I may have found an #opensource #Hashicorp Vault alternative called #conjur. Going to kick the tires on it on Monday.

EDIT- I may have found better options. See the thread.

https://www.conjur.org/

Secrets management made simple with programmable open source interface that securely authenticates, controls and audits non-human access across all environments.

It's a GPL code base and the getting started page immediately shows off integrating with #Ansible, #Jenkins, and #Kubernetes. We're off to a very promising start!
Hmmm, looks like it's actually open core, and things like HA, disaster recovery, and a webUI are a proprietary "Enterprise" add-on.

Looks like #Pinterest posted their own #opensource secrets management tool called #knox.

https://github.com/pinterest/knox

GitHub - pinterest/knox: Knox is a secret management service

Looks like #TMobile also published their own. Theirs is currently based on #Hashicorp Vault, so maybe they'll be the one to fork it to maintain their current project? Unfortunately, that repo hasn't been updated in over a year!

https://github.com/tmobile/t-vault

GitHub - tmobile/t-vault: Simplified secrets management solution

It seems they're not the only ones who offload the heavy lifting to #Hashicorp Vault. Looks like a bunch of #opensource projects that extended Vault are going to get screwed by this change.

https://github.com/tellerops/teller

GitHub - tellerops/teller: Cloud native secrets management for developers - never leave your command line for secrets.

And another "open core" company promising that they'll be different than Hashicorp.

https://infisical.com/blog/hashicorp-new-bsl-license

Hashicorp's New BSL License – What Changed?

Hashicorp switched the license for Vault, Terraform, Nomad, and other products. Learn everything you need to know about this, and how it could affect you.

Can it be, a promising truly #opensource #Hashicorp #Vault alternative? You can pay for hosting or on-prem support, but the stack appears to be fully FOSS and includes a webUI! #envkey

https://envkey.com/

EnvKey - Simple, secure, open source configuration and secrets manager.

Protect API keys and other secrets with end-to-end encryption. Keep configuration organized and in sync.

@vwbusguy this looks like a solution for my highly insecure #ansible playbooks too

https://github.com/hactar-is/ansible-envkey

GitHub - hactar-is/ansible-envkey: A lookup plugin for using EnvKey secrets in Ansible playbooks

@gnuplusmatt I saw that, but I looked at the lookup source code and I can't imagine that it actually works based on the code posted there. That said, I haven't tried it yet, so if you do, I'll be interested to know if it works for you.
@gnuplusmatt Heck, I might just write and publish a lookup myself if it doesn't work.
@gnuplusmatt Hmm, I looked at the envkey Python library and then at this lookup again and I think it should actually work just fine. I didn't realize that envkey populates os.environ. I'm looking forward to trying it out next week!

@vwbusguy I ran across Cloak in the past and plan to look into it when I have time. MIT license with hosting as a service. It looks promising but needs to mature.

https://github.com/purton-tech/cloak

GitHub - purton-tech/cloak: Secrets automation for developers

@vwbusguy Vault is easy to replace.

I’m worried about Terraform.