by TimTheTinker
1986 days ago
Great points and discussion, thanks. One thing I still want to say: when I speak of secret servers that only use TLS, I was thinking primarily of products like Thycotic Secret Server, where deployment is left to on-prem IT staff, no E2EE exists at all, authorization uses code branching rather than security primitives, and where "vaults" are databases with DBMS-implemented encryption at rest. Security-wise, a hand-rolled solution actually could be better if written by an experienced non-security engineer. I'm not familiar with AWS secret server, but I assume it's deployed such that it inherits a lot of guarantees by virtue of being part of the AWS ecosystem.
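The two storage models the comment contrasts, as an added example that is not part of the post and not code from any product it names. Model 1 is a TLS-only server whose "vault" is a table with transparent at-rest encryption and an if-statement for authorization; model 2 is a server that only ever stores client-encrypted blobs. The in-memory dicts, the caller names and the secret are constructed inputs; the cipher is a toy HMAC-SHA256 keystream plus HMAC tag standing in for a real AEAD such as AES-GCM (an assumption made to keep the block standard-library only; do not reuse it).

```python
import hashlib
import hmac
import secrets


# ---- Model 1: TLS-only secret server ---------------------------------------
# DBMS encryption at rest is transparent to the application: once the database
# is open, the application process holds plaintext. Authorization is a branch.
class TlsOnlyVault:
    def __init__(self):
        self._rows = {}  # name -> (owner, plaintext); constructed stand-in for a DB table

    def put(self, name, owner, plaintext):
        self._rows[name] = (owner, plaintext)

    def get(self, name, caller):
        owner, plaintext = self._rows[name]
        if caller != owner and caller != "admin":  # authorization by code branching
            raise PermissionError(f"{caller} may not read {name}")
        return plaintext

    def server_side_view(self):
        """What an attacker with app-process, DB, or backup access obtains."""
        return {name: plaintext for name, (_, plaintext) in self._rows.items()}


# ---- Model 2: end-to-end encrypted vault ------------------------------------
# Toy AEAD (assumption: stand-in for AES-GCM). Keys live only on the client.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def client_encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def client_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class E2eeVault:
    def __init__(self):
        self._rows = {}  # name -> ciphertext blob; the server never sees a key

    def put(self, name, blob):
        self._rows[name] = blob

    def get(self, name, caller):
        # An authorization bug here (or none at all) hands out ciphertext only.
        return self._rows[name]

    def server_side_view(self):
        return dict(self._rows)


def compare(secret=b"prod-db-password-hunter2"):
    """Same attacker model for both: full read of the server's view, no client compromise."""
    tls_only = TlsOnlyVault()
    tls_only.put("prod/db", "alice", secret)

    client_key = secrets.token_bytes(32)  # held by alice's client, never uploaded
    e2ee = E2eeVault()
    e2ee.put("prod/db", client_encrypt(client_key, secret))

    return {
        "tls_only_leaks_plaintext": tls_only.server_side_view()["prod/db"] == secret,
        "e2ee_leaks_plaintext": secret in e2ee.server_side_view()["prod/db"],
        "e2ee_client_recovers": client_decrypt(client_key, e2ee.get("prod/db", "alice")) == secret,
    }


if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check}: {result}")
```

The point of the comparison is the threat model, not the cipher: in model 1 the branch in `get` is the only thing between an attacker and plaintext, and anything that reads around it (a mis-scoped DB account, a backup, a memory dump) wins outright; in model 2 the same failure yields blobs the server could never have opened.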