What are the best shared secret managers?

Question

Sysadmin

What are the best shared secret managers?

12

Options
Considered

22

User
Recs.

Jan 25, 2022

Last
Updated

12 Options Considered

Best shared secret managers	Price	Last Updated
-- Ansible Vault	-	Sep 3, 2019
-- Box Enterprise Key Management	-	Apr 10, 2018
-- HashiCorp Vault	-	Feb 7, 2020
-- CloudFlare Red October	-	Jan 25, 2022
-- Conjur	-	Nov 8, 2017

See Full List

Built By the Slant team

Find the best product instantly.

4.7 star rating

Try it now - it's free

score 3 · Answer 1

Ansible Vault

Top Pro

The documentation does a good job on explaining how to use it

The official documentation of Ansible vault does a great job at explaining how Ansible Vault works and how to use the easy UI for encrypting, decrypting, and re-keying your secrets for storing in source control. See More

Top Con

No way of exposing just the key in the key-value pair

Ansible vault files are encrypted YAML key-value stores. The entire file is encrypted, and so it's impossible to indicate which keys are defined within the vault without also viewing values. See More

Top Pro

Allows keeping encrypted data in ansible playbooks easily

Ansible uses configuration files called playbooks which are used to describe a policy that the remote system needs to follow. Though there is often a need to keep data from these configurations files encrypted when using source control. Doing this in Ansible's Vault is pretty easy, simply running: ansible-playbook site.yml --ask-vault-pass will run a playbook which uses encrypted data. See More

See All

score 3 · Answer 2

Box Enterprise Key Management

Top Con

Costs more than the standard Box service

Box EKM is built as a complementary but still separate service than the storage service that Box provides. As such, it costs extra to use EKM to store secrets of data hosted with Box's cloud hosting. See More

Top Pro

Box provides cloud services with enterprise maintaining control over encryption keys

Box provides dedicated hardware (HSMs) that the enterprise has complete control over and can provide access to Box in a granular way with Box in turn providing cloud services such as deduplication, search indexing, information rights management, etc. See More

score 6 · Answer 3

HashiCorp Vault

Top Pro

Free and open source

Hashicorp Vault is a free and open source tool. The source code is available on GitHub. See More

score 1 · Answer 4

CloudFlare Red October

Top Pro

Fully open source

Red October is fully open source, from the encryption library to the UI modules. Everyone can inspect the code hosted on GitHub or fork it and implement it to suit their needs if they have to. See More

Top Con

Uses its own crypto library

Red October uses its own crypto implementation in to encrypt secrets. While it's not necessarily a security risk, it would be safer to use a crypto library that has proven it's worth and that has been used for a long time in a lot of projects. See More

Top Pro

Uses the "two-man rule" for extra security

Red October was built to add an extra layer of security inside organizations. The "two-man rule" that Red October employs means that data can only be decrypted if two or more users provide the necessary keys. See More

See All

score 2 · Answer 5

Conjur

Top Pro

Can bundle different cloud services into a single interface

If a company uses more than a cloud service on which they run their platform, you don't need to use a different service to manage secrets for each of them, instead Conjur bundles all of them in a simple to use user interface. See More

Top Pro

Easy setup

Setting up Conjur is pretty easy. All a user has to do is install the client, set up an account and through the guidance of the user interface, choose the operations with which the developers will use to control their data and servers. See More

Top Pro

Provides tools for monitoring activity

Conjur provides detailed information on activity of all users and changes within the secret storage. It also provides graphs and comes with a warning system to make monitoring easier. See More

See All

score 1 · Answer 6

LastPass Enterprise Shared Folders

Top Pro

Accessible to non-technical people

LastPass provides a straightforward graphical user interface for creating and managing shared folders, secrets and user-groups. It does not require understanding the underlying technology to use. See More

Top Con

The service has security issues

On Jun 15, 2015 LastPass issued a statement that attackers gained access to their system and got their hands on hashed master passwords. See More

score 2 · Answer 7

StackExchange Blackbox

Top Pro

Easily share secrets with other team members

Since the secrets file is stored in the remote VCS server, anyone that has access to it (team members) also have access to the secrets file. See More

Top Pro

Free and open source

StackExchange Blackbox is free and open source. It's released under the MIT license and its source code is freely available on GitHub. See More

Top Pro

Uses a VCS repo to store the secrets

SE Blackbox works with Git, Mercurial, Subversion and Perforce to store encrypted secrets file in a repository. Files are automatically encrypted and decrypted using GNU Privacy Guard. See More

See All

score 3 · Answer 8

SecretHub

Top Pro

Client-side encryption

Everything is encrypted client-side. Only the people or machines you share a secret with, can decrypt it. See More

Top Pro

Audit logging

Every action you or your team members perform is logged. The audit logs give you full insight into who did what, when. See More

Top Pro

Open Source

All client-side code is available on GitHub. See More

Top Pro

As a Service

Do not worry about hosting your secret management solution, it is provided As as Service. See More

See All

Answer 9

Keywhiz

Top Pro

Versioning support

Keywhiz supports versioning secrets through its admin UI or CLI utilities. See More

Top Con

Still in alpha stage

Keywhiz is still in a very early stage of its development and may not be ready for production yet since it's prone to changes and may have some security issues. See More

score 1 · Answer 10

Amazon Key Management Service

Top Pro

Extremely secure

Amazon has used a lot of techniques to harden the process of storing and securing keys in its service. For example, keys are not stored on disk, nor are they allowed to persist in memory. Amazon employees can not access a user's secret keys physically and the keys themselves are stored in the same geographical region as the application they belong to. See More

