A Guide to Choosing a Secure Vault for Your Application Secrets and Keys

Pranav ShikarpurPranav Shikarpur
10 min read

So you’ve decided to throw away those .env files with all your app secrets and move to a more secure option. Well first off, congratulations 🎉, you’re on your way to evading cyber attacks involving exposed secrets!

Vault Considerations 🧐

While choosing a Vault service to store your secrets, there are a few factors you must consider:

  • Onboarding speed:

    • How long would it take your engineers to migrate over?

    • Would all my developers have up-to-date secrets?

  • Maintenance and Scalability:

    • Would I need more engineers just to manage my new Vault service?

    • How expensive does it get as my app scales?

  • Integrations:

    • Can I integrate my secrets manager into every platform where my application is run?
  • Secret Management Capabilities:

    • Does the secret manager support periodic rotation of secrets?

    • Does it version my previous secrets, so that I can refer back to older versions?

  • Key Management Capabilities:

    • What types of cryptographic algorithms does it support?

    • Can it periodically rotate my keys automatically?

    • In the world of quantum computing becoming a security threat, does the key manager support Quantum Safe Cryptography Algorithms?

These are a lot of questions you need to be asking while evaluating different Vaults as this could have long-term implications on how secure and fast your team can iterate and focus on app building.

Not to fear, because I’ve done the hard work for you 😉.

I’ve compared 4 different Vaults with an evaluation criteria that answer all the above questions.

Let’s look at our contenders:

  • Pangea Vault

  • Hashicorp Cloud Platform (HCP) Vault Secrets

  • Doppler

  • Hashicorp Vault

Pangea Vault

We built the Pangea Vault service because of a problem we as developers always faced - there’s no dead-simple way to store your app secrets and keys securely in a Vault. Pangea is built on the cardinal rules of cryptography:

  • Never hardcode secrets / keys

  • Always rotate secrets / keys periodically

18 years ago when Google Docs originally came out some skeptics were quick to point out all the features it didn’t have as compared with incumbent Microsoft Word. Obviously, today there are many, many users on Google Docs because it served a need to give just the right feature set to users who didn’t need “power user” features and were often lost in the many features offered in Word. Pangea Vault is much like the Google Docs player of the Vault arena today.

Screenshot of the Pangea Vault Secret Storage UI.

Let’s see how it performs in our evaluation:🕵️

  • Onboarding Speed 🏃:

    • Migration Time: Pangea has tools such as the Pangea CLI that lets you automatically migrate all your app secrets into Pangea’s Secure Vault

    • ⚠️ Team Access: When you invite team members into your Pangea project, they automatically have access to all app secrets in that project (for no extra cost).

      • Note: If you wish to restrict access, those controls can be configured by creating a new Pangea project.
  • Maintenance and Scalability 💪:

    • Scalability: Pangea Vault is a fully-managed service, so you don’t need to sweat about getting more engineering effort to manage the service.

    • Pricing: Generous free tier. Let’s assume for example your app scales and you have ~500 secrets, you’d be paying (500 secrets/keys + 10,000 secret/key operations) = $25.22 / month

  • Integrations ⚒️:

    • CLI: Pangea CLI works with Pangea Vault which allows you to inject secrets into your application runtime

    • ⚠️ External: Pangea Vault offers external integrations through the Pangea SDKs that are supported on most popular languages and frameworks.

  • Secret Management Capabilities 🤫:

    • Secret Rotation: Supports secret rotation which will help secure your apps, DBs, and other infrastructure

    • ✅ Secret Versioning: supports storing version history of old secrets after app secrets have been updated/rotated.

Key Management Capabilities 🔐:

  • Key Generation: Supports most NIST-recommended asymmetric and symmetric key generation algorithms

  • Key Rotation: Supports periodic key rotation ensuring secure data encryption practices.

  • Folder-based Rotation Policies: Supports the ability to add rotation policies to your entire folder of app keys.

