Feature Matrix of Infrastructure Secret Management Software
This spreadsheet is a companion to the overview at https://gist.github.com/maxvt/bb49a6c7243163b8120625fc8ae3f3cd
License: This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Remember: if a feature is not documented, it does not exist.
| | Flexible, per-service access control | Secret generators, temporary secrets | Versioning (store multiple versions, rollback, rollover) | Notify client on secret change | Editing options | Audit | Presentation | Bindings | Supports multiple cloud providers | Highly available | |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Ansible Vault | Some (can use separate keys, cumbersome membership change) | No | Via source control | No | CLI only | No | File | None? | Yes | Yes / no centralized component | Integrated into Ansible |
| Barbican | Yes (WIP?) | CA API for creating certificates | No | No | API | Yes | ENV, FUSE, REST | Python - 1st party. Ruby - 2015 (dead?) | Yes | Unclear | Platform tax: OpenStack ecosystem |
| Chef Encrypted Databags | No | No | No | No | CLI only | No (server could track bag access) | Files or ENV, when orchestrated by Chef | Ruby - 1st party | Yes | No | |
| Chef Encrypted Databags with Diverse Keys | Some (cumbersome membership change) | No | No | No | CLI only | No (server could track bag access) | Files or ENV, when orchestrated by Chef | Ruby - 1st party | Yes | No | |
| Chef Vault | Yes | No | No | No | CLI only | No (server could track bag access) | Files or ENV, when orchestrated by Chef | Ruby - 1st party | Yes | No | |
| Citadel | Yes | No | Possible (via S3) | No | Via AWS? | Possible (via S3) | Files or ENV, when orchestrated by Chef | Ruby - 1st party | AWS only | Yes | |
| Confidant | Yes | No | Yes | ? | UI, CLI | ? | ? | ? | AWS only | ? | |
| Conjur | Yes | "Rotators" | Yes | No | UI, CLI | Yes | ENV with Summon | Ruby, Python, Node, Java, .NET | Yes | Manual failover? | |
| Crypt | Some (cumbersome membership change) | No | No | No | CLI only | No | File or library | Golang | Yes | Yes / no centralized component | |
| EJSON | Yes, limited | No | Via Git | No | CLI only | No | File | None | Yes | Yes / no centralized component | |
| Hashicorp Vault | Yes | Some backends; no extensibility | No | No | CLI only | Maybe (syslog) | Env, files (additional 1st party tools) | Ruby and Go - 1st party; Python, Scala, Erlang - 3rd party | Yes | Yes | Platform tax: multi-DC issues with Consul backend |
| Keywhiz | Yes | Plugins? | Yes | Maybe inotify? | UI, CLI | Yes | Files | None? | Yes | No | |
| Knox | Yes, but multiple services on the same machine share all secrets | No | Yes, best? | Maybe inotify? | CLI only | Yes | Files | None? | Yes | Yes | Platform tax: must be a Go developer :) |
| Red October | Yes | No | No | No | UI, CLI | No | API only | None? | Yes | No | Does not actually store secrets |
| Trousseau | No | No | No | No | CLI only | No | File | None? | Yes | Yes / no centralized component | |

Additional entries (partially filled rows; cells are listed in sheet order, so not every value can be tied to a column):

- Zookeeper: Yes | No | Yes | Yes? | No | API only | Java? | Yes | Yes
- etcd: In development | No | Yes | Yes? | No | Yes | Yes
- Consul: Yes | No | No | No | UI, CLI | No | Yes (DC centric) | Yes
- Credstash: AWS only
- Sneaker: AWS only