Behind the Vault: Secret Management Choices

25 September 2023 - by Jack

Protecting sensitive information has become a top priority in today’s digital landscape. Secret management software offers tools to help avoid plain text secrets and unencrypted storage of secrets. With the increased adoption of DevOps principles and CI/CD, it plays a vital role in safeguarding confidential data, such as passwords, API keys, tokens, and certificates during automation tasks.

What is a secret?

A piece of sensitive digital information: a password, API key or any other credential that is used to access confidential data or systems.

Secret management software also provides a framework for handling Role Based Access Control (RBAC) of your secrets, making adopting security principles such as the Principle of Least Privilege (PoLP) more easily achievable.

Problems Secret Management Software Needs to Solve

Plain text secrets in code and scripts

Using plain text passwords in code and scripts is a fundamentally insecure practice with significant risks. First and foremost, it exposes sensitive authentication information, such as usernames and passwords, directly within the source code or scripts, making them easily accessible to anyone with access to the codebase. This lack of encryption or obfuscation means that even minor security breaches, like unauthorised access to the code repository, can lead to a full-scale data breach.

Securing Secret Storage

Storing all your secrets in one place can itself be a risk. However, encrypted secret storage ensures that a compromise of your secret database does not, by itself, result in your secrets being accessed. For example, if someone could get a copy of the database containing your secrets, so long as it is encrypted, it cannot be read without the correct encryption keys to unlock it.

Password Rotation

Keeping static passwords can increase the likelihood and impact of password compromises. As such, security policies regularly include a requirement to rotate passwords at set intervals. Rotating passwords makes it more difficult for attackers to gain prolonged access to systems, as even if one password is compromised, it becomes obsolete after a set period.

Role Based Access Control (RBAC)

Managing secrets by manually assigning them to users can quickly become unmanageable, so it is vital that tools be available to make this easier. RBAC is as simple as it sounds; it’s a methodology of assigning access based on the individual roles of people and groups within an organisation. This methodology is tied closely with the distribution of secrets as they aren’t to be shared with everybody by their very nature.
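To make the RBAC and least-privilege point concrete, here is an added example policy written for HashiCorp Vault (the tool this post goes on to choose), not Pipe Ten's own configuration. It assumes a KV v2 secrets engine mounted at "secret" holding a secret at secret/prod/db; the path and policy scope are illustrative.

```hcl
# Added example Vault policy (not Pipe Ten's). Assumes a KV v2 engine
# mounted at "secret" and a secret stored at secret/prod/db.
# Vault is deny-by-default: any path not listed here is refused, so the
# role bound to this policy can read exactly one secret and nothing else.

# KV v2 stores values under a data/ prefix; reading this path returns
# the secret contents (the latest version unless ?version= is supplied).
path "secret/data/prod/db" {
  capabilities = ["read"]
}

# Version history and the current_version pointer live under metadata/.
# Read/list here lets the role confirm a rotation happened without
# being able to write, destroy or delete anything.
path "secret/metadata/prod/db" {
  capabilities = ["read", "list"]
}
```

The policy is loaded with `vault policy write <name> <file>` and then attached to an auth role or identity group rather than to individual users, which is what keeps the assignment manageable as people change roles.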

HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, Google Cloud Secret Manager and other secret management platforms.

Secret Management Software Options

As we know it today, secret management software is a relatively new development in the grand scheme of things. It was not until the 2010s that we would see the current big hitters:

  • Azure Key Vault – Microsoft’s secret management offering. Deployed as a simple Azure service, Key Vault uses Microsoft Entra ID (formerly Azure AD) to manage access and permissions. Seamlessly integrates with Azure.
  • AWS Secrets Manager – Amazon’s entry is an AWS-managed service that uses AWS’s robust Identity and Access Management (IAM) policies for managing access and permissions. Seamlessly integrates with AWS.
  • Google Cloud Secret Manager – The latest release of our selected options, Google Cloud Secret Manager, is another managed service using the IAM policy system. Seamlessly integrates with (you guessed it!) Google Cloud.
  • HashiCorp Vault – HashiCorp’s ‘Vault’ features directly integrate with other HashiCorp products and other critical requirements for running modern DevOps processes. A truly open-source version of Vault is no longer available; you need to check the license terms or read further below.
  • CyberArk Conjur – Conjur was the earliest of our listed options to be introduced, with plenty of modern integrations and an open-source version.
  • Infisical SecretOps – An open-source option with commercial add-ons available.

The demands of modern DevOps workflows necessitate more than just encrypting passwords; there are other vital considerations. This leads us nicely to why we chose HashiCorp Vault.


Why we chose HashiCorp Vault

As a hosting provider, call us old-fashioned, but if given the option, we like to host things ourselves. This makes Vault a perfect candidate as it offers both hosted and self-hosting options with a simple and easy-to-maintain deployment.

In addition to this, Vault ticks all the critical boxes for our DevOps requirement while being independent of any Public Cloud provider. This avoids over-indexing into a single Cloud provider, something we avoid to keep our options open to support as many solutions as possible.

Finally, the main factor that led us to HashiCorp Vault was its direct integration with Terraform and Packer, both of which are HashiCorp tools that we use in our workflows. Using Vault, we hedge our bets on future compatibility with these IaC (Infrastructure as Code) tools.
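The Terraform integration mentioned above is also the practical fix for the plain text secrets problem described earlier. The following is an added example, not Pipe Ten's configuration: it shows a hard-coded credential next to the same resource reading its password from Vault through the Terraform Vault provider. It assumes a KV v2 engine mounted at "secret" with a secret named "prod/db" containing a "password" key, VAULT_ADDR and VAULT_TOKEN set in the environment, and the petoju/mysql provider as an example consumer of the value.

```hcl
# Added example (not Pipe Ten's configuration). Assumes a Vault KV v2 engine
# mounted at "secret", a secret "prod/db" with a "password" key, and
# VAULT_ADDR / VAULT_TOKEN exported in the environment.

# Anti-pattern: the credential is committed to source control in plain text,
# readable by anyone with access to the repository or its history.
# resource "mysql_user" "app" {
#   user               = "app"
#   host               = "%"
#   plaintext_password = "S3cretPassw0rd"
# }

terraform {
  required_providers {
    vault = { source = "hashicorp/vault" }
    mysql = { source = "petoju/mysql" }   # example consumer of the secret
  }
}

# The provider picks up VAULT_ADDR and VAULT_TOKEN from the environment,
# so no Vault credential needs to be committed either.
provider "vault" {}

# Read the current version of secret/prod/db at plan/apply time.
data "vault_kv_secret_v2" "db" {
  mount = "secret"
  name  = "prod/db"
}

# The password never appears in the .tf files; Terraform treats the data
# source's "data" map as sensitive and redacts it from plan output.
resource "mysql_user" "app" {
  user               = "app"
  host               = "%"
  plaintext_password = data.vault_kv_secret_v2.db.data["password"]
}
```

One caveat: Terraform records data source results, this secret included, in its state file, so the state backend itself must be encrypted and access-restricted just like the secret store.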

HashiCorp Vault Licensing

In August 2023 (a year after we made our choice) HashiCorp changed its license from the MPL to the BSL:

The Licensor hereby grants you the right to copy, modify, create derivative works, redistribute, and make non-production use of the Licensed Work. The Licensor may make an Additional Use Grant, above, permitting limited production use.

You may make production use of the licensed work, provided such use does not include offering the licensed work to third parties on a hosted or embedded basis which is competitive with HashiCorp’s products.

Business Source License 1.1

These controversial changes, which are well discussed in the news and community, might, depending on your intended use and your feelings on true OSS, lead to a different choice.

Conclusion

Picking the right software comes down to what is most essential for you. In many cases, companies that predominantly work with one Public Cloud Provider will be best served using their provider’s offering.

At Pipe Ten, we are platform agnostic and support many solutions, including Public Cloud, Private Cloud, Hybrid Cloud and On-Premise. Our choice of secret management doesn’t tie us to any particular platform, while still providing us with the DevOps tools and integrations we need.


Author: Jack Jones
Jack has been an integral part of Pipe Ten’s engineering team for over 5 years. With a long history of being immersed in Microsoft’s ecosystem, Jack embodies Pipe Ten’s provider-agnostic approach and has led the evolution of many customer solutions to integrate the benefits of public cloud, specialising in Azure and AWS. The wealth and sheer depth of Jack’s cutting-edge technical knowledge and skillset has been crucial to the success and growth of many customers’ businesses.