  • Post Quantum Safe Algorithms: Supports NIST-certified cryptographic keys resistant against quantum computers. Signing algorithms (Dilithium-3 and SPHINCS) are currently supported, and encryption algorithms coming soon!

Who is Pangea Vault great for?

Pangea is great if you’re looking for an affordable all-in-one managed solution to securely store your keys and secrets and is part of a larger platform of security services that can reduce the overhead of adoption and learning of security to devs. Pangea is SOC2, ISO27001, and HIPAA compliant making it suitable for use in most industries. Pangea’s generous free tier and ease of setup allow you to use it from the start and scale up without having to sweat about growing infrastructure.

HCP Vault Secrets

Hashicorp Vault Secrets is a hosted secrets management platform that was released by the Hashicorp team in October 2023. HCP Vault Secrets is a good secrets management tool that lets you store secrets without having to take the burden of managing infrastructure, unlike Hashicorp Vault.

Let’s see how it performs on our evaluation metric 🕵️

  • Setup Speed 🏃:

    • Migration Time: HCP Vault Secrets has a simple method of importing secrets directly through the WebUI

    • ⚠️ Team Access: Although you can invite other team members, there is no way to restrict access to certain applications’ secrets. Invited team members get access to all secrets in all applications.

  • Maintenance and Scalability 💪:

    • Scalability: HCP Vault Secrets is a fully managed service, so you don’t need to sweat about getting more engineers to manage Vault infrastructure.

    • ⚠️ Pricing: Only 25 secrets are provided in the free tier. Assuming your app scales and you have ~500 secrets, you’d be paying (0.50 * 500) = $250 / month

  • Integrations ⚒️:

    • CLI: Vault CLI works with HCP Vault Secrets which allows you to inject secrets into the application runtime

    • External: HCP Vault Secrets also provides an extensive set of integrations with GitHub Actions, Vercel, and other Hashicorp products like Terraform

  • Secret Management Capabilities 🤫:

    • ⚠️ Secret Rotation: Supports periodic key rotation only in the paid tier

    • ❌ Secret Versioning: Doesn’t support secret versioning for the purposes of rollbacks.

  • Key Management Capabilities 🔐:

    • ❌ Unfortunately, HCP Vault Secrets doesn’t support storing cryptographic keys for actions such as data encryption, PKI / CA management, and message signing.

    • Post Quantum Safe Algorithms: Doesn’t support any key management algorithms.

Who is HCP Vault Secrets great for?

HCP Vault Secrets is a good option if you’re looking for a simple way to upload app secrets for a smaller / personal project with basic functionality. It might NOT be a great option if you expect to see your app scale in the future or if you’d like to have the ability to store a large number of secrets or use key management features for operations such as data encryption.

Doppler

Doppler is a managed Vault solution for your app secrets. It is a good pick with its simplistic UI design that lets you store app secrets in different environments for each application.

Let’s see how it performs on our evaluation metric 🕵️

  • Setup Speed 🏃:

    • Migration Time: Doppler has a simple feature to importing secrets directly through the WebUI from any .env, json, or YAML file.

    • ⚠️ Team Access: Under the free tier you can invite a maximum of 3 developers to use Doppler. Restricting access to certain app secrets is available only in the paid team plan.

  • Maintenance and Scalability 💪:

    • Scalability: Doppler is a fully-managed service, so you don’t need to sweat about getting more engineers to manage the vault.

    • ⚠️ Pricing: (by seats) Only up to 3 developers in the free tier. Once your team scales to, for instance, 10 members, you’d be paying (10 * 18) = $180 / month

  • Integrations ⚒️:

    • CLI: Doppler CLI works with Doppler which allows you to inject secrets into your application runtime

    • External: Doppler provides external integrations to a large set of popular deployment platforms and tools such as Vercel, GitHub Actions, Terraform, etc. However, the free tier only supports up to a max of 5 external integrations.

