

I need to store very sensitive secrets that a user provides me with (username+password+certificate for authenticating into a 3rd party API). I was first considering AWS Secrets Manager, which is very expensive and IMHO mainly for infrastructure secrets (database passwords, API keys...).

Now I'm deciding between using AWS KMS (and storing the secrets encrypted in a database (AWS RDS) using envelope encryption) and Hashicorp Vault. From what I've read, I've come to the conclusion that Vault KV is mainly for infrastructure secrets and Vault Transit might be somewhat equivalent to AWS KMS (as in, better for customer-provided secrets).

Since I'm building a very small application, if I decide to use the Vault KV, I won't need a database at all. But I'm not sure if Vault KV is the right fit. Is there some limitation or a possible problem (for this use-case) with Vault KV I should be aware of?

AWS KMS is really only to manage the main master key. Parameter store will use KMS under the hood to manage its encryption keys. And if you deploy Vault in AWS, you'll probably use KMS too to unseal and as the master key. You probably don't want to use KMS directly (because the other solutions give you per secrets/path policies, secret versioning, audit logs, all features you probably want/need that KMS won't give you directly).

Vault KV secrets engine versus Vault transit secrets engine

The Vault key-value secrets engine lets you store the secret, and Vault manages the encryption, audit logs, accesses (and versions if you use KV v2).

The transit secrets engine can be seen as "encryption as a service": you call it to create a keyring (think about it as a data encryption key, with rotation mechanisms built in, hence the keyring). Then you can call it with a keyring reference to either encrypt some stuff, and get some encrypted cipher text back that you can store in a database, or in a file. Or you can do the reverse, and call it with a keyring reference, some cipher text, and ask it to decrypt this and get the data back (assuming you have the correct policies). Or, if the data you want to encrypt/decrypt is "large" (depending on your use case), you can use it to get a data key you can use to locally encrypt/decrypt your data (you get the key, encrypt or decrypt it, but you don't have to deal with the encryption key security: Vault manages that for you, so you can just clean it from memory, and get it back from Vault the next time).

I do love both, but for different use cases, so let me list the main differences I see between both, and hopefully, it will give you enough context to make your choice: Should you use Vault or AWS SSM Parameter Store?
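As an added example, not code from the original thread or from HashiCorp, here is the "large data" path of the transit workflow described in the answer, in Go with only the standard library: ask transit for a data key, encrypt the user's blob locally with AES-GCM, persist only the wrapped key next to the ciphertext, wipe the plaintext key, and later unwrap the key through transit/decrypt to read the blob back. The Vault address, token and keyring name are assumed inputs, the `vault:v1:PLACEHOLDER` value in `main` is a constructed stand-in for a real wrapped key, and the same `transitPost` helper also serves the plain `encrypt/<keyring>` and `decrypt/<keyring>` calls for small secrets.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
)

// Envelope is what gets persisted (database row or file): the data key as
// wrapped by transit ("vault:v1:..." ciphertext) plus the locally produced
// AES-GCM nonce and ciphertext. The plaintext data key is never stored.
type Envelope struct {
	WrappedKey string `json:"wrapped_key"`
	Nonce      []byte `json:"nonce"`
	Ciphertext []byte `json:"ciphertext"`
}

// SealLocally encrypts plaintext with a transit data key (16, 24 or 32 bytes).
// The wrapped key is bound as GCM additional data, so swapping the wrapped key
// between two stored envelopes makes the tag check fail on decrypt.
func SealLocally(dataKey []byte, wrappedKey string, plaintext []byte) (Envelope, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return Envelope{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per message
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(wrappedKey))
	return Envelope{WrappedKey: wrappedKey, Nonce: nonce, Ciphertext: ct}, nil
}

// OpenLocally decrypts an envelope with the data key transit unwrapped from
// env.WrappedKey; any change to nonce, ciphertext or wrapped key is rejected.
func OpenLocally(dataKey []byte, env Envelope) ([]byte, error) {
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.WrappedKey))
}

// Zero wipes the plaintext data key once the local operation is done; it can
// always be recovered from Vault by unwrapping env.WrappedKey again.
func Zero(b []byte) {
	for i := range b {
		b[i] = 0
	}
}

// transitData holds the fields we need from a transit response's "data" object.
type transitData struct {
	Plaintext  string `json:"plaintext"`  // base64-encoded
	Ciphertext string `json:"ciphertext"` // "vault:v1:..."
}

// transitPost calls POST <vaultAddr>/v1/transit/<path> with a JSON body.
// vaultAddr and token are assumed to come from VAULT_ADDR / VAULT_TOKEN.
func transitPost(vaultAddr, token, path string, body map[string]string) (transitData, error) {
	var out struct {
		Data transitData `json:"data"`
	}
	payload, _ := json.Marshal(body)
	req, err := http.NewRequest("POST", vaultAddr+"/v1/transit/"+path, bytes.NewReader(payload))
	if err != nil {
		return out.Data, err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return out.Data, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return out.Data, fmt.Errorf("transit %s: HTTP %d", path, resp.StatusCode)
	}
	err = json.NewDecoder(resp.Body).Decode(&out)
	return out.Data, err
}

// NewDataKey asks transit for a fresh data key under keyring and returns the
// decoded plaintext key for local use plus the wrapped form to persist.
func NewDataKey(vaultAddr, token, keyring string) ([]byte, string, error) {
	d, err := transitPost(vaultAddr, token, "datakey/plaintext/"+keyring, map[string]string{})
	if err != nil {
		return nil, "", err
	}
	key, err := base64.StdEncoding.DecodeString(d.Plaintext)
	return key, d.Ciphertext, err
}

// UnwrapDataKey sends the stored wrapped key to transit/decrypt; Vault returns
// the plaintext key only if the caller's policy allows decrypt on that keyring.
func UnwrapDataKey(vaultAddr, token, keyring, wrapped string) ([]byte, error) {
	d, err := transitPost(vaultAddr, token, "decrypt/"+keyring, map[string]string{"ciphertext": wrapped})
	if err != nil {
		return nil, err
	}
	return base64.StdEncoding.DecodeString(d.Plaintext)
}

func main() {
	// Constructed sample, no Vault needed: a 32-byte key standing in for the
	// plaintext data key and a placeholder for transit's wrapped key.
	key := []byte("0123456789abcdef0123456789abcdef")
	env, err := SealLocally(key, "vault:v1:PLACEHOLDER", []byte("user-supplied certificate bytes"))
	if err != nil {
		panic(err)
	}
	Zero(key) // only env (wrapped key + ciphertext) is persisted from here on
	fmt.Printf("stored %d-byte ciphertext wrapped under %s\n", len(env.Ciphertext), env.WrappedKey)
}
```

With a running Vault the flow is `NewDataKey` then `SealLocally` then `Zero` on write, and `UnwrapDataKey` then `OpenLocally` then `Zero` on read; the policy granted to the application only needs `update` on `transit/datakey/plaintext/<keyring>` and `transit/decrypt/<keyring>`, so the keyring itself never leaves Vault and every unwrap shows up in the audit log.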
