One of a Kind
January 21, 2019
Score 10 out of 10
Overall Satisfaction with HashiCorp Vault
We have looked into HashiCorp Vault as a solution to generate, store, and manage secrets in a container-oriented production platform. Currently, our systems rely on Vault to store TLS certificates and credentials to stateful services in our customer-facing applications. We are also using Vault to store application-level credentials for some of our products.
- Automated revocation of credentials via leases
- Provides many plugins for federated authorization through different platforms
- Dynamic credential generation
- Documentation for the API moves slower than changes in the API itself
- The database secret engine's API design isn't as elegant as it could be
- No support for revocation of all secrets under one path
- Helped us reach our security compliance goals.
- Helped us strengthen our security position in our infrastructure by improving on poor secret management practices.
I believe that HashiCorp Vault is a unique product for security engineers with a lot of features that can help automate the secret management tasks from end to end. For automation purposes, it does require a reasonable amount of backing infrastructure, so only consider that option if you can get a good ROI. Otherwise, it's a perfectly serviceable tool as a secret store, if you never need to stash credentials in plaintext somewhere, for example, if you're running an application that logs into another service on behalf of other clients and OAuth2 is not an option.