Overall Satisfaction with HashiCorp Vault
We are centralizing several pieces of configuration data for our application in a Vault cluster spread across different AWS regions. It is a solution that was initially implemented by the DevOps team to support the DevOps environment and was later rolled out to all production environments. What we used to handle with config files is now maintained in HashiCorp Vault.
- A great repository for credentials and secrets.
- Good scalability with its own clustering solution and high availability.
- Easy to install, like other HashiCorp products; it is just one executable.
- Documentation could be better.
- The multiple-key unseal process can be a problem if the need arises.
- It would make more sense if HashiCorp Vault were combined with HashiCorp Consul into a single product.
- It allowed better access control for credentials, passwords, and important keys.
- After we started using HashiCorp Vault, we were able to manage our environment 100% as code.
- SSH access control that is possible using HashiCorp Vault adds an extra level of security in environments where external remote access is required.
We spent a little more time than we expected understanding conceptually how HashiCorp Vault operates, as well as how it is configured. This is not trivial; keep in mind that you will need some time to get a thorough understanding of the tool. The documentation could be more helpful in this regard.
As with all other HashiCorp products, the effort and attention the company puts into creating a complete solution ecosystem for the DevOps universe are fully apparent. Several technical talks about the products on YouTube are presented by the company's CEO.
I had already used Encrypted Hiera (which is basically YAML files encrypted with a private-key scheme where the key is stored in plain text on the server, which is obviously not the best option). Another solution I used for this purpose was AWS KMS, but with Vault I don't get locked in to a cloud provider.
Complex environments today are delivered in an automated manner, usually based on code in a git repository. From a security standpoint, credentials, passwords, and secret keys cannot be stored in these repositories. A safe and reliable place to store this type of data is therefore required. HashiCorp Vault has proven to be an excellent choice in the environments where I have introduced it.
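What "moving config files into Vault" looks like from the application side, as an added example that is not part of the review or of HashiCorp's client libraries: the app reads a secret from the KV version 2 engine over Vault's HTTP API, taking the server address and token from the environment (the same `VAULT_ADDR` and `VAULT_TOKEN` variables the `vault` CLI reads) so that nothing secret is committed to the repository. The mount name `secret`, the path `myapp/db` and the sample response are constructed assumptions for illustration.

```python
"""Read application configuration from Vault KV v2 instead of a config file.

Added example, not HashiCorp's code. The address and token come from the
environment, never from the repository; the KV v2 envelope parsing is
exercised against a constructed sample response so it can be tested offline.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Dict


class VaultError(RuntimeError):
    """Raised for anything that prevents reading the secret."""


def kv2_url(addr: str, mount: str, path: str) -> str:
    """KV v2 inserts a literal 'data' segment between the mount and the path."""
    return f"{addr.rstrip('/')}/v1/{mount.strip('/')}/data/{path.strip('/')}"


def parse_kv2_response(body: str) -> Dict[str, str]:
    """Unwrap the KV v2 envelope {"data": {"data": {...}, "metadata": {...}}}."""
    doc = json.loads(body)
    try:
        payload = doc["data"]["data"]
        meta = doc["data"]["metadata"]
    except (KeyError, TypeError) as exc:
        raise VaultError("response is not a KV v2 secret envelope") from exc
    if not isinstance(payload, dict):
        raise VaultError("secret version has no data (deleted or destroyed)")
    if meta.get("destroyed") or meta.get("deletion_time"):
        raise VaultError("secret version is deleted or destroyed")
    return payload


def read_secret(mount: str, path: str, timeout: float = 5.0) -> Dict[str, str]:
    """Fetch one KV v2 secret; requires VAULT_ADDR and VAULT_TOKEN in the environment."""
    addr = os.environ.get("VAULT_ADDR")
    token = os.environ.get("VAULT_TOKEN")
    if not addr or not token:
        raise VaultError("VAULT_ADDR and VAULT_TOKEN must be set in the environment")
    req = urllib.request.Request(
        kv2_url(addr, mount, path), headers={"X-Vault-Token": token}
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_kv2_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # Vault answers 503 while sealed: the multi-key unseal must happen first.
        if exc.code == 503:
            raise VaultError("Vault is sealed or unavailable; unseal it first") from exc
        if exc.code == 403:
            raise VaultError("token lacks read capability on this path") from exc
        if exc.code == 404:
            raise VaultError("no secret at this path (check mount and KV version)") from exc
        raise VaultError(f"Vault returned HTTP {exc.code}") from exc


# Constructed sample of a KV v2 read response (not captured from a real server).
SAMPLE_RESPONSE = json.dumps({
    "request_id": "00000000-0000-0000-0000-000000000000",
    "data": {
        "data": {"username": "app", "password": "example-value-from-vault"},
        "metadata": {
            "created_time": "2020-01-01T00:00:00Z",
            "deletion_time": "",
            "destroyed": False,
            "version": 2,
        },
    },
})


if __name__ == "__main__":
    print(kv2_url("https://vault.example.com:8200", "secret", "myapp/db"))
    print(sorted(parse_kv2_response(SAMPLE_RESPONSE)))  # keys only; never log values
```

The policy that lets the token read this one path is what turns "secrets in a repo" into "access control on credentials": a token scoped to `secret/data/myapp/*` gets a 403 on everything else, which the client surfaces as a distinct error instead of a generic failure.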