[ispivey]

I'd love to hear from some of the team who built this about differences between Keywhiz and Keyczar, which to my mind was the best-practice open-source cross-platform solution to date (i.e. if you're not relying on things like AWS Cloudformation config or Heroku config vars to "manage" secrets).

Obvious pieces to me appear to be (1) roles and auditability (2) end-user front-end (3) filesystem interface & associated ease of access for various services. But I'm not an expert!

[sul3n3t]

Keyczar is meant to solve a different problem. It’s meant to be a simple programmatic API for crypto operations, while being high-level and excluding unsafe options. NaCl (http://nacl.cr.yp.to/) has similar goals to Keyczar.

Keywhiz isn’t an interface for software to do crypto. Rather, it’s a system to manage the secrets/keys used for crypto and making them available to the services that need them. It doesn’t explicitly look at the content of secrets, unless a plugin is used.

[ispivey]

Understood! I'd looked at Keyczar in the past as a component of a system to manage secrets/keys, but I see it's actually providing about 0% of what Keywhiz does.

[amenghra]

Filesystem interface just by itself is a big difference.

Keywhiz lets you manage things like mysql or other configs which might contain things like username/passwords, passwords to unlock certificates, API keys, etc. If you don't have the resources/option to modify applications to use a specific API, the filesystem might be your only viable solution.