Tradeoff on secret management

Market players

• Azure Key Vault
• Keepas/Lastpass
• Hashicorp vault
• CyberArk Conjur -- > Same as Hashicorp vault with less functionalities
• Bitwarden

Introduction

This tradeoff aims at comparing secret application management to select the fittest for the needs of COPRS project. To perform this task, this tradeoff will use the following criteria:

• Cloud native
• Server deployment
• Traceability, audit and compliance
• Security level
• Features
• Reputation/Community
• Licensing
• Compatibility with Kubernetes and container technology
• Cost/Resources
• Hardening ...

Market players analyze

Azure Key Vault

Azure Key Vault is a cloud service for securely storing and accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, or cryptographic keys.

• Cloud native -- >Yes - Only accessible from Azure or Windows
• Server deployment -- > No - No service can be downloaded for Linux
• API management -- > Yes
• Traceability, audit and compliance -- >Yes - Log records and audit Secret usage
• Authentication Local/Centralized -- > Centralized
• Security level -- > Very high - Can be protected by HSM for premium account
• Features -- >
  • Use identity-based access control instead of cryptographic keys.
  • Use standard and recommended encryption algorithms.
  • Store keys and secrets in managed key vault service. Control permissions with an access model.
  • Rotate keys and other secrets frequently. Replace expired or compromised secrets.
• Reputation/Community -- > Medium – Stackshare Stacks 42 Followers 47
• Licensing -- > Customer based
• Compatibility with Kubernetes and container technology Yes (plugin C.S.I Container Storage Interface)
• Cost/Resources 0,026 €/10 000 transactions
• Hardening -- > High - Software-protected keys in safes (SKU Premium and Standard) FIPS 140-2 niveau 1

---

• Pro : high security (HSM storage)
• Cons : dedicated to windows feature

---

Sources

• https://docs.microsoft.com/en-us/azure/key-vault/general/security-features
• https://docs.microsoft.com/en-us/azure/key-vault/managed-hsm/overview

Keepas/Lastpass

Keepass and Lastpass have the same feature (with plugin/addon for keepass). The difference is in the support and better UI for Lastpass, but in case of that Keepass is full free than Lastpass avec paid version (for the support).

• Cloud native -- > No
• Server deployment -- > Yes – multi-platform
• API management -- > Yes – Via plugin keerest
• Traceability, audit and compliance -- >No -
• Authentication Local/Centralized -- > Local or Centralized(keerest)
• Security level -- > Very high - Certified by ANSSI
• Features -- >
  • Multiple User Keys
  • Portable and No Installation Required, Accessibility
  • Export To TXT, HTML, XML and CSV Files
  • Import from Many File Formats
  • Easy Database Transfer
  • Support of Password Groups
  • Time Fields and Entry Attachments
  • Strong Random Password Generator
• Reputation/Community -- > High - Stackshare Stacks 63 Followers 73 and 11.3K GitHub stars and 911 GitHub forks
• Licensing -- > Open Sources (GNUV2)
• Compatibility with Kubernetes and container technology -- > No
• Cost/Resources -- > 3 euro/month (Lastpass)
• Hardening -- > High
  • Advanced Encryption Standard (AES / Rijndael) 256 bits NIST FIPS 197
  • ChaCha20 256 bits RFC 7539

---

• Pro : ANSSI certification et big community
• Cons : Poor ad equation with cloud aspect

---

Sources

• https://connect.ed-diamond.com/MISC/misc-108/keerest-mettez-du-devops-dans-votre-keepass
• https://www.ssi.gouv.fr/entreprise/certification_cspn/keepass-version-2-10-portable/
• https://keepass.info/plugins.html

Hashicorp vault

Hashicorp Vault is a tool for securely accessing secrets. A secret is anything that you want to tightly control access to, such as API keys, passwords, certificates, and more. Vault provides a unified interface to any secret, while providing tight access control and recording a detailed audit log.