Top Con

Does not generate certificates

KMS does not generate certificates, in order to generate them you have to roll out your own solution. See More

Top Pro

Easy to use from a single dashboard

AWS Key Management Service offers a single unified dashboard that teams can use to manage and store their secrets used in applications hosted on AWS services. In the dashboard users can create keys, retrieve them and audit key usage through detailed information offered to them See More

See All

Answer 11

Chef Encrypted Data Bags

Answer 12

Thycotic Secret Server

Top Pro

Free Version Available

NB: Free edition does not have all features. See comparison chart: https://thycotic.com/products/secret-server/features/ See More

Top Con

Prices are not published

To gain a quote, you need to contact Thycotic Sales; prices are not published openly on their site. You can obtain a quote via: https://thycotic.com/products/request-a-quote/ See More

Top Pro

Geo-Replication

Top Con

More advanced features incur a cost

See https://thycotic.com/products/secret-server/features/ for comparison of editions. See More

Top Pro

Clustering (HA)

Top Pro

Unlimited Admin / Break Glass

Top Pro

Custom Ticket System Integration

Top Pro

SSH Dependencies

Top Pro

SQL Dependencies

Top Pro

PowerShell Dependencies

Top Pro

PowerShell Password Changing

Top Pro

Application API

Top Pro

Web Services API

Top Pro

SSH Key Management

Top Pro

Unix SUPM

Top Pro

Keystroke Logging

Top Pro

Session Monitoring

Top Pro

Session Recording

Top Pro

Proxying RDP & SSH

Top Pro

HSM Integration

Top Pro

SAP Integration

Top Pro

IBM z/OS Integration

Top Pro

SIEM Integration

Top Pro

SAML Integration

Top Pro

CRM Integration

Top Pro

Vulnerability Scanning Integration

Top Pro

Workflow: Native Ticket System Integration

Top Pro

Workflow: Checkout (OTP)

Top Pro

Workflow: DoubleLock

Top Pro

Workflow: Request Access

Top Pro

Workflow: Require Comment

Top Pro

FIPS Compliance

Top Pro

Custom Reports

Top Pro

Scheduled Reports

Top Pro

Event Subscriptions

Top Pro

Dual Control

Top Pro

Discover and Manage Service Accounts

Top Pro

Discovery Rules

Top Pro

Discover Local Accounts

Top Pro

Automated Distributed Engine

Top Pro

Automated Secret Policy

Top Pro

Automated Heartbeat

Top Pro

Automated Changing of Network Passwords

Top Pro

IP Address Restrictions

Top Pro

Automatic Backups

Top Pro

Email Notifications

Top Pro

Auditing & Reports

Top Pro

Password “Hiding”

Top Pro

Smartphones and Devices

Top Pro

Import / Export

Top Pro

Web Password Filler

Top Pro

RDP/PuTTY Support

Top Pro

Active Directory Integration

Top Pro

File Attachments

Top Pro

Folders & Permissions

Top Pro

Role Based Access Control

Top Pro

Two Factor Authentication

Top Pro

AES 256 Encryption

Uses a recognised secure encryption protocol. See More

See All

12 Options Considered

My Recommendation for Ansible Vault

My Recommendation for Ansible Vault

The documentation does a good job on explaining how to use it

No way of exposing just the key in the key-value pair

Allows keeping encrypted data in ansible playbooks easily

My Recommendation for Box Enterprise Key Management

My Recommendation for Box Enterprise Key Management

Costs more than the standard Box service

Box provides cloud services with enterprise maintaining control over encryption keys

My Recommendation for HashiCorp Vault

My Recommendation for HashiCorp Vault

Free and open source

My Recommendation for CloudFlare Red October

My Recommendation for CloudFlare Red October

Fully open source

Uses its own crypto library

Uses the "two-man rule" for extra security

My Recommendation for Conjur

My Recommendation for Conjur

Can bundle different cloud services into a single interface

Easy setup

Provides tools for monitoring activity

My Recommendation for LastPass Enterprise Shared Folders

My Recommendation for LastPass Enterprise Shared Folders

Accessible to non-technical people

The service has security issues

My Recommendation for StackExchange Blackbox

My Recommendation for StackExchange Blackbox

Easily share secrets with other team members

Free and open source

Uses a VCS repo to store the secrets

My Recommendation for SecretHub

My Recommendation for SecretHub

Client-side encryption

Audit logging

Open Source

As a Service

My Recommendation for Keywhiz

My Recommendation for Keywhiz

Versioning support

Still in alpha stage

My Recommendation for Amazon Key Management Service

My Recommendation for Amazon Key Management Service

Extremely secure

Does not generate certificates

Easy to use from a single dashboard

My Recommendation for Chef Encrypted Data Bags

My Recommendation for Chef Encrypted Data Bags

My Recommendation for Thycotic Secret Server

My Recommendation for Thycotic Secret Server

Free Version Available

Prices are not published

Geo-Replication

More advanced features incur a cost

Clustering (HA)

Unlimited Admin / Break Glass

Custom Ticket System Integration

SSH Dependencies

SQL Dependencies

PowerShell Dependencies

PowerShell Password Changing

Application API

Web Services API

SSH Key Management

Unix SUPM

Keystroke Logging

Session Monitoring

Session Recording

Proxying RDP & SSH

HSM Integration

SAP Integration

IBM z/OS Integration

SIEM Integration

SAML Integration

CRM Integration

Vulnerability Scanning Integration

Workflow: Native Ticket System Integration

Workflow: Checkout (OTP)

Workflow: DoubleLock