by gobengo 3194 days ago
Hesitant why? It's pretty darned good. Kubernetes also has a Secret abstraction, but you probably don't want to start setting up Kubernetes just for secret storage. Vault is good at that.

Kubernetes "secrets" are base64-encoded only; anyone with access to the resource can view the original secret.
The lack of encryption at rest for Kubernetes secrets was one of the (many) factors in why we originally chose Vault.

That said, there's been a lot of progress in this area recently. Starting in Kubernetes 1.7, you can optionally encrypt etcd at rest: https://kubernetes.io/docs/tasks/administer-cluster/encrypt-...

You also have a few good choices for the crypto. Two of the choices are Secret Box (XSalsa20 + Poly1305) and AES-GCM with random nonce.

Full list of providers, including info on strength + other considerations:

https://kubernetes.io/docs/tasks/administer-cluster/encrypt-...
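As an added example (not from this thread or the Kubernetes project), a small Python check for the two points made above: that the base64 in a Secret's `data` field is not encryption, and that encryption at rest can be verified by the `k8s:enc:<provider>:v1:` prefix kube-apiserver writes in front of stored etcd values. The Secret manifest, etcd key paths and ciphertext bytes are constructed placeholders.

```python
import base64
import json
import re

# Constructed sample Secret manifest, shaped like `kubectl get secret -o json` output.
SAMPLE_SECRET = json.dumps({
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "db-creds", "namespace": "default"},
    "type": "Opaque",
    "data": {
        "username": base64.b64encode(b"appuser").decode(),
        "password": base64.b64encode(b"s3cr3t-pa55").decode(),
    },
})

# Prefix kube-apiserver puts in front of a value written by an encryption provider.
ENC_PREFIX = re.compile(rb"^k8s:enc:(aescbc|aesgcm|secretbox|kms):v[12]:")


def decode_secret_data(manifest_json):
    """Return the plaintext values of a Secret manifest.

    `data` is only base64: no key is needed to decode it, so anyone who can
    read the resource reads the secret.
    """
    manifest = json.loads(manifest_json)
    return {k: base64.b64decode(v).decode() for k, v in manifest.get("data", {}).items()}


def storage_encryption_provider(etcd_value):
    """Classify a raw etcd value for a Secret.

    Returns the provider name ('aescbc', 'aesgcm', 'secretbox' or 'kms') when
    the value carries the encryption prefix, or 'identity' when it is stored
    in the clear (the default, and the case an audit should flag).
    """
    m = ENC_PREFIX.match(etcd_value)
    return m.group(1).decode() if m else "identity"


def audit_etcd_values(values):
    """Return the etcd keys of Secrets stored without encryption at rest."""
    return [k for k, v in values.items() if storage_encryption_provider(v) == "identity"]


# Constructed etcd values: one plaintext Secret and two encrypted ones (ciphertext is placeholder bytes).
SAMPLE_ETCD = {
    "/registry/secrets/default/db-creds": SAMPLE_SECRET.encode(),
    "/registry/secrets/default/tls": b"k8s:enc:secretbox:v1:key1:\x9a\x11\x42",
    "/registry/secrets/kube-system/token": b"k8s:enc:aesgcm:v1:key1:\x00\x01\x02",
}

if __name__ == "__main__":
    print(decode_secret_data(SAMPLE_SECRET))
    print(audit_etcd_values(SAMPLE_ETCD))
```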