  • Secret Management Capabilities 🤫:

    • ⚠️ Secret Rotation: Supports secret rotation but only on the paid team plan

    • ✅ Secret Versioning: Supports storing version history of old secrets after app secrets have been updated / rotated.

  • Key Management Capabilities 🔐:

    • ⚠️ Key Generation: Only supports AES-256 and AES-128 for symmetric key types as well as elliptic curve cryptographic keys for asymmetric key types.

    • ⚠️ Key Rotation: Supports periodic key rotation only in the paid team plan

    • Post Quantum Safe Algorithms: Does not support any quantum-safe cryptographic algorithms resistant against quantum computers.

Who is Doppler great for?

Doppler is a good option if you’re looking for a secrets manager for a small team to store secrets and a minimal number of keys. It may NOT be a good option if you expect your team size to grow (due to the per-seat pricing model) and might also NOT be good if you want to set your organization up for quantum-safe data security.

Hashicorp Vault

Hashicorp is a self-hosted secret and key management software that is used by many enterprises. Vault was first launched in 2015, and has since been a popular tool adopted by developers. While the software is trusted by many enterprise companies, like with most software products, due to its significant increase in features over the years, the software has become a lot more tedious to set up, maintain, and scale.

Let’s see how it performs on our evaluation metric 🕵️

  • Setup Speed 🏃:

    • Migration Time: There are no migration tools from Hashicorp to migrate secrets to Hashicorp Vault directly. Many of them are third-party tools which usually increases the amount of engineering time spent on the migration.

    • Team Access: Has a full-fledged IAM authorization system (similar to AWS) which allows administrators to restrict or allow team members access to any app secrets.

  • Maintenance and Scalability 💪:

    • Scalability: Infrastructure for Hashicorp Vault needs to be managed by developers which could quickly become a burden on the company and slow down your development as the app scales. Hashicorp does offer a hosted version of Vault, which reduces this burden by a bit, but an administrator who understands how to securely configure Vault is still required.

    • ⚠️ Pricing: (pricing is based on infrastructure cost) For a production instance, on Hashicorp Cloud Platform = ~$360 / month

  • Integrations ⚒️:

    • CLI: Vault CLI works with Hashicorp Vault which allows you to inject secrets into your application runtime

    • External: Hashicorp Vault supports external integrations with many popular providers such as AWS Secrets Manager, AWS Lambdas, GitHub Actions, as well as all other Hashicorp products.

  • Secret Management Capabilities 🤫:

    • Secret Rotation: Supports secret rotation to maintain secure secrets across your application environments.

    • ✅ Secret Versioning: Supports storing version history of old secrets after app secrets have been updated / rotated for the purposes of rollbacks.

  • Key Management Capabilities 🔐:

    • ⚠️ Key Generation: Supports most NIST-certified encryption key algorithms but no signing key algorithms such as ED25519 a popular signing key algorithm used by developers.

    • ✅ Key Rotation: Supports periodic key rotation.

    • ❌ Post Quantum Safe Algorithms: Does not support any quantum-safe cryptographic algorithms resistant against quantum computers.

Who is Hashicorp Vault great for?

Hashicorp Vault is great for large companies and enterprises that want to keep all their secrets on-prem / self-hosted and have the resources to set up, maintain, and scale their Hashicorp Vault clusters. Hashicorp Vault might NOT be great for developer teams that are looking for a secret manager that’s quick to set up and integrate into their applications with no infrastructure maintenance.

TL;DR

Comparison table of different secrets and key managers comparing Pangea Vault, HCP Vault Secrets, Hashicorp Vault, and Doppler.

While all the above platforms are great choices each having its pros and cons, Pangea Vault is the best all-rounded, dead simple solution to store your app secrets and keys in a quick, affordable, and scalable way. Sign up today and use Vault with your app for free at https://l.pangea.cloud/Z4iVJDU.

0
Subscribe to my newsletter

Read articles from Pranav Shikarpur directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Pranav Shikarpur
Pranav Shikarpur