Vault 1.3 (hashicorp.com)
69 points by el_duderino 21 days ago | 18 comments

For those that moved to or from Vault, care to share your experiences?

I'm using a fairly niche/small product to manage secrets at the moment but we're hitting scaling and response time problems for a globally distributed team.

We're already using AWS so we're tossing up using Secrets Manager instead and changing our tooling accordingly, but after starting down the path of using some of HashiCorp's other products I'm wondering how Vault will go too.

I'll give my biased response, but I hope you can see I'm trying to be fair and honest too. Note I'm one of the founders of HashiCorp and original creators of Vault.

If your challenge is just storing static secrets (think key/value), Vault is probably overkill for you today. Secrets Manager will work fine, or even a smaller KMS-based solution or something. We're working on making Vault a LOT easier to get started with so this probably won't be true for long, but it's probably true today. But it is important to understand the tradeoffs of making these decisions.

The value of Vault is in the fact that it does so much more: dynamic secrets, automatic rotation, certificate management, encryption-as-a-service, etc. And that it integrates with so many systems: log in with AWS IAM, or K8S service principals, or OIDC (Google, GitHub, etc.). And it has a single policy and auditing system to back all this.

Usually Vault becomes VERY beneficial when you're juggling multiple "secret-like" solutions: diff password solution from key management from PKI etc etc OR you want to adopt more modern practices like dynamic credentials OR you want a way to centrally govern secret-like things.

Vault literally scales from solving the needs of a small team (static KV) to being used by some of the Fortune 10 to back their entire corporate secret, PKI, encryption, signing requirements in a centralized way. I think that's kind of neat.

Great description, thank you. My main question is: I use https://github.com/shyiko/kubesec (a fancy sops) for k8s and store my database password, Stripe credentials, etc. in there.

Other than that, I have my GCP account credentials (in 1Password) and my terraform state in... terraform.

Is this a use case for Vault to consolidate? I guess I can't see how I would "outgrow" the above setup.

Thanks for all the great Hashicorp products! Terraform is incredible.

This may be interesting for you - a Vault Terraform provider using envelope encryption to get secrets from Terraform into Vault.

Vault is phenomenal. Do you know by chance whether Vault has a PKCS#11 plug-in? So one can offload certain crypto operations into an HSM? (apart from the masterkey)

i.e. I would like to use the PKI from vault but the key of the CA has to live in an HSM.

We use Vault Enterprise at my company, and I do a lot of the deployment/administration of Vault. The enterprise version supports PKCS#11 and external HSMs: https://www.vaultproject.io/docs/configuration/seal/pkcs11.h... and https://www.vaultproject.io/docs/configuration/entropy-augme... for reference.

https://learn.hashicorp.com/vault/operations/ops-seal-wrap is a guide linked at the bottom.
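For readers following the two links above, this is what the PKCS#11 seal stanza and a seal-wrapped mount look like side by side. It is an added illustration, not the commenter's configuration; the library path, slot, PIN and key labels are placeholders.

```hcl
# vault.hcl (server config), added illustration with placeholder values.
# The seal stanza hands the key that wraps Vault's master key to the HSM
# (auto-unseal). On its own it protects the master key, nothing else.
seal "pkcs11" {
  lib            = "/usr/lib/libCryptoki2_64.so"   # placeholder: vendor PKCS#11 library
  slot           = "0"                              # placeholder slot
  pin            = "PLACEHOLDER-PIN"                # prefer the VAULT_HSM_PIN env var over a file
  key_label      = "vault-unseal-key"               # placeholder label
  hmac_key_label = "vault-unseal-hmac-key"          # placeholder label
  generate_key   = "true"                           # create the keys on first start if absent
}

# Seal wrap is enabled per mount, not globally (Enterprise):
#   vault secrets enable -seal-wrap -path=pki-int pki
# Entries in a seal-wrapped mount are encrypted by the HSM key in addition to
# Vault's barrier key, so they are unreadable at rest without the HSM.
# Note what this does not do: the PKI engine still performs signing inside the
# Vault process, so seal wrap protects the CA key at rest but does not make
# the HSM perform the signing operation itself.
```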

Thanks. So to fully understand this - if I use seal wrapping with an HSM all secrets in Vault will be wrapped by the HSM and not only the masterkey/autounseal?

And even though the rest is then in software (Vault) I still have the same FIPS level as the HSM?

Would a trade-off be having an intermediary for your CA that Vault controls the key for? That seems to be the common configuration I've seen at least.

This is the configuration I would prefer as well. But for my question I already had an intermediate CA in mind and where to store its key. The root CA is offline.

I'm starting to use it as an encryption-as-a-service. Nice and good to add layers of complexity and have to avoid stuff that generally people ignore (algorithms, rotation, master keys etc.); documentation is scattered around and not always to the point, but with a bit of time you get what is needed. Still fighting with setting up wrap/unwrapping roles and tokens. In the end it's a tool and you have to build stuff around it. Anyway, so far so good. If you have to encrypt/decrypt things I would suggest you give it a try.
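A least-privilege split for the encryption-as-a-service setup described above, as an added illustration rather than the commenter's own policies; the key name app-data and the policy names are assumed.

```hcl
# Added illustration: two Vault ACL policies for one transit key, one per role.
# Each file is loaded with `vault policy write <name> <file>`.

# --- file: app-encrypt-only.hcl ---
# The service that ingests data can only turn plaintext into ciphertext.
path "transit/encrypt/app-data" {
  capabilities = ["update"]
}

# --- file: app-decrypt-only.hcl ---
# Only the consumer that must read the data gets the decrypt path.
path "transit/decrypt/app-data" {
  capabilities = ["update"]
}

# Neither policy touches transit/keys/app-data (config, rotation) or
# transit/export/*, so a compromised app token cannot rotate, reconfigure
# or exfiltrate the key; those paths stay in the operators' policy.
# Rotation is then an operator action:
#   vault write -f transit/keys/app-data/rotate
# Existing ciphertext keeps decrypting because it carries its key version
# (vault:v1:..., vault:v2:...); raise min_decryption_version on the key's
# config once old ciphertext has been re-wrapped via transit/rewrap/app-data.
```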

Secrets manager is fine if you just have plain text secrets that you are happy to rotate yourself.

Vault shines when you want more dynamic secrets - issuing IAM creds from other forms of auth, issuing dynamic SQL DB users, even issuing TLS certificates.

Edit: damn, ninja'd

If you’re using Nomad then the integration towards Vault is quite good.

Even if you don’t require any of the more complex features (auto-rotation, transit encryption/signing etc) it gives you the option to build a roadmap towards getting there.

Vault is a phenomenal tool, full stop.

Yay! I really like Vault a lot after using it all over the place. It solves a huge amount of problems in a really elegant way.

For anyone heavily using long-lived ACL tokens you will absolutely want to upgrade; there's a really, really nasty bug that was fixed in this release.

Wish there was support for Docker Swarm!

After yesterday’s news, I think it’s probably time to accept swarm has no future.

Why do you say that? :(

Well, who’s going to develop it? Most of the revenue from it now goes to Mirantis, but until yesterday they were a Kubernetes-only shop.

No judgement on its technical merits, frankly I don’t know it that well, but there doesn’t seem to be anyone incentivised to develop it any more.

(Here’s El Reg’s take: https://www.theregister.co.uk/2019/11/13/docker_enterprise_m...)
