Sam Gabrail – Platform Engineer
A Smarter Vault Alternative
Is HashiCorp Vault really the best option for secrets management?
Or is there a smarter, more cost effective alternative?
Vault is powerful, but let’s be honest, it comes with complexity, high licensing costs, and a steep learning curve.
Setting up clusters, managing your application, and configuring policies can be a headache. And as your infrastructure scales, so do the costs and operational burdens. What if there was a way to simplify security without sacrificing control? In this video, we’re comparing HashiCorp Vault with Akeyless, breaking down architecture, secrets management, authentication, and access policies to show you how Akeyless can streamline security and cut costs.
If you’re looking for a Vault alternative that’s easier to manage and more budget friendly, stick around. Let’s get started. In this demo, I really want to compare the following items. The first is the architecture of Akeyless versus HashiCorp Vault.
Then we’re going to take a look at the secrets engines. That’s what they’re called in Vault, but in reality these are the secret types that both products offer. Then we’re going to talk about the authentication methods. That’s how we can access either Akeyless or Vault.
Then we’ll talk about policies and access roles, which are really the authorization mechanisms in those systems. And finally, as a bonus at the very end, we’re going to talk about secure remote access. So stick around till the end to learn about that.
Here, I have both products side by side, Akeyless architecture on the left and the vault architecture on the right. And when I talk about architecture, I’m really talking about architecture in terms of scale. Let’s start with vault, and vault has two mechanisms for replication. The first is called performance replication, and the second is disaster recovery or DR replication for short.
So the first thing you wanna think of is where the applications live, and you wanna have a vault cluster wherever the application that you have lives. So if you have an application on the East Coast and one on the West Coast and maybe some applications in central, so you’ll need a cluster in each one of those regions.
And then you can use performance replication to get an active-active-active kind of setup across all your Vault clusters, and performance replication replicates static secrets across them. You can’t replicate dynamic secrets, because the assumption is that each application will consume secrets from its local cluster. There’s also the idea of disaster recovery, and you can have a disaster recovery cluster in region or across regions.
And, of course, there’s a whole lot of design considerations that have to be put into place as you’re architecting the solution: understanding your RPO, your RTO, how your application behaves and how it’s set up, and what is acceptable from a business perspective.
So as you can see, it can get really complicated really fast. But on top of that, it is pretty pricey. Every cluster you have to pay for both the hardware that you’re standing up in these regions, plus, of course, the additional licensing that you have to pay HashiCorp. Now let’s shift gears to Akeyless.
And on the left hand side, as you can see, we’ve got Akeyless, and you can see the external environment and the public network. So Akeyless is made up of the back end SaaS, which you can see here on the left hand side, and then what we call Akeyless gateways. So you’ll have an Akeyless gateway in every private network that you have. So you might have applications that run in particular regions in AWS, and you might have some on prem applications, maybe something in Azure or GCP.
So you’re going to stand up a gateway in every one of those private networks that you own. And the Akeyless gateway is a very lightweight stateless application that you can run as a Kubernetes application, or you can have it as a standalone Docker container as well. And then from there, the users are talking to the gateways directly, and they’re not talking externally to the SaaS. And then there’s, of course, communication between the gateway and the SaaS over outbound connections, as you can see here.
But what this does, it makes it so easy to scale and you can, like I said, put a gateway in every private network that you own and not have to worry about excessive hardware or even licensing costs. So it scales very well as your applications across the different regions also scale. Next, let’s talk about secrets.
On the right hand side, I’ve got Vault. It’s running Vault version 1.18.4 Community Edition, and I’ll show you what is missing from the community edition compared to enterprise in just a little bit. And on the left hand side, I have Akeyless.
Now let’s jump into the secrets engines first on Vault. And if you go and enable new engine, you’ll see a few that are available here in the UI.
And a note on the UI, the Vault UI has always been playing catch up with the API and the CLI. So there are things that will not show up in the UI that you’d have to enable or run from the CLI or the API.
So here we’ve got the generic key value pair. We’ve got PKI certificates, SSH, transit, which is encryption as a service, time-based one-time passwords (TOTP), LDAP, Kubernetes. We have a few dynamic secrets here for the clouds, AliCloud, AWS, Azure, and GCP, and some dynamic secrets for infrastructure like Consul, a number of databases, Nomad, and RabbitMQ. Now if we jump into Akeyless real quick and go to the top here, click on Items.
They’re called items inside of Akeyless. So go to Items and click New. You’ll see quite a few. Encryption keys: these allow you to create encryption as a service.
You can use these encryption keys to encrypt plain text and get back ciphertext and vice versa. There’s static secrets, which is similar to the KV store for any arbitrary secrets.
There’s rotated secrets, which is not available in Vault.
And really what these do is they allow you to automatically, on a schedule or on demand, rotate the secrets that allow Akeyless to connect to a third party system. So if you pick on AWS as a cloud, for example, you can have a rotated secret with AWS, and this allows you to rotate that secret on a schedule, like I said. But again, in terms of Vault, the credential for the original connection between Vault and the system is not rotated automatically. You would have to do this manually.
But in terms of Akeyless, this is done automatically for you on a schedule. Next, we got dynamic secrets, and there’s a whole lot of them. And if we compare those in Akeyless to Vault, I think Akeyless has a bit more. And you can see a bunch of databases.
The databases are also available here if we go and look at the documentation. So if you go to the documentation for the secrets engines in Vault, you’ll see under databases there is a number of databases: Cassandra, Elasticsearch, InfluxDB, and so on.
There’s a whole lot of them here. And then the clouds, of course, AWS, Azure, GCP, similar to this. We’ve got Kubernetes, EKS, GKE, generic. We also have RDP, which is quite interesting. And we also have Artifactory, Chef, Docker Hub, GitHub, GitLab. These are not available in Vault.
Google Workspace, LDAP, we saw that in Vault as well. Ping is not available in Vault. RabbitMQ, you can see here as well. Venafi. Alright. So from a secrets perspective, what I want you to take away from this is that basically Akeyless has pretty much everything that Vault has and a little bit more. So that’s a key thing to make sure you are comfortable with: if you are moving into Akeyless, you’re probably going to have all the use cases covered from a secrets perspective.
Now just to be fair here and jump into Vault real quick, I said that the Vault UI isn’t necessarily the best, and you can see some of the secrets engines that are available, especially in the enterprise version. So key management is available here, which is also available in Akeyless under Encryption and KMS.
And then we have KMIP, which is also available here under KMIP in Akeyless.
Here’s PKI certificates. We saw that in both systems.
And the transform engine is also available if we go back and click on Items, New.
So the tokenizer is the transform engine pretty much in vault.
Transit, we talked about that one. Secret sync is the universal secrets connector inside of Akeyless.
And you can see here the universal secrets connector. Like I said, everything in Vault is available in Akeyless and even a little bit more. Let’s now move on and talk about authentication methods. And this is really what enables a client, whether a user or a machine or application, to access the secrets manager, whether it’s Vault or Akeyless.
So in Vault, these are called auth methods or authentication methods under access. And if you go in here, you’ll see we can enable different kinds of auth methods.
AppRole is considered a machine authentication method, which is similar to a username and password and is kind of a last resort if you don’t have an auth method that is suitable.
You see JWT, OIDC, TLS certificates, usernames and passwords. Whenever you talk about auth methods, think about whether a human is authenticating or a machine. There are some clouds as well. So if you have a VM running in AWS, an EC2 instance, it can authenticate directly into Vault using the AWS auth method, which is a very elegant way to solve the secret zero problem.
But, again, you have to be on a platform that provides an identity to the resources that it spins up, which is the case with the cloud here. There’s also Kubernetes. There’s LDAP, Okta, RADIUS. So a number of auth methods are available in Vault.
On the Akeyless side, if we open up here and go to users and auth methods and click on new, you’ll see there’s a lot of auth methods available here as well.
We have a generic API key. We have Universal Identity, which is incredible. This is my favorite when it comes to authenticating machines that live on prem, that live maybe in VMware, where VMware doesn’t give an identity to the resources it spins up. So this is a very elegant solution, and I think it’s even more elegant than the AppRole that Vault has.
There are other methods as well for users: email, LDAP, OIDC, SAML. For applications, you can see certificates, Kerberos, Kubernetes, OAuth. For cloud, we’ve got AWS, Azure, GCP, OCI, and so on. Now let’s talk about the authorization mechanisms in both systems.
So in Vault, these are called policies, ACL policies.
And an ACL policy takes the form of something like this: a path.
Everything in Vault is path based, and then capabilities.
And you can see there are multiple paths and multiple capabilities for exactly what you want to do in Vault.
This tends to be one of the hardest things I’ve seen with my customers when it comes to working with Vault: understanding exactly what is happening. You need to understand the API of Vault very well to identify the actual path and what capabilities you’ll need to add for that path in your policies.
If you don’t do this, many times you’re of course going to get a 401 error that you’re not allowed to do something, or a 403 error, which is fine from a security point of view. But again, I find that a little bit more difficult than it needs to be to be able to secure the system.
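To make the path-plus-capabilities idea concrete, here is an added example (not from the video and not HashiCorp’s code) that models Vault’s ACL check in a reduced form: a constructed policy in the shape of Vault’s path blocks, a matcher for `+` and trailing `*`, and a `check` function that reports which rule won and why a request is allowed or refused. It assumes Vault’s documented precedence (exact path over globs, `deny` over everything) and the KV v2 layout where reads hit `secret/data/...` and listing hits `secret/metadata/...`.

```python
"""Simplified model of Vault's path-based ACL evaluation (added example).
Three rules are modelled: '+' matches exactly one path segment, a trailing '*'
matches any suffix, an exact path beats any glob (longest glob wins otherwise),
and a 'deny' capability on the winning rule overrides all other grants."""

# Constructed policy, written like the path blocks of a Vault HCL policy.
# KV v2 splits paths: reading a secret hits secret/data/..., listing keys hits
# secret/metadata/..., which is a frequent cause of unexpected 403s.
APP_POLICY = [
    ("secret/data/app/*", {"read"}),
    ("secret/metadata/app/*", {"list"}),
    ("secret/data/app/prod-db", {"deny"}),  # exact path: overrides the glob above
]


def _match(pattern: str, path: str) -> bool:
    """True if `path` is covered by `pattern` ('+' = one segment, trailing '*' = glob)."""
    glob = pattern.endswith("*")
    pseg, rseg = pattern.rstrip("*").split("/"), path.split("/")
    if glob:
        if len(rseg) < len(pseg):
            return False
        *head, tail = pseg  # the last pattern segment may be a partial prefix
        return (all(p in ("+", r) for p, r in zip(head, rseg))
                and rseg[len(head)].startswith(tail))
    return len(pseg) == len(rseg) and all(p in ("+", r) for p, r in zip(pseg, rseg))


def check(policy, path: str, capability: str, operation_is_list: bool = False):
    """Return (allowed, reason) for one request evaluated against `policy`."""
    if operation_is_list and not path.endswith("/"):
        path += "/"  # Vault checks LIST requests against the path with a trailing slash
    hits = [(pat, caps) for pat, caps in policy if _match(pat, path)]
    if not hits:
        return False, f"no rule covers {path}"
    # exact matches outrank globs; among globs the longest (most specific) wins
    winner = max(hits, key=lambda h: (not h[0].endswith("*"), len(h[0])))[0]
    caps = set().union(*(c for pat, c in hits if pat == winner))
    if "deny" in caps:
        return False, f"{winner} denies access"
    if capability in caps:
        return True, f"{winner} grants {capability}"
    return False, f"{winner} grants {sorted(caps)}, not {capability}"


if __name__ == "__main__":
    for path, cap, is_list in [("secret/data/app/db", "read", False),
                               ("secret/data/app/db", "list", False),
                               ("secret/metadata/app", "list", True),
                               ("secret/data/app/prod-db", "read", False)]:
        print(path, cap, check(APP_POLICY, path, cap, is_list))
```

The second request in the demo loop is the classic mistake the video alludes to: `list` on the `secret/data/` path is refused even though the policy grants listing, because listing belongs on the `secret/metadata/` path.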
On the Akeyless side, we can go over to access roles.
And in access roles, you can create any kind of access role, tie it to an auth method, and set some rules for it. So if I pick on, let’s say, a Kubernetes role like this one, you see that it’s tied to a particular authentication method called Kubernetes. It is also path based. So this one is called my Kubernetes auth method, and this one has rules.
And the rules are basically the permissions for what we’re allowed to do. In this case, we’re allowed to read and list on this particular path recursively for all items. I can add more permissions here for different things like access roles, auth methods, targets, secure remote access, and, of course, items for secrets, then add a path, like I said, and add the permissions, which can be create, read, update, delete, list, or deny. Very similar to the capabilities that we saw in Vault.
But I find this a lot more intuitive, a lot easier to create, and a lot easier to find out where you might be missing permissions, missing capabilities.
So I find that Akeyless does a better job of creating these authorization mechanisms within the system itself. Next is secure remote access, which is not available in HashiCorp Vault itself but is available in HashiCorp Boundary.
And there is some integration between Boundary and Vault, of course, but I like how this is a licensed feature in Akeyless and pretty much integrated into the Akeyless product as a whole. And as you can see here, you can expose different kinds of access to different resources. I have SSH to a couple of resources, PostgreSQL, where I can directly access the database, RDP into a Windows machine, and also the Azure portal.
So I can quickly SSH into one of my target machines here, like this one. I’ll go in and get a CLI.
And I’m already connected here.
And of course, I can go into this postgres database as well. I can connect through the web portal.
And you kind of get the idea here.
And now I’m in a Windows machine, as you can see. So again, it’s great to see secure remote access as part of the Akeyless solution, well integrated into the product.
So when it comes to secrets management, HashiCorp Vault is a solid solution, but it comes with complexity, high costs, and operational overhead.
Akeyless, on the other hand, offers a streamlined, scalable alternative with easier deployment, built in secure remote access, and a pricing model that helps you cut costs without sacrificing security. If you’re looking for a more efficient and cost effective way to manage your secrets, Akeyless might be a better fit. I encourage you to check it out.