Why would someone use this over Vault or SOPS? Your (somewhat condescending) "stuck using FTP instead of Dropbox" is a very poor characterization. I think you've entered into a very busy space without bringing anything new to the table.
I can see why you might think that at first glance, but I'd encourage you to try out Doppler. No secrets manager offers the flexibility and incredible ease of use that we do. I'm not going to dive into a feature list, because a lot of that is table stakes, but what really sets us apart is our philosophy. We have the explicit goal of making our customers not only more secure but also more productive. Find me a Vault customer that would describe their install as helping them move faster!
I think I would focus a bit more on answering why this philosophy makes your product better than the proven secrets managers out there. I’m looking at products and comparing you against the established enterprise-proven players. What really sets you apart from a product / use case standpoint?
Vault is definitely much more of a beast, but it also does a lot more, such as dynamic credentials. For just storing static secret/env vars this seems like a simpler solution.
Great point about dynamic secrets. This is an area we currently don't address, but it is definitely on our roadmap. There is a segment of the market for which dynamic secrets are an absolute requirement and we fully acknowledge that.
At our company, we use Vault to generate and cycle short-lived database credentials and TLS certs. Our RPC services use the certs to encrypt their traffic amongst each other, and also to enforce RBAC (since the certs are traceable, via Vault, to a service or individual's identity).
"Dynamic" secrets imply that rotation is automated and frequent, and that there are no "blessed" certs, but rather that all certs/keys are generated in exchange for a successful identity assertion.
For example, if I can prove that I am LDAP user gen220, who belongs to group db-x-developer, I have earned the right to request a credential for connecting to db-x, which expires some arbitrary time before my identity-assertion expires.
A simple example that we use them for is dynamic database credentials. So you no longer define a static username/password. You request the access/credentials from Vault as you need them.
IIRC, Vault has plugins with GRANT access to your database, and rotates your passwords automatically. So it is able to create new users when access is requested, and to rotate passwords if needed.
With this setup, Vault will create a new database user based on the configuration you set (read-only for some services, for example), and will attach a time-to-live to those credentials; as long as the application is using them, it will renew the TTL. When an application is killed, or scaling happens, etc., and the application instance isn't using those specific credentials, Vault will clean up and remove the unused account cleanly.
Can do all sorts of great things with this; for example TLS (SSL) certificate renewals, etc., as the certificate expiry IS the TTL; when a certificate needs to be renewed it can happen automatically and your application can receive any signal you choose (SIGHUP, for example).
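As an added illustration (not part of the thread, and not Vault's code or API), this toy Python model walks the lease lifecycle the comments above describe: a credential issued against a group-checked identity, renewed while in use, and its database account removed once renewals stop. The class and method names, the TTL values and the choice to cap the credential at the identity's expiry are assumptions.

```python
"""Toy model of a dynamic-credential lease lifecycle (constructed example)."""
import secrets
from dataclasses import dataclass


@dataclass
class Lease:
    username: str
    password: str
    expires_at: float   # when the credential stops being valid
    hard_limit: float   # renewals can never push expiry past this


class LeaseBroker:
    """Issues short-lived DB users in exchange for a valid identity assertion."""

    def __init__(self, role_groups, ttl=300, max_ttl=3600):
        self.role_groups = role_groups   # role -> group allowed to request it
        self.ttl, self.max_ttl = ttl, max_ttl
        self.leases = {}                 # lease_id -> Lease
        self.db_users = set()            # stand-in for accounts in the database

    def issue(self, role, groups, identity_expires_at, now):
        if self.role_groups.get(role) not in groups or identity_expires_at <= now:
            raise PermissionError("identity assertion does not grant this role")
        # The credential must never outlive the identity it was issued against.
        hard_limit = min(now + self.max_ttl, identity_expires_at)
        lease_id = secrets.token_hex(8)
        user = f"v-{role}-{lease_id}"
        self.leases[lease_id] = Lease(user, secrets.token_urlsafe(24),
                                      min(now + self.ttl, hard_limit), hard_limit)
        self.db_users.add(user)          # real system: CREATE USER ... GRANT ...
        return lease_id

    def renew(self, lease_id, now):
        lease = self.leases.get(lease_id)
        if lease is None or lease.expires_at <= now:
            raise KeyError("lease expired or revoked; request a new credential")
        lease.expires_at = min(now + self.ttl, lease.hard_limit)
        return lease.expires_at

    def reap(self, now):
        """Drop accounts whose lease was not renewed (instance killed, scaled down)."""
        dead = [lid for lid, ls in self.leases.items() if ls.expires_at <= now]
        for lid in dead:
            self.db_users.discard(self.leases.pop(lid).username)  # real: DROP USER
        return len(dead)
```

An application instance would call `renew` on a timer while it runs; anything that stops calling it is cleaned up by the next `reap`.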
I guess dynamic secrets are too "ftp" for Doppler, eh?
You lost the entire audience who have actually used Vault before when you claimed it was too complex for your team to understand. Why would I trust a company staffed with a crew that can't even understand the tools they are trying to compete with?