HashiCorp Vault Reviews

We are currently conducting a PoC with HashiCorp vault to see if it meets our requirements. I have ten different use cases for the evaluation.

We are integrating it into our Key Management Service. In my previous company, we were using it to store all of our keys and secret certificates.

In my previous organization, all of the requirements and use cases worked well.

The most valuable feature is the hub cluster in Consul.

This solution is easy to use and to integrate.

The documentation is very general; it should have more examples and more use cases. Basically, they just tell you the syntax without a better explanation of how to do things.

We learned all of the Vault Commands (CLI) and they work fine, except when we are running on an EKS cluster then the syntax changes. Most of the commands are not working.

I have been using HashiCorp Vault for less than a year.

Vault, so far, has been stable for me. I have had some trouble with Terraform, which I find is not very stable.

It is easy to scale this solution. I spin up a cluster and on top of that, I install Vault. On the backend, I use Consul for my wallet.

Because I am using the open-source version, I have not contacted technical support.

We did not use another solution before beginning our PoC.

The initial setup is easy and it is not complex or difficult to configure. You just have to understand the basic concepts of authentication.

Downloading vault and installing it, including Consul, will only take 15 or 20 minutes. The configuration depends on the use cases and depending on them, the length of time it takes will vary. It should take no longer than a day.

I am using the open-source version of Vault and I would have to buy a license if I want to get support.

This is the first solution that we are evaluating. If the PoC does not go well then we will be looking into other solutions. We did not consider other options because we felt that Vault would do what we wanted.

One of the questions that I have been trying to solve is whether it is possible to update the cloud AWS keys from the on-premises solution. I have been through the documentation and the blogs and still do not know whether it is possible. Definitely, they can be managed once they have been deployed into the cloud, but I want to know the other way around. Our intention is ultimately to deploy on-premises, which is why this is important.

My advice for anybody who is implementing this solution is to fully go through the documentation and understand all of the use cases before implementing it.

I would rate this solution a seven out of ten.

This is a Secrets Management framework to manage a keystore, certificates, and passwords dynamically in a Platform as a Service context, such as Vanilla Kubernetes Platforms, Rancher, Meso, Tectonic, and Origin/OpenShift Enterprise Platforms.

Whatever the platform, this product can help provide good security and be PCI Compliant.

It is an added value for our customers to have a Secrets Management workflow available that is PaaS/CaaS/KaaS Platform agnostic.

Furthermore, for Private and Hybrid Clouds such as AWS and Azure, it helps us to address multiple use cases that are not covered by AWS KMS, Azure Key Vault, or even with Hardware Security Modules that are limited by key type and size.

The dynamic secrets and key revocation feature help us to mitigate some risks easier for our customers, starting at the beginning of their development, without service downtime.

Starting integration of this product at the CI/CD software factory level helps make it easier to expand the environment when needed.

A Service Mesh workflow connected within Vault workflow would be difficult to integrate, depending on the SI complexity and security compliance.

A drawback for some clients who have to be PCI compliant is that they still need to use and subscribe to an HSM (Hardware Security Module) solution. 

Compliance: www.pcicomplianceguide.org

Consul, the backend of Vault, is a distributed and highly available system and suitable for intensive production workloads.

The community edition is a place to start, where the development framework is already in place. When moving to production it is easy to make the switch and there are no additional development costs.

Once used in the framework, developers gain time to address authentication and authorization issues, which are managed once at the vault level and no more.

For PKI management, TLS certificate renewal or revocation "cert-manager workflow" can be useful but, at times,  not as compliant as expected.

We use HashiCorp Vault for static and dynamic credentials. 

The tool's dynamic rotation of the password credentials is good. 

I would like to see better integration of HashiCorp Vault with SAP products. 

I have been using the product for two years. 

HashiCorp Vault is stable. 

The solution is scalable. 

HashiCorp Vault's support is great, and we get answers immediately. 

Positive

HashiCorp Vault's installation is easy. 

I rate the tool a ten out of ten.