mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 15:11:07 +02:00
Code Issues Projects Releases Wiki Activity

Merge pull request #207 from NathanMcCauley/master

Browse Source 
update info on keywhiz vs vault
This commit is contained in:
Armon Dadgar 2015-05-15 10:33:59 -07:00
commit c01c85fc5b
1 changed files with 17 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
website/source/intro/vs/keywhiz.html.md
View File

@ -9,31 +9,34 @@ description: |-
# Vault vs. Keywhiz # Vault vs. Keywhiz
Keywhiz is a secret management solution built by Square. Keywhiz Keywhiz is a secret management solution built by Square. Keywhiz
has a client/server architecture. Clients of Keywhiz make use of has a client/server architecture based on a RESTful API. Clients of
a FUSE filesystem to expose secrets as files on disk, and use Unix Keywhiz access secrets through the API by authenticating with a client
file permissions for access control. Underneath, the Keywhiz clients certificate or cookie. To allow for flexible consumption of secrets by arbitrary
use mutual TLS (mTLS) to authenticate with a Keywhiz server, which software, clients may also make use of a FUSE filesystem to expose secrets
serves secrets. as files on disk, and use Unix file permissions for access control. Human
operators may authenticate using a cookie-based authentication either via command
line utilities or through a management web interface.
Vault similarly is designed as a comprehensive secret management Vault similarly is designed as a comprehensive secret management
solution. The client interaction with Vault is much more flexible, solution. The client interaction with Vault is flexible
both for authentication and usage of secrets. Vault supports [mTLS both for authentication and usage of secrets. Vault supports [mTLS
authentication](/docs/auth/cert.html) along with many [other authentication](/docs/auth/cert.html) along with many [other
mechanisms](/docs/auth/index.html). The goal being to make it easy to mechanisms](/docs/auth/index.html). The goal being to make it easy to
authenticate as a machine for programmatic access and as a human for authenticate as a machine for programmatic access and as a human for
operator usage. operator usage.
Vault exposes secrets via an API and not over a FUSE filesystem. The Vault and Keywhiz expose secrets via an API. The Vault
[ACL system](/docs/concepts/policies.html) is used [ACL system](/docs/concepts/policies.html) is used
to protect secrets and gate access, and depends on server side enforcement to protect secrets and gate access, similarly to the
instead of Unix permissions on the clients. All auditing is also done Keywhiz ACL system. With Vault, All auditing is done
server side using [audit backends](/docs/audit/index.html). server side using [audit backends](/docs/audit/index.html).
Keywhiz focuses on storage and distribution of secrets and decouples Keywhiz focuses on storage and distribution of secrets and supports
rotation, and expects external systems to be used for periodic key rotation. rotation through secret versioning, which is possible in the Keywhiz UI and
Vault instead supports dynamic secrets, generating credentials on-demand for command-line utilities. Vault also supports dynamic secrets and generating credentials
fine-grained security controls, auditing, and non-repudiation. Key rotation on-demand for fine-grained security controls, but adds first class support
is a first class concern for Vault, so that no external system needs to be used. for non-repudiation. Key rotation is a first class concern for Keywhiz and Vault, so
that no external systems need to be used.
Lastly Vault forces a mandatory lease contract with clients. All secrets read Lastly Vault forces a mandatory lease contract with clients. All secrets read
from Vault have an associated lease which enables operators to audit key usage, from Vault have an associated lease which enables operators to audit key usage,