[lmickh]

Can't recommend Vault enough. By far the easiest and most capable solution to work with. The only downside I can point out is that the multi-cluster/region HA requires expensive enterprise licensing, but that is something most user cases don't require.

[peterwwillis]

> By far the easiest

Secret management is as complex as the system which relies upon it. Vault is not as easy as many other tools designed for simple systems. GPG by itself is often enough to manage secrets.

There are probably 40 or more secret management solutions out there, many tailored for specific uses. Most CMS's have their own secret management baked in. Most orchestration and infrastructure tools do too. Four different solutions are called 'Vault'. There are at least 5 solutions just for Amazon. Depending on your platform, something other than HashiVault may be easier to adopt.

Here's some reviews of a dozen different solutions: https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3... https://medium.com/on-docker/secrets-and-lie-abilities-the-s... https://www.threatstack.com/blog/cloud-security-best-practic... https://www.youtube.com/watch?v=OUSvv2maMYI&feature=youtu.be

[lmickh]

Maybe that was poor wording on my part, but ease of use in combination with the features are important.

Take the database secret backend for example. Getting that same feature out of other simple systems, would be a lot of work. Audit trails are another low effort high reward feature. When you start to get into combining those features, it is an even greater pay off. When you start to take into consideration HA clusters...well if you want to put that together on your own have at it.

Much of "easiest" has to do with familiarity as well. I've seen new users get Vault up in minutes that still don't have GPG setup "cause it is hard". If you are already working with DynamoDB or Consul, you already know how to setup the storage. Those are common skills. I'm sure there are folks that fall on the other side of that use GPG often, but it doesn't make either side more objectively easy.

If you only have the need for a simple system, then Vault may be overkill. I would say Vault is comparable to Kubernetes. Does everyone need it: No. Simpler stuff can be done with config management or tools like Nomad. Does it have features that most people will eventually want to use: Absolutely.

Secret management is one of those things were simple solutions end up easily becoming more and more involved just like container orchestration. Especially when you get into chicken/egg scenarios regarding stuff like some of the tools you mentioned.

Side note: I've tried at least 12 other tools for this purpose , and I would recommend Vault over all of them for most every scenario that is more involved then "Use 1Password".

[odiroot]

Did you use it with Kubernetes by any chance?

[lmickh]

Yes. I use Terraform to pull secrets from Vault and insert them into Kubernetes secrets so that there is a single source of truth.

[puzzle]

What's the Enterprise pricing?

[lmickh]

IIRC, it was on the order of $100k+ per cluster for the Premium offering. Has been several months so I would suggest contacting them to see what it currently is.

For some projects I've been on, that wouldn't be a big deal. For smaller projects it can easily be several times your opex though.

You can run an open source cluster in HA without it though. The big draw for Enterprise is the multi-cluster and HSM support. Anything HSM is typically quite expensive so their pricing really isn't out of line.