Why not just use Parameter Store? https://aws.amazon.com/ec2/systems-manager/parameter-store/

Plus: don't use credentials directly, use the assume role feature.
The comparison with Vault is somewhat misleading.

- There are several free UIs available for Vault, like https://github.com/djenriquez/vault-ui; they just aren't provided by Hashicorp.

- I'm not sure what "file secrets" might refer to other than storing the contents of a file, for which Vault's CLI provides shortcuts.

- While Vault's generic k/v backend doesn't support purging expired values in order to avoid accidental data loss, there are plenty of other backends that integrate with AWS STS, Postgres, etc. to provide dynamic, short-lived credentials.

- I'm not sure how Vault doesn't support encrypted backups, seeing as the data is already encrypted on disk. Take EBS snapshots or something.

- Versioning of secrets is a popular request and Hashicorp has some "vague plans", which is an improvement from "no plans." https://github.com/hashicorp/vault/issues/1364#issuecomment-328251464

Plus you get a full REST API, a ton of auth methods, granular access policies, etc.
Hi, this really needs a REST API.

Most secrets are injected in real time at the startup of a container. For tools like this or plugins in k8 / docker to access your store you should support this. It's really bad practice to create a hard dependency on your secrets store by using the Java SDK directly in your application. If that's not the intent, definitely provide a Golang SDK for proper plugin integration.

Can you explain how secrets are injected now?
Charging $1 per secret is interesting. I wonder if that will affect how people design their application.

We've had a pretty splendid experience with Vault so far, so I'm not exactly in the market for another solution, but this looks interesting.

I assume you started development on this because Vault et al. didn't exist yet at the time? Or was there another driver?
If you're comfortable with using KMS already, I recommend checking out SOPS: https://github.com/mozilla/sops

It can be versioned if you use git, access controlled via the KMS access privileges, and easily plugs into other tools because it uses YAML. Simplicity is the killer feature.
How does SecretBox compare with Vault [0] or BlackBox [1]?

[0] https://github.com/hashicorp/vault

[1] https://github.com/stackexchange/blackbox
Current Parameter Store user - one feature not mentioned in the comparison is the fact that accessing / updating a secret in Parameter Store will show up in CloudTrail. Is there a similar audit trail in strongbox?
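To make the audit-trail point above concrete, here is an added example (not from the thread or from any of the tools discussed) that reduces a CloudTrail log file to one row per Parameter Store read or write: who made the call, which parameter, and whether decryption of a SecureString was requested. The event names and the `requestParameters` keys follow CloudTrail's documented layout for SSM as far as I know it; the records themselves are constructed samples, not real log data.

```python
import json
from typing import Dict, List

# CloudTrail event names that read or change Parameter Store values
# (assumption: names as CloudTrail logs them; the list is not exhaustive).
SSM_READ_EVENTS = {"GetParameter", "GetParameters", "GetParametersByPath"}
SSM_WRITE_EVENTS = {"PutParameter", "DeleteParameter", "DeleteParameters"}


def audit_parameter_access(trail_json: str) -> List[Dict[str, object]]:
    """Return one audit row per Parameter Store event in a CloudTrail file."""
    rows = []
    for rec in json.loads(trail_json).get("Records", []):
        if rec.get("eventSource") != "ssm.amazonaws.com":
            continue  # not an SSM / Parameter Store call
        event = rec.get("eventName", "")
        if event not in SSM_READ_EVENTS and event not in SSM_WRITE_EVENTS:
            continue
        params = rec.get("requestParameters") or {}
        # GetParameters carries a "names" list; the other calls carry "name" or "path".
        names = params.get("names") or [params.get("name") or params.get("path")]
        rows.append({
            "time": rec.get("eventTime"),
            "principal": rec.get("userIdentity", {}).get("arn"),
            "source_ip": rec.get("sourceIPAddress"),
            "event": event,
            "parameters": [n for n in names if n],
            "decrypted": bool(params.get("withDecryption")),  # SecureString read in clear
            "kind": "read" if event in SSM_READ_EVENTS else "write",
        })
    return rows


# Constructed sample records (not real log data) in CloudTrail's JSON layout.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2017-09-12T10:00:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "GetParameter", "sourceIPAddress": "10.0.0.5",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/app-role/i-0abc"},
     "requestParameters": {"name": "/prod/db/password", "withDecryption": True}},
    {"eventTime": "2017-09-12T10:05:00Z", "eventSource": "ssm.amazonaws.com",
     "eventName": "PutParameter", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"name": "/prod/db/password", "type": "SecureString", "overwrite": True}},
    {"eventTime": "2017-09-12T10:06:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "userIdentity": {"arn": "n/a"}, "requestParameters": {}},
]})

if __name__ == "__main__":
    for row in audit_parameter_access(SAMPLE_TRAIL):
        print(row)
```

Rows with `decrypted` set and a principal or source IP you don't expect are the ones worth alerting on; the same filter works on files pulled from the CloudTrail S3 bucket.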
I prefer the RBAC and YAML policies Conjur provides... https://github.com/cyberark/conjur