
Vault 1.3 - el_duderino
https://www.hashicorp.com/blog/vault-1-3/
======
LilBytes
For those that moved to or from Vault, care to share your experiences?

I'm using a fairly niche/small product to manage secrets at the moment but
we're hitting scaling and response time problems for a globally distributed
team.

We're already using AWS so we're tossing up using Secrets Manager instead and
changing our tooling accordingly, but after starting down the path of using
some of HashiCorp's other products I'm wondering how Vault will go too.

~~~
mitchellh
I'll give my biased response, but I hope you can see I'm trying to be fair and
honest too. Note I'm one of the founders of HashiCorp and original creators of
Vault.

If your challenge is just storing static secrets (think key/value), Vault is
probably overkill for you today. Secrets Manager will work fine, or even a
smaller KMS-based solution or something. We're working on making Vault a LOT
easier to get started with so this probably won't be true for long, but it's
probably true today. But it is important to understand the tradeoffs of making
these decisions.

The value of Vault is in the fact that it does so much more: dynamic secrets,
automatic rotation, certificate management, encryption-as-a-service, etc. And
that it integrates with so many systems: log in with AWS IAM, or K8S service
principals, or OIDC (Google, GitHub, etc.). And it has a single policy and
auditing system to back all this.

Usually Vault becomes VERY beneficial when you're juggling multiple "secret-
like" solutions: diff password solution from key management from PKI etc etc
OR you want to adopt more modern practices like dynamic credentials OR you
want a way to centrally govern secret-like things.

Vault literally scales from solving the needs of a small team (static KV) to
being used by some of the Fortune 10 to back their entire corporate secret,
PKI, encryption, signing requirements in a centralized way. I think that's
kind of neat.

~~~
weitzj
Vault is phenomenal. Do you know by chance whether Vault has a pkcs11 Plug-in?
So one can offload certain crypto operations into an HSM? (apart from the
masterkey)

i.e. I would like to use the PKI from vault but the key of the CA has to live
in an HSM.

~~~
Daegalus
We use Vault Enterprise at my company, and I do a lot of the
deployment/administration of Vault. The enterprise version supports PKCS11 and
external HSM:
[https://www.vaultproject.io/docs/configuration/seal/pkcs11.h...](https://www.vaultproject.io/docs/configuration/seal/pkcs11.html)
and [https://www.vaultproject.io/docs/configuration/entropy-augme...](https://www.vaultproject.io/docs/configuration/entropy-augmentation/index.html)
for reference.

[https://learn.hashicorp.com/vault/operations/ops-seal-wrap](https://learn.hashicorp.com/vault/operations/ops-seal-wrap)
is a guide linked at the bottom
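
An added example (not part of the thread, and not copied from the HashiCorp
docs linked above) of what the two configuration pieces Daegalus points at
look like together: a Vault Enterprise server config with a PKCS#11 seal for
HSM-backed auto-unseal and seal wrapping, plus entropy augmentation sourced
from the same HSM. The library path, slot, PIN, key labels, TLS paths and
storage path are placeholders chosen for illustration, not values from the
page.

```hcl
# Added example: Vault Enterprise server config using an HSM through PKCS#11.
# All paths, the slot id, the PIN and the key labels are placeholders.

listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"   # placeholder
  tls_key_file  = "/etc/vault/tls/vault.key"   # placeholder
}

storage "file" {
  path = "/var/lib/vault/data"                 # placeholder
}

# PKCS#11 seal: the key that protects Vault's master key lives in the HSM, so
# Vault auto-unseals through the HSM instead of Shamir key shares. With seal
# wrapping enabled on a mount, values stored in that mount are additionally
# encrypted with this HSM-resident key before being written to storage.
seal "pkcs11" {
  lib            = "/usr/lib/libCryptoki2_64.so"   # placeholder: vendor PKCS#11 library
  slot           = "0"                             # placeholder slot id
  pin            = "1234"                          # placeholder; VAULT_HSM_PIN env var avoids putting it on disk
  key_label      = "vault-hsm-key"                 # placeholder label of the wrapping key
  hmac_key_label = "vault-hsm-hmac-key"            # placeholder label of the HMAC key
  generate_key   = "true"                          # create the keys on first start if they do not exist
}

# Entropy augmentation: mix randomness from the HSM's RNG (reached through the
# seal above) into Vault's random source.
entropy "seal" {
  mode = "augmentation"
}
```

Seal wrapping is switched on per mount, not globally; for a PKI mount that is
`vault secrets enable -path=pki -seal-wrap pki` (an existing mount's
`seal_wrap` setting can be checked with `vault read sys/mounts`). Note what
this does and does not give you: the HSM holds the wrapping key and never
releases it, but the CA private key created inside the PKI mount is still
unwrapped into Vault's process memory and signing is performed there in
software, so the HSM's FIPS level covers key storage at rest rather than the
signing operation itself.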

~~~
weitzj
Thanks. So to fully understand this - if I use seal wrapping with an HSM all
secrets in Vault will be wrapped by the HSM and not only the
masterkey/autounseal?

And even though the rest is then in software (Vault) I still have the same
FIPS level as the HSM?

------
chucky_z
Yay! I really like Vault a lot after using it all over the place. It solves a
huge amount of problems in a really elegant way.

For anyone heavily using long-lived ACL tokens you will absolutely want to
upgrade; there's a really, really nasty bug that was fixed in this release.

------
Axsuul
Wish there was support for Docker Swarm!

~~~
moomin
After yesterday’s news, I think it’s probably time to accept swarm has no
future.

~~~
Axsuul
Why do you say that? :(

~~~
moomin
Well, who’s going to develop it? Most of the revenue from it now goes to
Mirantis, but until yesterday they were a Kubernetes-only shop.

No judgement on its technical merits, frankly I don’t know it that well, but
there doesn’t seem to be anyone incentivised to develop it any more.

(Here’s El Reg’s take:
[https://www.theregister.co.uk/2019/11/13/docker_enterprise_m...](https://www.theregister.co.uk/2019/11/13/docker_enterprise_miranits/))

