[ianl]

At Manifold(1), we built Torus from the ground-up to solve a consistent pain when building cloud apps: securely storing, sharing, and rotating secrets used to build, run, and deploy code. Our goal is to make it simple for anyone, not just the security savvy, to keep their secrets out of git and off disk.

To do this, we designed our security model (host and cryptography architecture) for hosting in the cloud to ensure we never have access to any of the keys used to encrypt or sign secrets — they’re derived from a user’s password and never forwarded along. We’ve posted more information in our documentation(2).

The server is currently closed source, with plans to open source it. The client (where all cryptographic operations happen) is open source.

1) https://www.manifold.co/ 2) https://www.torus.sh/docs/latest/internals/crypto

[tiziano88]

Could you highlight differences compared to Vault?

[ianl]

At it’s heart, Torus is public-key infrastructure, users/machines derive and encrypt asymmetric key pairs from their password. These key pairs are then uploaded and signed by the Torus server using a key endorsed by our root signing keys (always kept offline in a sealed and secured environment).

This enables Torus to establish a web of trust (much like gpg), allowing clients to retrieve and validate (by navigating down the web of trust) public signing and encryption keys for other users or machines. Using these validated keys, clients can encrypt secrets for each other without ever sending the secret (or any material used to encrypt it) to the server.

Vault, on the other hand, operates under a centralized encryption model with all secrets encrypted using keys encrypted by the root master key. For a vault cluster to boot up, the vault must be unsealed which complicates it’s high availability story — for a cluster to cold start it must have access to the master key.

The onus is on operators to properly store, transmit, and leverage the master key to unseal the vault which requires a certain level of sophistication to do properly. If the root key were to be lost or compromised, then all of the secrets would be as well.

Torus uses a decentralized model and builds on-top of the privilege of least privilege — users and machines only have access to the secrets they require. Making it far easier to operate as a cloud service (no cold start problem) and ensure that we never have access to your secrets.

We don’t see Torus as only a security tool, instead, we see it as a productivity tool by focusing on making it super easy to set, audit, and rotate secrets when a machine is compromised, developer leaves, or key is committed to git.

[wst_]

> For a vault cluster to boot up, the vault must be unsealed which complicates it’s high availability story

It doesn't complicate anything. It just makes it secure.

> If the root key were to be lost or compromised, then all of the secrets would be as well.

In Vault, you do not have just a root key. You have it divided, initially in 5 parts 3 of which are needed for unsealing. You can change the numbers. It is unlikely that all of them goes AWOL.

Plus, Vault is trivial to set up for a small team. Not a bigger effort is needed to set up a cluster.

I can understand that Torus is your tool of choice, but please do not spread FUD about Vault at the same time. I have no experience with Torus, yet, but Vault is a solid piece.