Secrets Management Conclusion

Third and final installment on secrets management. In this article I give an overview of all the solutions I found that met my criteria.

Introduction

I figured I’d write another article on secrets management to wrap up my evaluation efforts in this space. As I mentioned in my first article on secrets management, I set out on this journey looking for a solution that offered easy-to-use, generic secrets management. In that article I also define what secrets management is, what sort of secrets we are talking about, and why it’s important to manage your secrets. If you haven’t read my previous articles in this series, I recommend you check all of them out.

As I said, I was looking for an easy-to-use, generic solution, so anything that specialized in a specific language, product or vendor was excluded. Anything that specialized in AWS keys, Docker secrets or NodeJS secrets, for example, was excluded from my evaluation. After some initial web research I had the following solutions to evaluate:

In the following sections I will summarize what I found.

Solutions

AKEYLESS Secrets Manager

I found this to be a powerful and easy-to-use solution that will likely fit larger organizations well if they are looking for a complete secrets and key management solution. Smaller orgs, or orgs with fewer requirements, may find this to be overkill or simply too expensive. For more details see my article on this solution at https://infosechelp.net/secrets-management-a-key-less-edition/

Vault Project by HashiCorp

HashiCorp is a big name in this space, so I was expecting big things from them, expectations which turned out to be unfounded. Vault is available both as an enterprise edition and as an open-source community edition. Pricing is a bit unclear to me, as it is quoted in $/hr, and I don’t understand how that works. I tried this out and found it extremely complex and confusing. I spent the better part of a day working with this and was able to create a few secrets in the web UI using the default root admin token. I did not figure out how to create new accounts, nor could I figure out how to use their CLI option, let alone their API. As I said, I only spent the better part of a day on this, reading the documentation and messing around with it. If I had spent more time on it, I probably would have figured it all out. After banging my head against the vault for several hours I lost interest in trying to figure it out, as I saw no compelling reason anyone would want to deploy this thing. Based on what I saw, AKEYLESS Secrets Manager was a far superior product for those looking for a large-scale, fully featured system in this space.

BeyondTrust

BeyondTrust is another big name in this space, and you can tell by their web site just how big they think they are. Beyond some fast-talking sales slicks, their web site had nothing to offer except “register to learn more” forms all dressed up with generic highfalutin sales talk. There is no pricing information or self-service demo option, just “give us your phone number so we can subject you to high-pressure sales tactics,” and I ain’t playing that game. Since I had no way to get anything useful about their product without subjecting myself to a sales talk, I eliminated them from the process.

Conjur by CyberArk

Here is another big player in this space. Their website had the following claim:

SECRETS MANAGEMENT MADE SIMPLE

A seamless open-source interface to securely authenticate, control and audit non-human access across tools, applications, containers, and cloud environments via robust secrets management.

https://www.conjur.org/

I was not able to validate this claim. In fact, I found it to be anything but simple. Even after spending a couple of hours trying to get this to work, I had failed to create even a single secret in it, so I gave up. I was following a “getting started” guide which dutifully stepped me through how to get started, and I still failed to store a single secret. Based on that experience I would call this solution convoluted and complex.

Delinea

Another offering that was disqualified because everything leads to a “register for a sales call” form, and as I said before, I ain’t playing that game. Their website claims, “Privileged access just got more accessible,” and once more I see nothing to confirm that; hiding behind a sales call does not make things more accessible.

Doppler

This is the first solution I evaluated and the subject of my first blog in this series. This is a fabulous secrets manager for someone who is looking for a simple-to-use secrets manager. It does one thing, and it does it extremely well. Actually, it does two things and does them very well: Doppler is both a secrets and a configuration manager. You can store all your project configuration in Doppler, both sensitive and non-sensitive, and organize it into projects, environments, and configurations. Check out the Secrets Management article for more details.

DotEnv

Turns out this solution focuses on NodeJS, despite the rather grandiose claims on their web site about supporting everything in the world. When I talked to their support folks about how to use it for Python, the answer was along the lines of “well, we are really just focusing on NodeJS right now; we hope to support everything soon.” Therefore I did not evaluate this, as it did not meet my initial requirement of being generic.

Conclusion

In conclusion, I found only two solutions out there that I could validate were easy to use and offered generic support: Doppler and AKEYLESS.