As soon as developers have access to the production credentials it's game over. Auditability is gone. Passwords end up being stored in various password stores and plain files because it's convenient. Developers connect to the production system and start doing live changes.

Hashicorp Vault is more difficult to put in place but it does the right thing. With its custom backend it can generate temporary tokens, for example to access the database. Those tokens are short-lived and part of the audit log.
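An added example, not from this thread and not Vault's own code: a hypothetical Python model of the dynamic-credential pattern the comment describes, where each requester gets a fresh short-lived login, every issue/expire/revoke event lands in an append-only audit log, and no long-lived password ever exists to be copied into a file. The `CREATE USER`/`DROP USER` steps a real broker would run against the database are left as comments.

```python
import secrets
import time
from dataclasses import dataclass

@dataclass
class Lease:
    lease_id: str
    requester: str
    username: str
    password: str
    expires_at: float

class DynamicCredentialBroker:
    """Hypothetical model of the pattern: per-request, short-lived logins, each
    attributable to a requester and recorded in an append-only audit log."""

    def __init__(self, ttl_seconds: int = 3600, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested without sleeping
        self.leases: dict[str, Lease] = {}
        self.audit_log: list[dict] = []  # who, what, which lease; never the secret

    def _audit(self, requester: str, action: str, lease_id: str) -> None:
        self.audit_log.append({"ts": self.clock(), "requester": requester,
                               "action": action, "lease_id": lease_id})

    def issue(self, requester: str) -> Lease:
        # A real broker would CREATE USER on the database with these values.
        lease_id = secrets.token_hex(8)
        lease = Lease(lease_id, requester, f"v-{requester}-{lease_id[:6]}",
                      secrets.token_urlsafe(24), self.clock() + self.ttl)
        self.leases[lease_id] = lease
        self._audit(requester, "issue", lease_id)
        return lease

    def revoke(self, lease_id: str, requester: str = "system", action: str = "revoke") -> bool:
        # A real broker would DROP USER here; early revocation is logged the same way.
        if self.leases.pop(lease_id, None) is None:
            return False
        self._audit(requester, action, lease_id)
        return True

    def reap_expired(self) -> list[str]:
        # Background sweep: every lease past its TTL is torn down and logged as "expire".
        now = self.clock()
        expired = [l.lease_id for l in self.leases.values() if now >= l.expires_at]
        for lease_id in expired:
            self.revoke(lease_id, "system", "expire")
        return expired
```

The audit log answers "who had database access, and when" without ever containing a password, which is exactly what static shared credentials cannot give you.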
Looks interesting. I'll definitely take a look at how this compares to Hashicorp Vault. Definitely getting closer and closer to the point where I can start to properly utilize a tool like this.

Reading the docs, though, it does seem like it's one legendary AWS outage away from being a huge problem:

> Torus’s infrastructure has been designed from the ground up for resilience without any single point of failure. All of our services are autoscaled and run in multiple availability zones in the us-east-1 region.
We've used Torus a fair bit in my team at work, however we're now using Docker's native secrets solution for our container runtimes as it avoids the knowledge and build-time overhead of an extra dependency.

I personally found the experience of using Torus to be great. Getting a quick working setup is easy and it doesn't take much effort to transition from there to locked down access control. Will likely continue using it outside of the Docker context.
I've been using Blackbox and it has been great. It encrypts files directly in your VCS. We've set up the deploy pipeline to decrypt secret config files and then deploy to servers.

https://github.com/StackExchange/blackbox
Looks interesting. I probably need to get my hands dirty to understand how it's different from Hashicorp's Vault. A quick glance says it's a cloud-based solution with simpler UX. I see only client binaries and sign-up instructions. There are no server setup instructions.
Very strange navigation behaviour: enabled JS, and then clicking e.g. 'Docs' modifies the URL in address bar, but requires a manual refresh to actually load the docs page...