HashiCorp switched Vault from MPL to BSL license yesterday. The terms of how they define "competitive" products are pretty vague, which means that any commercial product that uses Vault under the hood is at risk of violating the terms of the new license. Moreover, even if it's not violating the terms of the license now, it doesn't mean that HashiCorp will not change its mind in future.<p>Ultimately, it just means that HashiCorp is not an open source company anymore. One of the biggest benefits of open source is building on top of open source software to create even better software. HashiCorp's move makes it impossible and simply slows down innovation. In fact, in their blog post, they say that they will start referring to their previously-open-source product as "community".<p>Infisical is an open source alternative to HashiCorp Vault. The main difference is that it provides more tools in one platform. Some examples of these are automatic secret scanning and leak prevention, CLI for local development, integrations with services like GitHub Actions, Circle CI, etc.<p>The core of Infisical is available under the MIT license with only very few features being enterprise-licensed – some will say it's not ideal but at least this type of license does not impose legal risks on our users while giving us the ability to monetize the product efficiently and support the open source (MIT-based) part of the product.<p>Over the last year, lots of developers and companies of all sizes (from tiny startups to Fortune 10 companies) have partially or fully switched to Infisical. For them, we now process over 300 million secrets per month.<p>Check out our git repo here: <a href="https://github.com/Infisical/infisical">https://github.com/Infisical/infisical</a>
Backed by another corporation trying to monetize it. This will go well.<p><pre><code>This repo is available under the MIT expat license, with the exception of the ee directory which will contain premium enterprise features requiring an Infisical license.
</code></pre>
I just sprained my eye sockets from rolling my eyes too hard.
And still world-class testing: <a href="https://github.com/Infisical/infisical/blob/main/backend/tests/integration-tests/routes/v2/secrets.test.ts">https://github.com/Infisical/infisical/blob/main/backend/tes...</a><p>Don't use this untested mess to store your secrets.
EnvKey (<a href="https://www.envkey.com/">https://www.envkey.com/</a>) is another OSS alternative to Vault with a bit more focus on security (disclaimer: I'm the founder).<p>We have a comparison with Vault here: <a href="https://www.envkey.com/compare/hashicorp-vault/">https://www.envkey.com/compare/hashicorp-vault/</a><p>We'll probably write up a comparison with Infisical soon as well, but I'd say the main thing is that our end-to-end encryption has no opt-outs (as Infisical does for many of its integrations), and we use native apps and a CLI rather than offering a web UI. End-to-end encryption in a web browser offers minimal security benefit for reasons discussed in this thread: <a href="https://news.ycombinator.com/item?id=21838795">https://news.ycombinator.com/item?id=21838795</a> (the discussion is from 2019 and the original NCCGroup link from 2011 is now dead, but all the same issues still apply).<p>Also, I'm not sure if this has been addressed yet, but it has previously been noted that Infisical was completely lacking in automated tests. EnvKey has an extensive test suite (core tests here: <a href="https://github.com/envkey/envkey/tree/main/public/app/tests">https://github.com/envkey/envkey/tree/main/public/app/tests</a> and tests for all our SDKs are included in each: <a href="https://github.com/envkey/envkey/tree/main/public/sdks">https://github.com/envkey/envkey/tree/main/public/sdks</a>).
I remember trying Infisical, and I was excited to see how good it is, the feature list in the OSS version, and its ease of use... What cooled me off is this limitation in OSS: "3 Infisical Projects, 3 Environments & 5 Team Members."<p>That's not nice. It's OK to limit SSO access to OSS and stuff like that. But limiting essential features - team members - is a no-go.
MIT now, but in a few years when the inevitable need to make the profit number bigger crops up they'll be doing the same thing.<p>And there will be the same backlash by people pretending that the change is some sort of grave slight and making bold claims about how they're switching away because they actually have to pay for stuff now.<p>And the cycle will repeat ad nauseam.
So the introduction says it’s “end-to-end encrypted” but all it does is link to Wikipedia (which is useless). Is there any documentation on the security model?<p>Vault has some at-rest encryption but IIRC explicitly says they don’t have any mitigations against a compromised unsealed node. My understanding is that if someone ever gets root access to a machine running Vault, the game is over. Which makes me wonder if I can deploy Infisical to some completely untrusted machine (without any orchestration or networking concerns) and still have some guarantees that all my secrets are safe in some way (cannot be decrypted, cannot be replaced, maybe even cannot be rolled back, etc)?
There has to be a middle ground where yes, you can use this to your heart's content for free, but don't package and sell this to undercut our own hosted offering.<p>It's pretty shitty what happened with MongoDB and AWS. Morally it always felt wrong.
Congrats to the Infisical team, it's been cool getting to watch them grow from the start.<p>What are some of the biggest challenges you've run into so far?
I wish secret manager services were obsoleted by OIDC and HSMs. If everything negotiated via keypass & BeyondProd-style workload identification and... we never save passwords for DBs or web hooks ever again.<p>...it's annoying that a Kubernetes-like complex system exists and it doesn't have to. And now they have a SaaS version for small numbers of secrets....
Infisical 3rd party integrations are one of the best things about it. They just work without having to deal with plugins or crazy configurations. Kudos to the team.
Another option, for companies that want to go full security over automations and kubernetes, is CyberArk Conjur.
Its open source version is quite limited in features, but the Enterprise version is very complete.