Avassa Secrets Management and HashiCorp Vault – A Comparison

Avassa Secrets Management and HashiCorp Vault are two products with the common objective of storing secrets securely, both at rest and in use. Both offer extensive support for cryptographic operations as well as auditing and access control. In this blog I take a deeper dive into the two solutions and how well each fits distributed edge environments.

How is distributed edge secrets management different from central, cloud-based secrets management? Let’s compare

The key distinctions between Avassa Secrets Management and HashiCorp Vault follow from their different target use cases. Avassa is built for distributed edge deployments and scales across thousands of locations, including sites with unreliable internet connectivity. HashiCorp Vault, in contrast, is designed for cloud and data center environments.

HashiCorp Vault’s architecture is a single cluster, optionally replicated to a small number of secondary clusters. It has broad integration with other systems and an extensive array of plugins and storage backends. It has no built-in mechanism for one-to-many distribution of secrets to many remote sites, and its multi-tenancy is limited to namespaces within one cluster.

Avassa Secrets Management stores secrets, but its particular focus is distributing secrets from a central location to edge sites. Secrets are distributed only to the edge sites that need them, which limits the exposure if a site is breached. Avassa was designed for multi-tenancy from the start: each tenant is cryptographically isolated from all other tenants, and all secrets belonging to a tenant are protected by a tenant-unique seal and stored separately from other tenants’ secrets. Compare this with HashiCorp Vault, which provides only a weaker, logical separation through namespaces that share the cluster’s seal and storage.


Advantages of Using Avassa at the Edge

One of the key advantages of Avassa is that it was designed specifically for edge deployments from the start, so it addresses the challenges particular to that environment. For instance, Avassa has extensive support for zero-touch provisioning of an edge site while preserving the integrity of every secret. This can be done in several ways, such as using client certificates, or by keeping secrets in pre-populated TPMs (Trusted Platform Modules) or FSMs (Fused Security Modules).

In large-scale deployments with potentially thousands of sites, a site must be able to unseal itself securely without an operator present. Avassa supports a wide range of auto-unseal options, chosen to fit the customer’s requirements. For example, at a site with multiple hosts, Shamir’s Secret Sharing can split the unseal secret into shares held by different hosts, so that a threshold number of hosts must be present to reconstruct it and the compromise of a single host reveals nothing about the secret.

Avassa also supports auto-unsealing while offline, which is vital for edge locations with intermittent or unreliable connectivity. The security parameters for auto-unsealing (for example the number of shares and the threshold needed to reconstruct) can be tuned to the specific requirements, so Avassa adapts to a broad range of deployment environments.
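As an added example, and not code from Avassa or HashiCorp, the following Python models the threshold unseal described in the two paragraphs above: a site’s seal key is split into one share per host, any k hosts reconstruct it locally with no call to the central control plane, and a key-check value stored beside the sealed data detects a wrong reconstruction before anything is decrypted. The host numbering, the check-value label and the use of the secp256k1 field prime are assumptions made for illustration.

```python
"""Threshold unseal of an edge site with Shamir's Secret Sharing.

Illustrative code, not Avassa's or Vault's implementation. Shares are
integers in GF(P); any k of n shares recover the seal key, k-1 reveal
nothing. Only the standard library is used.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Field prime (secp256k1's), chosen only because it exceeds a 256-bit key.
# Any prime larger than the secret would do; this is an assumption.
P = 2**256 - 2**32 - 977


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... (mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(seal_key: bytes, n: int, k: int) -> Dict[int, int]:
    """Split seal_key into n shares with threshold k.

    Returns {host_id: share}; host ids 1..n are an assumed numbering.
    The constant term of the random polynomial is the secret itself.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    s = int.from_bytes(seal_key, "big")
    if s >= P:
        raise ValueError("seal key does not fit in the field")
    coeffs = [s] + [secrets.randbelow(P) for _ in range(k - 1)]
    return {host: _eval_poly(coeffs, host) for host in range(1, n + 1)}


def recover_secret(shares: Dict[int, int], length: int = 32) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from the given shares.

    With fewer than k shares this returns a value, but one consistent with
    every possible secret, so the caller must verify it (see unseal_site).
    """
    xs = list(shares)
    s = 0
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if i != j:
                num = num * (-j) % P
                den = den * (i - j) % P
        s = (s + shares[i] * num * pow(den, P - 2, P)) % P
    return s.to_bytes(length, "big")


def key_check_value(seal_key: bytes) -> str:
    """HMAC tag stored next to the sealed data; label is an assumption."""
    return hmac.new(seal_key, b"site-seal-kcv", hashlib.sha256).hexdigest()


def unseal_site(available: Dict[int, int], k: int, kcv: str) -> bytes:
    """Unseal from whichever hosts are up; purely local, no network.

    Raises if fewer than k hosts answered or if the reconstructed key
    fails the check value (e.g. a tampered or stale share).
    """
    if len(available) < k:
        raise RuntimeError(f"only {len(available)} of {k} shares available")
    # Any k shares suffice; take the first k that answered.
    subset = dict(list(available.items())[:k])
    key = recover_secret(subset)
    if not hmac.compare_digest(key_check_value(key), kcv):
        raise RuntimeError("reconstructed key failed check value")
    return key


if __name__ == "__main__":
    # Provisioning time: 5 hosts at the site, any 3 can unseal.
    seal = secrets.token_bytes(31)  # 31 bytes keeps the value below P
    shares = split_secret(seal, n=5, k=3)
    kcv = key_check_value(seal)
    # Boot time with hosts 1 and 4 down: hosts 2, 3 and 5 unseal offline.
    up = {h: shares[h] for h in (2, 3, 5)}
    assert unseal_site(up, 3, kcv) == seal
    print("site unsealed from hosts", sorted(up))
```

Two design points are worth noting. The check value is what turns "any k-1 shares" into a hard failure instead of silently decrypting with garbage, and it is keyed with the reconstructed key rather than stored in the clear, so it leaks nothing about the seal key on its own. Also, `split_secret` rejects keys at or above the field prime rather than reducing them, since a reduced key would no longer round-trip.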

These capabilities reflect Avassa’s edge-focused design: secure, scalable and reliable secrets management across distributed edge sites.