2015-05-02 22:05:32 +00:00
|
|
|
---
|
|
|
|
layout: "intro"
|
|
|
|
page_title: "Vault vs. Keywhiz"
|
|
|
|
sidebar_current: "vs-other-keywhiz"
|
|
|
|
description: |-
|
|
|
|
Comparison between Vault and Keywhiz.
|
|
|
|
---
|
|
|
|
|
|
|
|
# Vault vs. Keywhiz
|
|
|
|
|
2016-08-22 13:19:13 +00:00
|
|
|
Keywhiz is a secret management solution built by Square. Keywhiz has a
|
|
|
|
client/server architecture based on a RESTful API. Clients of Keywhiz access
|
|
|
|
secrets through the API by authenticating with a client certificate or cookie.
|
|
|
|
To allow for flexible consumption of secrets by arbitrary software, clients may
|
|
|
|
also make use of a FUSE filesystem to expose secrets as files on disk, and use
|
|
|
|
Unix file permissions for access control. Human operators may authenticate
|
|
|
|
using a cookie-based authentication either via command line utilities or
|
|
|
|
through a management web interface.
|
2015-05-02 22:05:32 +00:00
|
|
|
|
2016-08-22 13:19:13 +00:00
|
|
|
Vault similarly is designed as a comprehensive secret management solution. The
|
|
|
|
client interaction with Vault is flexible both for authentication and usage of
|
|
|
|
secrets. Vault supports [mTLS authentication](/docs/auth/cert.html) along with
|
2018-04-03 11:53:38 +00:00
|
|
|
many [other mechanisms](/docs/auth/index.html). The goal is to make it easy
|
2016-08-22 13:19:13 +00:00
|
|
|
to authenticate as a machine for programmatic access and as a human for
|
2015-05-13 07:08:15 +00:00
|
|
|
operator usage.
|
2015-05-02 22:05:32 +00:00
|
|
|
|
2016-08-22 13:19:13 +00:00
|
|
|
Vault and Keywhiz expose secrets via an API. The Vault [ACL
|
|
|
|
system](/docs/concepts/policies.html) is used to protect secrets and gate
|
|
|
|
access, similarly to the Keywhiz ACL system. With Vault, all auditing is done
|
2017-09-21 21:14:40 +00:00
|
|
|
server side using [audit devices](/docs/audit/index.html).
|
2015-05-02 22:05:32 +00:00
|
|
|
|
2016-08-22 13:19:13 +00:00
|
|
|
Keywhiz focuses on storage and distribution of secrets and supports rotation
|
|
|
|
through secret versioning, which is possible in the Keywhiz UI and command-line
|
|
|
|
utilities. Vault also supports dynamic secrets and generating credentials
|
|
|
|
on-demand for fine-grained security controls, but adds first class support for
|
|
|
|
non-repudiation. Key rotation is a first class concern for Keywhiz and Vault,
|
|
|
|
so that no external systems need to be used.
|
2015-05-02 22:05:32 +00:00
|
|
|
|
2018-01-15 19:33:41 +00:00
|
|
|
Lastly, Vault forces a mandatory lease contract with clients. All secrets read
|
2015-05-02 22:05:32 +00:00
|
|
|
from Vault have an associated lease which enables operators to audit key usage,
|
|
|
|
perform key rolling, and ensure automatic revocation. Vault provides multiple
|
2016-08-22 13:19:13 +00:00
|
|
|
revocation mechanisms to give operators a clear "break glass" procedure after a
|
|
|
|
potential compromise.
|