
Secrets and LIE-Abilities: The State of Modern Secret Management (2017) - zerotolerance
https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d
======
tonyhb
tl;dr: author looks at secret management services and reviews them

KeyWhiz: Provides everything you need but with complex PKI management, meaning
setup and maintenance are a pain. Secure.

Vault: A+ would test again. Awesome rotation policies, on-demand secret
generation via backends, master key sharing. Legit and secure, everything you
need, but it has to be configured on top of your cluster.

Docker: Super easy to use, and it's built in. 10/10 would use again. Keys
encrypted at rest, keys encrypted over the wire, and shared only with the nodes
that need them. Secure all round.

Kube: Totally insecure. Plaintext at rest, plaintext over the network, shared
everywhere. Basically a plaintext POC.
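
The "master key sharing" mentioned for Vault above is Shamir secret sharing: Vault's unseal process splits the master key into N key shares of which any T reconstruct it (5 shares with a threshold of 3 by default), and the arithmetic is done byte by byte over GF(2^8). The block below is an added example showing that construction; it is not code from the article, from this thread, or from Vault itself. Assumptions of my own: the AES reduction polynomial 0x11b is used for GF(2^8) (any irreducible degree-8 polynomial would do), and a share is represented as an (x, bytes) pair with x in 1..255.

```python
"""Shamir secret sharing over GF(2^8), split byte by byte.

Added example, not code from the article or from Vault. Vault's unseal splits
its master key into N shares of which any T reconstruct it (default 5/3); this
shows the arithmetic behind that. Assumptions: the AES reduction polynomial
0x11b is used for GF(2^8) (any irreducible degree-8 polynomial works), and a
share is an (x, bytes) pair with x in 1..255.
"""
import secrets
from typing import Callable, List, Tuple

Share = Tuple[int, bytes]


def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) by shift-and-add, reducing by 0x11b."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse: a^254 == a^-1 because the group has order 255."""
    if a == 0:
        raise ZeroDivisionError("0 has no inverse in GF(2^8)")
    result, base, exp = 1, a, 254
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of c0 + c1*x + ... over GF(2^8); c0 is the secret byte."""
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc


def split(master_key: bytes, n: int, k: int,
          rng: Callable[[int], bytes] = secrets.token_bytes) -> List[Share]:
    """Split master_key into n shares; any k of them reconstruct it.

    Each byte gets its own random polynomial of degree k-1 whose constant
    term is that byte; share i is that polynomial evaluated at x = i + 1.
    """
    if not 1 <= k <= n <= 255:
        raise ValueError("need 1 <= k <= n <= 255")
    shares = [bytearray() for _ in range(n)]
    for byte in master_key:
        coeffs = [byte] + list(rng(k - 1))
        for i in range(n):
            shares[i].append(eval_poly(coeffs, i + 1))
    return [(i + 1, bytes(s)) for i, s in enumerate(shares)]


def combine(shares: List[Share]) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0.

    With fewer than k shares this still returns bytes, but they are the
    constant term of the wrong polynomial: the holder learns nothing about
    the master key, which is the point of the threshold.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    if len({len(y) for _, y in shares}) != 1:
        raise ValueError("shares have different lengths")
    out = bytearray()
    for pos in range(len(shares[0][1])):
        val = 0
        for j, (xj, yj) in enumerate(shares):
            num, den = 1, 1
            for m, (xm, _) in enumerate(shares):
                if m != j:
                    num = gf_mul(num, xm)        # (0 - xm) == xm in characteristic 2
                    den = gf_mul(den, xj ^ xm)   # (xj - xm)
            val ^= gf_mul(yj[pos], gf_mul(num, gf_inv(den)))
        out.append(val)
    return bytes(out)


if __name__ == "__main__":
    key = secrets.token_bytes(32)              # stand-in for an unseal master key
    shares = split(key, n=5, k=3)              # Vault's default 5 shares / threshold 3
    assert combine(shares[:3]) == key
    assert combine([shares[0], shares[2], shares[4]]) == key
    assert combine(shares[:2]) != key          # below threshold: garbage out
    print("3-of-5 reconstruction OK")
```

The operational consequence is the one Vault relies on: any 3 of the 5 operators can unseal, losing up to 2 shares is survivable, and 2 colluding operators get nothing more than random bytes from `combine`.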

------
raesene9
Really interesting article; secrets management is one of those areas that's
still developing in the container orchestration space, so it's good to see some
comparison of the options.

The key one to watch for is down at the end, though: be careful with what
Kubernetes calls "secrets"!

------
nitrogen
For readers looking to comments to decide whether to click through, this is
about secret management (passwords, private keys, API tokens) in web/app
development, as opposed to other types of secrets.

