Keeping Your Secrets a Secret with HashiCorp Vault
August 11, 2019
Keeping Your Secrets a Secret with HashiCorp Vault
Score 10 out of 10
Vetted Review
Verified User
Overall Satisfaction with HashiCorp Vault
HashiCorp Vault is our go-to for secrets management in our cloud implementation. Having used many other HashiCorp products, it was easy enough for us to translate that into the use of Vault. We also use it in a limited capacity with Chef, used in conjunction with encrypted data bags. HashiCorp Vault has allowed us to securely use secrets across applications without the need to expose those secrets. It has also made it easier to implement sane key rotation and achieve automation.
Pros
- HashiCorp Vault manages secrets extremely well.
- It works well as a cloud-agnostic or multi-cloud solution.
- HashiCorp Vault works extremely well with other HashiCorp products.
- Vault integrates with other systems very well because everything is API driven.
Cons
- It doesn't have an interface. This isn't entirely bad because of the purpose it serves, but it does make the barrier to entry a little difficult.
- Unlike many other HashiCorp products, the documentation feels like it leaves some steps out. Step by step documentation lowers the barriers to entry a little bit, and going through even the installation documentation and setup leaves a little bit of the caveats out.
- It needs a fair bit of supporting infrastructure. You cannot just have a Vault instance. Having a HashiCorp Vault instance means also having a consul cluster for the backend.
As mentioned before, HashiCorp Vault really is the best in its class. Having used other secrets management tools, HashiCorp has really made Vault the easiest to use in a cross-compatibility function, in a multi-cloud/hybrid environment, and in multiple fashions. Many other tools simply solve a single problem (like encrypted data bags within Chef) but do not help with cross-application compatibility. Using HashiCorp Vault, it's easy to integrate everything through it so you do not have any secrets being exposed. It also gives you a single standardized process so there isn't much guesswork. That alone can aid in making your environment more secure.
Using HashiCorp Vault
Users are all technical, spanning both development and operations teams. Because we're using HashiCorp Vault as a defacto standard for secrets management, it has been critical ensuring everyone that is in a technical role is up to speed on how to use this tool.
Each team that uses HashiCorp manages their own instance, with a centralized instance being supported as well for cross-team secrets. That requires all teams that are using secrets to have the knowledge and understand of how to administer the tool. As we ensure everything is automated, that has made maintenance of Vault instances much easier, but everyone still needs to know how to do it. In order to administer this tool, in particular, you have to understand how not only Vault works, but how Consul works as well because ultimately you will be maintaining a Consul cluster if you follow HashiCorp's supported set up and recommendations.
- Secrets Mangement
- Key Rotation
- Security
Comments
Please log in to join the conversation