I just replaced a clunky secrets manager with Mozilla SOPS and secrets-in-code that we keep in git encrypted and can version like any other file. I like this approach better than any alternative I've used so far.
SOPS is only an alternative to the Vault KV Store. Even then, it requires a lot of manual plumbing when you have operators and Terraform pushing secrets or keys into Vault KV.
To replace SSH Sign and Cert Authority or database engines, both generating short-lived credentials on demand, SOPS will not easily solve the issue.
If you only need a KV Store, the SOPS experience is way better than Vault and the maintenance cost is low.
I readily admit it's not the same amount of :fu: as BuSL or whatever the fuck is going on over at Sentry but still :-( as compared to their much friendlier Apache 2
Well, that actually may be a good hint for me for a project I'm working on right now. I just fell off the chair when I realized how Vault charges for Enterprise "clients" (identities). This could be some fresh air.
Their pricing was laughable when we investigated it a couple of years back; I imagine it's only gotten worse since.
When I told them how ridiculously expensive it was for our use-case they suddenly managed to find a ~50% discount for us. That brought it down to just laughably expensive. Needless to say, we stuck with DIY.
It’s simple, has real client-side end-to-end encryption with no backdoors or compromises, is open source, and gives you a bunch of ways to manage and de-duplicate config.
Does EnvKey have a concept like Vault's secret engines? E.g. Vault can automatically create temporary service accounts in AWS and GCP on demand. It can also create credentials in DBs like Postgres on demand and rotate them. Also, can it be set up as a private CA and sign certs on demand?
It has a CLI that can be used for this purpose, but you would have to script it.
It also doesn’t have private CA or cert generation features, so if you need that then perhaps Vault or OpenBao would be a better fit. Though if you wanted to use EnvKey for simplicity and security reasons, you could potentially do your cert generation with openssl or another tool and then store the certs in EnvKey.
The feature set isn’t 1-to-1. EnvKey is more focused on config management and ease of use and not so much on slotting into more complex custom infra that needs e.g. a private CA. Though like I said it is quite flexible, so you could make it fit into just about any system if you’re willing to do a bit of scripting.
Can you be more specific? It clearly mentions encryption-as-a-service and secrets generation as advantages of Vault, among others.
The point of the comparison is not to have an itemized list of every feature, but to compare the most important features and tradeoffs at a high level. It includes the disclaimer that Vault could be better for some more complex use cases (as I have also done here in my reply to you).
Your "Quick Compare" table has EnvKey winning on everything and doesn't mention anything about the fact that it only does about 10% of what Vault does. The 90% of stuff that Vault does that EnvKey doesn't gets one sentence in the advantages list and is downplayed in the conclusion.
A fair comparison would point out that EnvKey only does a small but important part of what Vault does, and explain why it does it well. Somebody who didn't know either piece of software might read your comparison and get the false impression that they had equivalent functionality.
I don't expect you to agree, because that would mean you had to change the page to one which maybe doesn't convert so well.
I think your “90%” is quite unfair as EnvKey also has a lot of features that Vault doesn’t have, and the comparison is focused specifically on secrets management.
Vault has some long tail infra/enterprise features that EnvKey lacks and perhaps those are relevant to you, but a lot of them aren’t really secrets management per se, and for the core objective of managing secrets and config, EnvKey has a lot in terms of de-duplication, automation, and UI/UX/DX that Vault lacks. But for sure it depends on your use case.
Of course we are going to be somewhat biased, but everything in the quick compare section is backed up below. On security, EnvKey has end-to-end encryption; Vault doesn’t and requires trusting the host server. EnvKey is clearly easier to set up and use. EnvKey has an MIT license. EnvKey fits into a local development workflow and keeps config in sync much more effectively.
For sure you could write something that gives more attention to Vault’s specific strengths, but I stand by the comparison as broadly accurate.
Thanks, looks quite cool and a bit more in line with my Kubernetes setup than the EnvKey mentioned above. I'll give it a try, especially if I can start with the self-hosted open-source version while the team is still tiny.