When comparing CloudFlare Red October vs Ansible Vault, the Slant community recommends Ansible Vault for most people. In the question “What are the best shared secret managers?” Ansible Vault is ranked 1st while CloudFlare Red October is ranked 4th. The most important reason people chose Ansible Vault is:
The official documentation of Ansible Vault does a great job of explaining how Ansible Vault works and how to use the easy UI for encrypting, decrypting, and re-keying your secrets for storing in source control.
Pros
Pro Fully open source
Red October is fully open source, from the encryption library to the UI modules. Everyone can inspect the code hosted on GitHub or fork it and implement it to suit their needs if they have to.
Pro Uses the "two-man rule" for extra security
Red October was built to add an extra layer of security inside organizations. The "two-man rule" that Red October employs means that data can only be decrypted if two or more users provide the necessary keys.
Pro The documentation does a good job of explaining how to use it
The official documentation of Ansible Vault does a great job of explaining how Ansible Vault works and how to use the easy UI for encrypting, decrypting, and re-keying your secrets for storing in source control.
Pro Allows keeping encrypted data in ansible playbooks easily
Ansible uses configuration files called playbooks to describe a policy that the remote system needs to follow. There is often a need to keep data from these configuration files encrypted when they are stored in source control.
Doing this with Ansible Vault is pretty easy. Simply running:
ansible-playbook site.yml --ask-vault-pass
will run a playbook which uses encrypted data.
Cons
Con Uses its own crypto library
Red October uses its own crypto implementation to encrypt secrets. While it's not necessarily a security risk, it would be safer to use a crypto library that has proven its worth and that has been used for a long time in a lot of projects.
Con No way of exposing just the key in the key-value pair
Ansible Vault files are encrypted YAML key-value stores. The entire file is encrypted, and so it's impossible to indicate which keys are defined within the vault without also viewing values.
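An added example (not from the original page or from the Ansible project's code) of what this con means in practice: the sketch below reads the vault 1.1/1.2 file envelope and returns everything visible without the password, which is format metadata and sizes but no variable names. The function names and the sample file, built from placeholder bytes rather than real encryption, are constructed for illustration.

```python
import binascii

HEADER_PREFIX = "$ANSIBLE_VAULT"

def build_sample_vault(ciphertext: bytes) -> str:
    """Constructed sample in the vault 1.1 layout; bytes are placeholders."""
    salt, hmac = b"\x01" * 32, b"\x02" * 32
    # Body is hex(hex(salt) \n hex(hmac) \n hex(ciphertext)), wrapped at 80 columns.
    inner = b"\n".join(binascii.hexlify(p) for p in (salt, hmac, ciphertext))
    body = binascii.hexlify(inner).decode()
    lines = [body[i:i + 80] for i in range(0, len(body), 80)]
    return "$ANSIBLE_VAULT;1.1;AES256\n" + "\n".join(lines) + "\n"

def inspect_vault(text: str) -> dict:
    """Return everything readable from a vault file without the password."""
    header, _, body = text.partition("\n")
    fields = header.strip().split(";")
    if fields[0] != HEADER_PREFIX or len(fields) < 3:
        raise ValueError("not an Ansible Vault file (plaintext secrets?)")
    try:
        inner = binascii.unhexlify("".join(body.split()))
        salt, hmac, ciphertext = (binascii.unhexlify(p) for p in inner.split(b"\n"))
    except (binascii.Error, ValueError) as exc:
        raise ValueError("vault header present but body is malformed") from exc
    # Only envelope metadata is available here: no YAML keys, no values.
    return {
        "format_version": fields[1],
        "cipher": fields[2],
        "vault_id": fields[3] if len(fields) > 3 else None,  # 1.2 header only
        "salt_bytes": len(salt),
        "hmac_bytes": len(hmac),
        "ciphertext_bytes": len(ciphertext),
    }

if __name__ == "__main__":
    sample = build_sample_vault(b"\xaa" * 48)
    print(inspect_vault(sample))
    try:
        inspect_vault("db_password: example-value\n")  # constructed plaintext file
    except ValueError as err:
        print("rejected:", err)
```

The same check can be run over files before they are committed, to confirm that a file meant to be a vault actually carries the encrypted envelope.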