Secret Management 🔑
Comparison
| Feature | SOPS | HashiCorp Vault |
|---|---|---|
| Open Source | Yes (MPL-2.0, CNCF project) | Core features BSL since 2023, some advanced features enterprise only |
| Distributed | N/A (files live wherever the repository lives) | Yes, highly distributed and replicated |
| End-user Learning Curve | Medium | Low |
| Deployment Complexity | Low (a CLI and a key provider) | High (cluster, storage, unseal, auth methods, policies) |
| Encryption Method | AES256-GCM per value; the data key is envelope-encrypted by the key provider | AES256-GCM storage barrier, unsealed via Shamir shares or auto-unseal |
| Secret Rotation | Manual edit required (`sops rotate` only re-wraps the data key) | Automated rotation policies, dynamic short-lived credentials |
| BCDR Support | Files are in Git; recovery depends on the KMS/PGP/age key still being available | Multiple DR, backup and replication options |
| Authentication Methods | None of its own; delegates to the key provider: AWS/GCP KMS (+IAM role), Azure Key Vault, Vault Transit, PGP or age keys | Tokens, Kubernetes auth, usernames/passwords, OIDC, cloud IAM, more |
| RBAC | Per-file coarse-grained control: whoever can use the file's key can decrypt the whole file | Robust policy engine for fine-grained, per-path control |
| UX | Basic CLI | Rich UI, CLI, APIs |
| Integrations | Some CLI tools, editor/IDE plugins, GitOps products | Hundreds of integrations |
| Kubernetes Integration | CRD controller decrypts the file into a Kubernetes Secret, which the app mounts as a volume | Mutating webhook (agent injector) or CSI driver + provider injecting secrets on the fly into a volume mounted by the app |
| Secret Storage | Encrypted files checked into Git/source control | Stored encrypted in Vault integrated storage |
| Threat Model | Here | Here |
For more secret management options or specifics on integrating with Kubernetes, refer to the additional resources listed at the end of the page.
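To make the RBAC and authentication rows concrete, here is a `.sops.yaml` showing how the per-file control described in the table is expressed. This is an added example, not from the page or the SOPS project: the rules pick a key by file path, so who can decrypt a file is decided by IAM on the KMS key (production) or by possession of an age key (development). Key ARNs, account IDs, role names, the age recipient and the path layout are placeholders.

```yaml
# .sops.yaml at the repository root; sops picks the FIRST rule whose
# path_regex matches the file being created, so order matters.
creation_rules:
  # Production: only principals allowed to kms:Decrypt with this key (and to
  # assume the role) can read the file. Placeholder ARNs.
  - path_regex: ^envs/prod/.*\.yaml$
    kms: "arn:aws:kms:eu-west-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab+arn:aws:iam::111122223333:role/prod-deploy"
    # Only encrypt the secret payload of Kubernetes Secret manifests so the
    # rest of the manifest stays readable and diffable in Git.
    encrypted_regex: ^(data|stringData)$

  # Infrastructure secrets injected by CI/CD: a separate key, so a developer
  # who can read app secrets cannot read these.
  - path_regex: ^infra/.*\.yaml$
    kms: "arn:aws:kms:eu-west-1:111122223333:key/feedface-0000-1111-2222-333333333333"

  # Development: an age recipient held by the team (placeholder recipient).
  - path_regex: ^envs/dev/.*\.yaml$
    age: "age1examplerecipientplaceholder00000000000000000000000000000000"
    encrypted_regex: ^(data|stringData)$

  # Fallback for anything else: refuse by giving no key, so `sops -e` fails
  # loudly instead of silently picking a key.
  - path_regex: .*
```

After `sops -e -i envs/prod/db-secret.yaml`, each value under `data`/`stringData` is replaced by a marker of the form `ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]` and a `sops:` block holding the wrapped data key and a MAC over the file is appended. Two checks a practitioner should run: `sops updatekeys` after changing a rule (existing files are not re-keyed automatically), and a review of the KMS key policy, because the key policy, not Git permissions, is the real access control here.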
Personal Requirements
- Agnostic to hosting environment - Ideally avoid locking yourself into a provider's built-in solution so you can support on-prem, any cloud provider, Kubernetes, etc.
- Low end-user complexity - Keep it simple and minimize end-user burden.
- Tie into company auth - Integrate with your existing identity provider.
- Easy on-boarding - Platform teams can provision credentials to projects via the secret management system.
- Isolate infrastructure secrets - Infrastructure secrets can often be injected through CI/CD in a way that is transparent and secure for end-users; automating this requires standardized pipelines and app/team identifiers.
- Automated rotation - Rotate secrets programmatically.
- Policy consistency - Align user and password rules organization-wide.
- Versioning - Tied to auditability, but worth insisting on. In the past, some teams suffixed a date to secret keys; at minimum, a way to review and track each change is recommended.
- Auditability - Monitor access and changes comprehensively.
Based on these requirements, I tend to prefer any secret management system tied, if I’m on Kubernetes, to a CRD to get the best of both worlds.
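The two Kubernetes integration patterns from the comparison table, side by side, as an added example (not the page's own manifests and not taken from either project's documentation). The first uses the Flux kustomize-controller, whose `Kustomization` CRD decrypts SOPS files into ordinary Kubernetes Secrets; the second uses the Secrets Store CSI driver with the Vault provider, which fetches the secret at pod start and writes it to a tmpfs volume. The namespace, Secret name, Git path, Vault address, auth role and KV path are assumptions.

```yaml
# --- Pattern 1: SOPS file mirrored into a Kubernetes Secret by a CRD controller (Flux) ---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: app-prod
  namespace: flux-system
spec:
  interval: 10m
  path: ./envs/prod          # assumed directory holding sops-encrypted Secret manifests
  prune: true
  sourceRef:
    kind: GitRepository
    name: platform           # assumed GitRepository object
  decryption:
    provider: sops
    secretRef:
      name: sops-age         # Secret in flux-system holding an age.agekey entry
# Caveat: the decrypted Secret is written to etcd. Enable encryption at rest
# for etcd and restrict `get secrets` RBAC, or the controller has just moved
# the secret from an encrypted file to a readable API object.
---
# --- Pattern 2: Vault secret injected on the fly via the Secrets Store CSI driver ---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: app-db-creds
  namespace: app
spec:
  provider: vault
  parameters:
    vaultAddress: "https://vault.example.internal:8200"   # assumed address
    roleName: "app"            # Vault Kubernetes-auth role bound to the app ServiceAccount
    objects: |
      - objectName: "db-password"
        secretPath: "secret/data/app/db"   # KV v2 API path (note the /data/ segment)
        secretKey: "password"
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: app
spec:
  serviceAccountName: app      # identity Vault authenticates; no static token in the pod
  containers:
    - name: app
      image: registry.example.internal/app:1.0   # placeholder image
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "app-db-creds"
# The app reads /mnt/secrets/db-password. Nothing lands in etcd unless you
# add `secretObjects` to the SecretProviderClass to sync into a Secret.
```

The trade-off this shows is the one the page's requirements list hints at: the CRD approach keeps the app completely unaware of the secret manager (it just mounts a Secret) at the cost of the plaintext living in etcd, while the CSI approach keeps the plaintext on the node only but couples the pod to the Vault auth role and to Vault availability at startup.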
Making a choice
When choosing a secret management tool, match the solution to your current team size and near-term growth outlook. Start lean with a lightweight tool like sops to meet immediate needs without overhead. Only graduate to an enterprise platform like HashiCorp Vault once your team scales enough to justify the added complexity and costs. Reevaluate pragmatically as your needs evolve - don’t over-commit upfront. Right-size based on where you are now, with flexibility to scale up later.
Resources
Kubernetes-related
Platform-agnostic
- Infisical, an open-source alternative to Vault