional in-house work to be suitable for enterprise deployment.
- It’s free!
- Community resources available for configuration and troubleshooting
- Lacks enterprise-friendly features such as replication and disaster recovery capability
- No formal support or SLA
If you lack the budget for a commercial product, or if your use case does not fit neatly within the feature sets offered by commercial products, you always have the option of building a homebrew solution using in-house resources. Typically this will involve a significant engineering effort, both to scope and build the solution and to maintain it going forward. Not only that, but auditors may look askance at your homebrew solution unless it has been tested and validated by an outside party, for example through a penetration test or white-box code review. The benefit, of course, is that you will be able to produce a tool that matches your specific needs.
Because a homebrew secrets management system is entirely developed in-house, it can be designed and built to accommodate any specific required use cases for the organization. In order to build a functional and secure homebrew secrets management tool, you will need to have significant in-house security engineering expertise.
- It’s free (at least, in dollars)
- Fully customized to required use cases
- Extensive time investment for development and maintenance
- In-house security engineering expertise required
- No external support available
- Extensive testing, including external testing, will be needed to verify the solution from an auditing perspective
strongDM is a control plane that makes it easier for organizations to secure access to databases, servers, and Kubernetes. Instead of distributing access across a combination of VPN, individual database credentials, and SSH keys, strongDM unifies management in your existing SSO and keeps credentials hidden. Neither credentials nor keys are accessible by end users. Because strongDM deconstructs every protocol, it also logs all database queries, complete SSH and RDP sessions, and kubectl activity.
- Faster onboarding: no need to provision database credentials, SSH keys, or VPN passwords for each new hire.
- Secure offboarding: suspend SSO access once to revoke all database and server access
- Automatically adopt security best practices: least privilege, ephemeral permissions, audit trail
- Comprehensive logs: log every permission change, database query, SSH and kubectl command.
- Easy deployment: a self-healing mesh network of proxies that auto-discovers available databases, servers, and Kubernetes clusters.
- No change to workflow: use any SQL client, CLI, or desktop BI tool
- Standardized logs across any database type, Linux or Windows server
- Credentials must be entrusted to a third party for long-term storage
- Requires continual access to strongDM API for access to managed resources