spire VS Vault

wget https://github.com/spiffe/SPIRE/releases/download/v1.11.2/SPIRE-1.11.2-linux-amd64-musl.tar.gz tar zvxf SPIRE-1.11.2-linux-amd64-musl.tar.gz cp -r spire-1.11.2/. /opt/spire/

If this seems a bit complicated, you could use SPIRE server to issue certificates and Otterize SPIRE integration operator to renew them in Kubernetes and update Secrets.

BlindSPOT: https://blindspotsec.com/ Specific graphic from BlindSPOT: https://blindspotsec.com/wp-content/uploads/2021/04/Failure_Before.jpg How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/dp/B01J4XYM16/ Monte Carlo simulation approach: https://embracethered.com/blog/posts/2020/red-teaming-and-monte-carlo-simulations/ D3FEND: https://d3fend.mitre.org/ ATT&CK mappings: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings ATT&CK evals: https://attackevals.mitre-engenuity.org/index.html CALDERA: https://github.com/mitre/caldera Offensive Countermeasures: https://www.amazon.com/dp/1974671690/ SPIFFE: https://spiffe.io/ SPIRE: https://github.com/spiffe/spire Zerotier: https://www.zerotier.com/ Zerotier libzt: https://github.com/zerotier/libzt

The effort to get this going seems the same or more than to get something like this rolling out. spire what do you see as the benefit of your approach.

OpenBao’s development seems heavily reliant on a single person, compared to multiple frequent long-term commiters to Vault.

Not sure if I’d feel comfortable switching from Vault to OpenBao!

OpenBao last 12 months: https://github.com/openbao/openbao/graphs/contributors?from=...

Vault last 12 months: https://github.com/hashicorp/vault/graphs/contributors?from=...

I’ve been running Nomad, Consul, and Vault (aka the full HashiStack) on an AWS EC2 instance for a while now. It worked.

Application Secret – is an additional secret (peppering) used alongside a password at the application level. If password hashes are leaked, attackers will need not only the list of passwords but also the specific secret used by each user. Requirements: UUID v4 minimum, the secret is stored exclusively in the application configuration, not in the database (good example – HashiCorp Vault)

Secure Storage of Credentials: Always store the client_id and client_secret securely. Use environment variables or a secure vault.

HashiCorp Terraform and Vault form a powerful combination in the DevSecOps landscape, embedding security into infrastructure provisioning and secrets management.

You should never store SSH key password directly in your code. I'll do it here purely for demonstration purposes, but in real life scenario I recommend storing and fetching it from remote vault. Just to have manageable "lockdown" procedure in case of security breach.

Furthermore, Hashicorp Vaults source code is open source: https://github.com/hashicorp/vault as part of their believes in the Kerckhoffs's principle. This means they do not believe in security by obscurity. That is why they leverage Golang crypto and x/crypto libraries to handle the heavy lifting associated with encrypting and decrypting data.

I work as an IT consultant. Over the past two years, we've been working with our client on a platform engineering project, where the use of HashiCorp Vault for secrets management was prevalent. Our Vault has enabled us to manage hundreds of credentials, increasing the security of our developer platform, and has resulted in a thorough and battle-tested configuration of our Vault which we can be proud of.

Cloud platforms provide tools like AWS Secrets Manager, Azure Key Vault, and Google Cloud Secret Manager for exactly this purpose. These services, which evolved from patterns Mitchell Hashimoto pioneered with Vault in 2015, store and encrypt your configuration.

Secure Secrets: Consider using Terraform’s Sensitive Variables or integrating with secret management tools like AWS Secrets Manager or HashiCorp Vault.