• Cloud native -- > Yes
• Server deployment -- > Yes
• API management -- > Yes – API/CLI/WEB
• Traceability, audit and compliance -- >Yes - Log records and audit Secret usage
• Authentication Local/centralized -- > Local or Centralized (OAuth, OpenID Connect compatible)
• Security level -- > Very high
• Features -- >
  • Secure Secret Storage: Vault encrypts these secrets prior to writing them to persistent storage
  • Dynamic Secrets: Vault can generate secrets on-demand for some systems, such as AWS or SQL databases.
  • Data Encryption: Vault can encrypt and decrypt data without storing it.
  • Leasing and Renewal: All secrets in Vault have a lease associated with it.
  • Revocation: Vault has built-in support for secret revocation
• Reputation/Community -- > Very High - Stackshare Stacks 593 Followers 611 and 22K GitHub stars and 3.1K GitHub forks
• Licensing -- > Open Sources (Open Source Software ("FOSS"))
• Compatibility with Kubernetes and container technology -- > Yes
• Cost/Resources -- > Cloud version: 0,03$/hr
• Hardening -- > Very High
  • aes128-gcm96: AES-GCM with a 128-bit AES key and a 96-bit nonce; supports encryption, decryption, key derivation and convergent encryption
  • aes256-gcm96: AES-GCM with a 256-bit AES key and a 96-bit nonce; supports encryption, decryption, key derivation and convergent encryption (default)
  • chacha20-poly1305: ChaCha20-Poly1305 with a 256-bit key; supports encryption, decryption, key derivation and convergent encryption
  • ed25519: Ed25519; supports signing, signature verification and key derivation
  • ecdsa-p256: ECDSA using curve P-256; supports signing and signature verification
  • ecdsa-p384: ECDSA using curve P-384; supports signing and signature verification
  • ecdsa-p521: ECDSA using curve P-521; supports signing and signature verification
  • rsa-2048: 2048-bit RSA key; supports encryption, decryption, signing and signature verification
  • rsa-3072: 3072-bit RSA key; supports encryption, decryption, signing and signature verification
  • rsa-4096: 4096-bit RSA key; supports encryption, decryption, signing and signature verification

---

• Pro: The popularity, the large functionalities, the huge security, big flexibility
• Cons : Lot a functionalities that we not need

---

Sources

• https://github.com/hashicorp/vault
• https://www.socallinuxexpo.org/sites/default/files/presentations/SCALE%202020-Secrets%20Management_0.pdf
• https://blog.wescale.fr/2019/09/11/vault-cookbook/

Bitwarden

Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. Bitwarden offers a cloud-hosted service as well as the ability to deploy the solution on-premises.

• Cloud native -- > Yes -
• Server deployment -- > Yes – Multiplatform, mobile included
• API management -- > Yes – API/CLI/WEB
• Traceability, audit, and compliance -- >Yes - Log records and audit Secret usage
• Authentication Local/Centralized -- > Local and Centralized
• Security level -- > High
• Features -- >
  • End-to-end encryption: All cryptographic keys are generated and managed by the client is done locally.
  • Zero knowledge encryption: Your data remains encrypted end-to-end with your individual email and Master Password.
  • Secure password sharing: A combination of Asymmetric and Symmetric encryption protects sensitive information as it is shared.
  • Open source and source available code: The source code for all Bitwarden software products is hosted on GitHub
  • Privacy by design: Bitwarden stores all of your logins in an encrypted vault that syncs across all of your devices.
  • Security Audit & Compliance: Open source and third-party audited, Bitwarden complies with AICPA SOC2 Type 2 / Privacy Shield, GDPR, and CCPA regulations.
• Reputation/Community --> High – Stackshare Stacks 146 Followers 212 and 8.5K GitHub stars and 720 GitHub forks
• Licensing -- > Open sources
• Compatibility with Kubernetes and container technology --> Yes
• Cost/Resources -- > free ( 10$/year for hosted one)
• Hardening -- > High –
  • AES-CBC 256-bit encryption, salted hashing
  • PBKDF2 SHA-256

---

• Pro: Platform compatibility, really secured, cloud compatible.
• Cons : Missing “less privilege” and “HA function”

---

Sources

• https://bitwarden.com/images/resources/security-white-paper-download.pdf
• https://www.safetydetectives.com/best-password-managers/bitwarden/
• https://en.wikipedia.org/wiki/Bitwarden
• https://github.com/bitwarden

Conclusion

It exists a lot of Secret Vault/Manager, many of these a dedicated to one type of use (I.E configuration management, cloud secret, Devops purpose, etc). This trade of focus on market player which have a good rating and can have feature interesting for our need

Azure key vault, is interesting with high security (HSM storage) but too dedicated to windows feature

Keepass/Last pass have a good point: an ANSSI certification et big community to develop plenty of plugin, addon. Unfortunately, his poor adequation with cloud aspect will never make a good need for our needs

Bitwarden, could be the real competitor. it has a lot of platform compatibility, it is really secured, cloud compatible, but missing some points like “less privilege” or “HA compatible”.

Regarding all the elements cited above, we preconize the use of Hashicorp Vault as Secret manager. The popularity, the large functionalities, the huge security (encryption, data exchange, etc) and The flexibility of deployment make this tool the best choice for our need.