Microservices and Secrets Management – Comparison of Vault Solutions
As microservices become the preferred method for building cloud-native distributed applications, they pose many security challenges. Secrets management is a critical component of container-based application security.
The most common secrets that need to be protected in microservices-based applications are:
- Database credentials
- Cross service credentials / tokens
- API keys and Access Tokens
- SSL/TLS certificates
In the monolithic model, secrets are usually stored in code, config files or database tables. This is a huge security risk because such secrets are easily compromised. Moreover, there is no centralization of secrets, which makes secret rotation complex and time consuming.
With microservices, there is a need for a centralized secrets management solution that can handle these security challenges with minimum intervention.
The requirements include, but are not limited to:
- Secure storage of different secret types such as tokens, credentials and certificates
- Key Rotation
- Data Encryption
- Full Audit logging
- REST APIs (for easy integration and automation)
- Fine grained Access Control
There are multiple vault solutions from different cloud providers (Azure Key Vault, AWS KMS, GCP KMS, etc.) and open source products such as Hashicorp Vault that offer rich features for secrets management.
Let's compare some of the most widely used vault solutions: Azure Key Vault, Hashicorp Vault and Kubernetes Secrets.
This is effectively a Hashicorp Vault vs. Azure Key Vault comparison, but we have also included Kubernetes Secrets because it comes built into a Kubernetes cluster and can be considered for some use cases.
Comparison of Vault Solutions from an Operations Point of View
| | Hashicorp Vault | Azure Key Vault | Kubernetes Secrets |
|---|---|---|---|
| Documentation | Link to Documentation | Link to Documentation | Link to Documentation |
| Operation and setup | Open source, so it needs operations effort to set up and manage the stack and its availability. | PaaS solution, so it needs no or minimal operations effort to manage. | Built into Kubernetes, so no separate management is required. |
| Pricing | Open source, so only infrastructure cost. For enterprise setups where DR and backups are required, an enterprise license needs to be purchased. | https://azure.microsoft.com/en-us/pricing/details/key-vault/ | Built into Kubernetes, so no extra cost. |
| Replication and DR | Replication and DR are supported only in the enterprise version (Vault Enterprise). | The contents of a key vault are replicated within the region and to a secondary region at least 150 miles away but within the same geography. This maintains high durability of your keys and secrets. See the Azure paired regions document for details on specific region pairs. | Same as the Kubernetes cluster. |
| Audit logs | Detailed audit logs are captured. | Yes | Kubernetes auditing is part of the kube-apiserver and logs all requests that the API server processes. |
| Access Control | Fine-grained roles and policies can be defined to control access to different paths (where secret engines are mounted). Secret engines can be set up at different paths per customer, environment, data center, etc. | Access control based on Azure credentials, service principals and identities. | |
| API and CLI | API and CLI providing full functional capability: https://www.vaultproject.io/api/secret/ | REST API: https://docs.microsoft.com/en-us/rest/api/keyvault/ | |
| Security | Vault data is encrypted at rest as well as in transit. In case of compromise, Vault provides a sealing capability that locks the vault and blocks all access. | Managed and secured by Microsoft using industry-standard security algorithms. | Kubernetes Secrets are only base64 encoded by default. Kubernetes 1.13 and above supports encryption at rest, but it has to be configured explicitly. |
| Backup and High Availability | Self-operated | Managed | Self-operated |
Feature Comparison
| Feature | Hashicorp Vault | Azure Key Vault | Kubernetes Secrets |
|---|---|---|---|
| Dynamic Secrets (secrets created at runtime and expired after use) | Yes | No | No |
| Certificate Management | Yes | Yes | Yes (certs stored as secrets) |
| Data Encryption | Yes | Yes | Yes (needs additional config) |
| Key Rotation (lease and renewal) | Yes | Yes | No |
| Access Control (ACL) | Yes | Yes | Yes (no control over pod admin access) |
| Integration with a variety of databases and tools | Yes | No | No |
| Custom Plugin Support | Yes | No | No |
| Kill switch in case of compromise (seal vault) | Yes | No | No |
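The Security row and the Data Encryption feature row above note that Kubernetes Secrets are only base64 encoded unless encryption at rest is configured. The following Python is an added example, not code from the original article: it decodes a constructed Secret manifest to show that base64 hides nothing, and inspects a constructed kube-apiserver EncryptionConfiguration to tell whether new writes are actually encrypted (the first listed provider is the one used for writes, so an `identity` provider listed first leaves Secrets in plaintext).

```python
import base64
import copy

# Constructed sample Secret (values made up), as `kubectl get secret -o json` prints it.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "db-creds", "namespace": "orders"},
    "data": {
        "username": "b3JkZXJzX3N2Yw==",  # base64("orders_svc")
        "password": "czNjcjN0",          # base64("s3cr3t")
    },
}

# Constructed kube-apiserver EncryptionConfiguration (--encryption-provider-config),
# parsed form. The FIRST provider encrypts new writes; all are tried on reads, so
# with `identity` first Secrets still land in etcd as plaintext.
WEAK_ENCRYPTION_CONFIG = {
    "apiVersion": "apiserver.config.k8s.io/v1", "kind": "EncryptionConfiguration",
    "resources": [{
        "resources": ["secrets"],
        "providers": [
            {"identity": {}},
            {"aescbc": {"keys": [{"name": "key1", "secret": "<base64 32-byte key>"}]}},
        ],
    }],
}

def decode_secret_data(secret):
    """Plaintext of every `data` value. base64 is encoding, not encryption:
    anyone who can read the object (API or etcd) recovers the values with no key."""
    return {k: base64.b64decode(v).decode() for k, v in secret.get("data", {}).items()}

def write_provider_per_resource(config):
    """Map each resource type to the provider used for new writes ('identity' = plaintext)."""
    status = {}
    for entry in config.get("resources", []):
        providers = entry.get("providers", [])
        first = next(iter(providers[0])) if providers else "identity"
        for resource in entry.get("resources", []):
            status[resource] = first
    return status

def move_identity_last(config):
    """Hardened copy: cipher providers first so writes are encrypted; `identity` kept
    last so pre-existing plaintext objects stay readable until they are rewritten."""
    hardened = copy.deepcopy(config)
    for entry in hardened.get("resources", []):
        providers = entry.get("providers", [])
        entry["providers"] = ([p for p in providers if "identity" not in p]
                              + [p for p in providers if "identity" in p])
    return hardened
```

After switching the provider order, existing Secrets remain plaintext in etcd until each one is rewritten, so reordering the config alone does not retroactively protect old objects.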
Hashicorp Vault is currently the market leader in vault solutions and has the most comprehensive feature coverage. The biggest challenge with Hashicorp Vault is operating and managing it. As a user you are responsible for setup, maintaining HA, backups, scalability and so on, which can take quite some operations effort.
Azure Key Vault, on the other hand, is completely managed by Azure and is one of its tier 1 services. As a user you only have to worry about integrating with it and can leave everything else to Azure.
If you go with Hashicorp Vault Enterprise, the cost difference between Azure Key Vault and Hashicorp Vault can be significant. Hashicorp Vault's licensing model is quite complex and expensive. Hashicorp Vault Enterprise costs around $300K per cluster, while Azure Key Vault costs only around $0.03 per 10,000 transactions.
Kubernetes Secrets is a built-in service of Kubernetes and requires no additional operations effort. It has its own limitations, as noted in the comparison.
Let us know about your experience and views on secrets management and vault solutions in the comments.