Re: Incubation Proposal: CredHub (credential manager)


Dan Jahner
 

Hi Wayne -

When you say that your customers would prefer to use Vault as their "at-rest" store, do you know the motivation driving that preference? I assume the concern is primarily focused on the encryption, not the data storage itself (which Vault delegates to standard data stores, e.g. Consul, MySQL, etc.).

CredHub is being developed to provide a pluggable encryption provider interface, which allows users to select the appropriate provider based on their needs. For example, most customers in high security environments would select a hardware security module to perform these cryptography operations.

An integration with Vault doesn’t make sense in this context, because interfacing with the entire Vault codebase to leverage only its encryption features would create an inferior experience to implementing these algorithms natively with well-respected Java libraries. If your customers’ concern is specifically the algorithm, you’ll be happy to know that both the internal software and HSM client providers in CredHub will support AES256-GCM, which is the same algorithm used by Vault.

Please let me know if you have any additional thoughts or concerns.
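To make the "pluggable encryption provider" idea concrete, here is an added example (not CredHub's code, and in Go rather than CredHub's Java, since the pattern is language-independent): a credential store that depends only on a hypothetical `EncryptionProvider` interface, plus the "internal software" flavour of that provider built on Go's standard-library AES-256-GCM. The interface, type and function names are assumptions for illustration. An HSM-backed provider would satisfy the same interface while keeping the key inside the module; only the software provider is shown because it runs offline. The record name is bound to each ciphertext as GCM additional authenticated data, so a blob cannot be quietly moved to another record, and the demo at the end shows GCM rejecting a tampered blob.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptionProvider is the pluggable contract the credential store programs
// against. Hypothetical interface for illustration; it is not CredHub's own.
type EncryptionProvider interface {
	Name() string
	// aad is authenticated but not encrypted; the store passes the record name
	// so the ciphertext is tied to the record it was written for.
	Encrypt(plaintext, aad []byte) ([]byte, error)
	Decrypt(blob, aad []byte) ([]byte, error)
}

// SoftwareAESGCMProvider is the "internal software" provider: the 256-bit key
// lives in process memory. An HSM provider would implement the same interface.
type SoftwareAESGCMProvider struct {
	aead cipher.AEAD
}

func NewSoftwareAESGCMProvider(key []byte) (*SoftwareAESGCMProvider, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SoftwareAESGCMProvider{aead: aead}, nil
}

func (p *SoftwareAESGCMProvider) Name() string { return "software-aes256-gcm" }

// Encrypt returns nonce || ciphertext || GCM tag. The nonce is fresh per call;
// reusing a nonce under the same key would break GCM's guarantees.
func (p *SoftwareAESGCMProvider) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, p.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return p.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt verifies the tag (covering ciphertext and AAD) before returning plaintext.
func (p *SoftwareAESGCMProvider) Decrypt(blob, aad []byte) ([]byte, error) {
	ns := p.aead.NonceSize()
	if len(blob) < ns+p.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return p.aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// CredentialStore depends only on the interface, so providers are swappable.
type CredentialStore struct {
	provider EncryptionProvider
	records  map[string][]byte // record name -> encrypted blob
}

func NewCredentialStore(p EncryptionProvider) *CredentialStore {
	return &CredentialStore{provider: p, records: map[string][]byte{}}
}

func (s *CredentialStore) Set(name string, value []byte) error {
	blob, err := s.provider.Encrypt(value, []byte(name))
	if err != nil {
		return err
	}
	s.records[name] = blob
	return nil
}

func (s *CredentialStore) Get(name string) ([]byte, error) {
	blob, ok := s.records[name]
	if !ok {
		return nil, fmt.Errorf("no credential named %q", name)
	}
	return s.provider.Decrypt(blob, []byte(name))
}

func main() {
	key := make([]byte, 32) // constructed demo key, generated fresh each run
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	p, _ := NewSoftwareAESGCMProvider(key)
	store := NewCredentialStore(p)
	_ = store.Set("/demo/db-password", []byte("s3cr3t"))
	v, _ := store.Get("/demo/db-password")
	fmt.Printf("provider=%s value=%s\n", p.Name(), v)

	// Flip one byte of the stored blob: the GCM tag check rejects it.
	blob := store.records["/demo/db-password"]
	blob[len(blob)-1] ^= 0x01
	_, err := store.Get("/demo/db-password")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The point of the interface is that `CredentialStore` never sees key material or algorithm details; swapping in a provider that delegates `Encrypt`/`Decrypt` to an HSM changes nothing in the store.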
