
Secrets Management System

Current Setup: Credstash

- Uses AWS
- Supports versioning
- Integrates with tools like Ansible
- Dependent on IAM policies on AWS

Things needed from a management perspective

● Audit
● Leasing and renewal
● Developer friendly
● DevOps friendly
● Role based
● External Connectivity - Authentication
● On-Prem
● Support
● Policies
● Dynamic Secrets
● Scalable and High availability
Vault (Hashicorp)

- Secure K/V Store
- Cubbyholes where only the token bearer can access the data. Not even
  system/Vault administrators can access them.
- Dynamic secrets. Vault will create accounts and credentials for you in
  databases and cloud IAMs. You can also tie these to highly configurable
  leases and access policies. (E.g. want to grant someone read-only access to
  your Cloudwatch for 10 minutes and have those keys automatically removed
  from the system.)
- PKI engine to do one click/API call certificate generation. Also with highly
  configurable TTLs.
- SSH CA authority. Similar to PKI but for signing SSH certs. Of course, with
  highly configurable TTLs. Want to let someone log on to a set of servers for
  5 minutes without managing their keys on the servers?
- Encryption as a Service/Transit. Encrypt all payloads for your applications
  via simple API calls. Includes versioning and encryption rollover methods.
  Great for encrypting at-rest data in any storage backend (database, block
  store, disk, etc.).
- Cross region/Cross Cloud/Cross Datacenter replication.
- Mount Filters to restrict data that should not be transferred across
  clusters. Great for GDPR use cases.
- Control Groups to only allow access to secrets after N approvals have been
  met.
- Sentinel Policy as Code for highly configurable access rules based on
  metadata (e.g. only allow access to a set of secrets from 10AM-6PM if
  requests come from 192.168.42.0/24).
- All major authentication methods and optional MFA.
- Pluggable architecture.
- Instant synergies with Terraform, Nomad and Consul.
- Cloud agnostic. You can run it anywhere: laptop, on-prem datacenter, AWS,
  Azure, GCP, Alibaba, etc.
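The Cloudwatch scenario from the dynamic-secrets bullet above, as an added example that is not part of the original slides: Vault's AWS secrets engine is configured with a 10-minute lease, a read-only CloudWatch role is defined, one credential is issued and then revoked early. It assumes VAULT_ADDR/VAULT_TOKEN point at a Vault you may configure, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY hold the root credentials Vault uses to create IAM users, and jq is installed; the role name "cloudwatch-ro" is our own choice.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): mint read-only CloudWatch credentials
# from Vault's AWS secrets engine on a 10-minute lease, then revoke them early.
# Assumes VAULT_ADDR/VAULT_TOKEN, AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY and
# jq on PATH; the role name "cloudwatch-ro" is our own choice.
set -euo pipefail
# IAM policy Vault attaches to every IAM user it generates for the role.
cloudwatch_ro_policy() {
  cat <<'EOF'
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
  "Action": ["cloudwatch:Describe*", "cloudwatch:Get*", "cloudwatch:List*"]}]}
EOF
}
# Vault duration string (600s, 10m, 2h, or bare seconds) -> seconds, so the
# script can verify the lease Vault granted is no longer than the one requested.
duration_seconds() {
  local d=$1 n=${1%?}
  case $d in
    *s) echo "$n" ;;
    *m) echo $((n * 60)) ;;
    *h) echo $((n * 3600)) ;;
    *)  echo "$d" ;;
  esac
}

configure_aws_engine() {
  vault secrets enable -path=aws aws 2>/dev/null || true   # already enabled is fine
  vault write aws/config/root access_key="$AWS_ACCESS_KEY_ID" \
    secret_key="$AWS_SECRET_ACCESS_KEY" region="${AWS_REGION:-us-east-1}"
  vault write aws/config/lease lease=10m lease_max=10m       # default and hard cap
  cloudwatch_ro_policy | vault write aws/roles/cloudwatch-ro \
    credential_type=iam_user policy_document=-
}

issue_then_revoke() {
  # Each read creates a fresh IAM user; lease_id is the handle for renewal or
  # early revocation, and Vault deletes the user itself when the lease expires.
  local creds lease_id granted
  creds=$(vault read -format=json aws/creds/cloudwatch-ro)
  lease_id=$(printf '%s' "$creds" | jq -r .lease_id)
  granted=$(printf '%s' "$creds" | jq -r .lease_duration)
  [ "$granted" -le "$(duration_seconds 10m)" ] || { echo "lease exceeds 10m" >&2; return 1; }
  vault lease revoke "$lease_id"   # remove the IAM user now instead of at expiry
}

# Only talk to Vault when one is configured; the helpers above work offline.
if command -v vault >/dev/null 2>&1 && [ -n "${VAULT_ADDR:-}" ]; then
  configure_aws_engine && issue_then_revoke
fi
```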
High Level Spec    Hashicorp Vault    Credstash    Cyberark Conjur

Auditable: Y Y
Leasing and renewal: Y
Developer friendly (to be able to use a web/mobile application that requires secrets): Y Y
DevOps friendly (to be able to integrate in CI/CD pipelines): Y Y
RBAC based access control: Y Y
External Connectivity - Authentication: Y (LDAP)
Be able to run On-Prem: Y Y Y
Enterprise Support (inc. technical support): Y
Policies: Y Y
Dynamic Secrets: Y Y
Scalable and High availability: Depends on the deployment / Y
Secrets Versioning support: Y Y
AWS integration: Y Y
GCP integration: Y Y
Azure integration: Y Y

Other
Cyberark - conjur

https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd
