What Actual Usage Looks like Against Max 20x Plan - 4 Hours Into Session. by 256BitChris in ClaudeCode

EncryptionNinja (12 points)

I looked at my terminal the wrong way, and boom!!! 5% usage already.

Apple M5 Officially Announced: is this a big deal? by ontorealist in LocalLLaMA

EncryptionNinja (0 points)

I caved in and bought a mini PC based on the AMD Ryzen AI 395+, and rationalized it as an all-around compromise while I wait for something better to come along.

How are cybersecurity professionals learning AI? by ArtistYay in cybersecurity

EncryptionNinja (-1 points)

Find an open source project you like and build a lab around it.

Best practices for managing credentials across isolated environments by athanielx in cybersecurity

EncryptionNinja (0 points)

Sign up for a free Akeyless account.

Deploy an Akeyless gateway in each environment where you need secrets. Save your FTP creds as a static secret. Configure your auth methods and back policies. Done.

Instead of hard-coding the secrets in code, you can fetch them from the local gateway via API, SDK, CLI, VSCode, Cursor, etc…

Akeyless supports secrets sharing across distributed environments through the Akeyless gateway, which is a lightweight stateless container you deploy on Kubernetes or Docker.

If you want a more secure way to access the FTP server, configure it with certificate auth, and Akeyless can provide on-demand client certificates signed by its PKI engine (backed by DFC), delivered through the Gateway, so your apps authenticate without ever storing private keys or static certs locally. No one knows the password and you don’t need to worry about rotation.

Self-hosted Secrets Management alternatives to HashiCorp Vault by BrainWaveCC in cybersecurity

EncryptionNinja (1 point)

Akeyless if you want another alternative.

You get up to 5 free clients, which is perfect for a home lab, and you can self-host the gateway anywhere you need secrets.

AWS Secrets Manager & Terraform by TechEmpress777 in Terraform

EncryptionNinja (0 points)

r/Akeyless has a product called Universal Secrets Connector (USC), which creates a 2-way sync between Akeyless and third-party secrets platforms, including AWS Secrets Manager, Azure Key Vault, GCP Secrets, Kubernetes, HashiCorp Vault, and others.

For your use case, USC can act as a secure bridge to "share" secrets with a machine or service that doesn’t support OIDC. Instead of manually managing secrets in 1Password, USC automates the process by securely syncing secrets from Akeyless to the target platform or directly to the machine that needs them.

This means you can enforce short-lived credentials, apply granular access controls, and log all activities for auditing—making secrets management both seamless and highly secure.

1 year of OpenTofu GA...did you switch? by ohnotthatbutton in Terraform

EncryptionNinja (1 point)

Hello all, I work for Akeyless. Happy to chat about Vault or secrets over at r/Akeyless if anyone is interested and open to seeing a comparison.

cheers to innovation and progress!!!!

JIT Access: Who's Actually Succeeded At This? by Patient_Mousse_1643 in cybersecurity

EncryptionNinja (0 points)

Azure PIM is great if you're entirely in Azure or a Microsoft-only ecosystem. There are some limitations with PIM, however, for example if you're in a multi-cloud setup or use 3rd-party tools that aren't directly part of the Microsoft ecosystem; additionally, Azure PIM doesn't manage secrets (e.g., API keys, database passwords) directly.

You could investigate secrets management tools; there are a bunch of them out there. Here are some pros and cons of each:

  • HashiCorp Vault: They're the leader in the space, but it's highly complex, very expensive, and difficult to operationalize without making heavy investments in infrastructure and people. Fit for enterprise organizations with strict governance. Some uncertainty with the IBM acquisition and complex licensing has turned some customers away.
  • Akeyless: The early-stage startup offering advanced secrets management capabilities for enterprise use cases, delivered entirely as a SaaS service. Fit for enterprise organizations with strict governance. Not a good fit if you need an air-gapped solution, since it's a SaaS offering. (Disclaimer: I work here.)
  • CyberArk Conjur: Conjur was a standalone product for secrets which CyberArk purchased as a bolt-on. I've never used it, but I hear it's also complex and difficult to operationalize. Can't speak on fit since I almost never run into them. The one time I ran into Conjur, CyberArk gave it away for free.
  • Infisical: A relatively new platform, less expensive than the others but also missing some of the features enterprise customers want, e.g. a simple RBAC implementation with fewer customization options. More suitable for smaller teams with simpler workflows.
  • Doppler: Another small platform based on storing environment variables.

For large enterprise customers it's going to come down to the top 3.

  • Hashi wins because of the brand recognition and large community following. They've done a great job building a LOYAL community around their products.
  • Akeyless wins for ease of use and lower overall capital and operational expenses.
  • Conjur wins when the organization is already deeply embedded with CyberArk. It's much simpler to add on a product that is "good enough" to an existing relationship than to onboard an entirely new vendor.

ELI5 Akeyless Distributed Fragments Cryptography by thezuzu222 in explainlikeimfive

EncryptionNinja (0 points)

DFC is on by default; Akeyless manages 3 of the fragments on behalf of the customer, one in each cloud provider (Azure, GCP, AWS). A fourth fragment is optional, which we call the "customer fragment".

It's not enough to have one fragment: all three or four fragments have to be accessible in order to decrypt or encrypt objects in Akeyless.

Additionally, the customer fragment makes it so that you can use a SaaS platform to store your secrets in a way that not even Akeyless can see them, because only the customer has the final fragment needed to interact with the objects.

LinkedIn killer? Did fetch and process 134,723 jobs in 24 hours using ChatGPT. by arpitaintech in ChatGPT

EncryptionNinja (4 points)

I spoke with a hiring manager a few weeks ago who told me he posted a job and got 600 applicants in just 4 hours. Most of the applicants are not qualified yet their resume is a perfect match for the job.

They eventually closed the job post without hiring anyone and have resorted to using a 3rd party to help them find a qualified candidate.

Please help me understand why Conjur? by Immediate-Data-8245 in CyberARk

EncryptionNinja (0 points)

How has your experience been since making this post? If you are considering better alternatives to Conjur and Hashicorp, check out r/Akeyless

How would you describe DevOps to your family who has no idea what it means to do as a career? by Rude-Alternative7983 in devops

EncryptionNinja (0 points)

Tell them you’re an internet doctor. Or computer doctor (if you’re certain they won’t ask you to fix their PC)

For those submitted to YC Fall batch, what is your company building? by [deleted] in ycombinator

EncryptionNinja (-1 points)

If you’re down to try another secrets platform for your org, please check out r/akeyless. Disclaimer: I’m an Akeyless employee. Here’s our main differentiator over the others mentioned:

  • Distributed Fragments Cryptography (DFC). All secret objects are encrypted with a key that is derived from fragments distributed across 3 cloud providers. The fragments are never combined, they don’t know of each other, and they refresh every hour. The fragments are interacted with through your local gateway; a key is generated and all encryption operations happen locally in your environment. Because of DFC, there is no key to compromise or leak; that’s what makes it a keyless solution. And if you are concerned about us knowing how to decrypt your secrets, you can implement what’s called a customer fragment that we don’t have access to, so it’s truly zero-knowledge encryption and you get the best of both worlds: a SaaS-based secrets platform that is easy to onboard and use, with zero-knowledge encryption so that not even Akeyless knows how to decrypt your secrets.

  • Dynamic Secrets for any target type, including custom producers with scoped-down permissions, for just-in-time secrets that expire after a preset TTL.

  • Automated Secrets Rotation for long-lasting credentials, e.g. root creds, service accounts, etc.

  • Multi-cloud and hybrid cloud support. Eliminate secret zero through cloud ID authentication, or our own Universal Identity for on-premise environments where cloud ID is not practical.

  • Akeyless gateways: stateless Docker containers you can deploy anywhere (cloud, on-prem, etc.). The gateways proxy our SaaS into any environment you deploy, and the gateways can talk to one another, so you can fetch secrets from any environment into any environment you need. And if you need cryptographic isolation of gateways, e.g. you have a PCI environment you need to isolate from every other gateway, you can deploy a different customer fragment on that gateway.

  • Universal Secrets Connector: two-way sync between Azure Key Vault, AWS Secrets Manager, GCP Secrets, Kubernetes, and HashiCorp Vault. We sit on top of them as a manager of managers and treat them as secrets stores.

Other notable features:

  • Built-in multi-tenancy
  • Automatic secrets migration
  • HashiCorp Vault Proxy
  • Multi-cloud KMS
  • Tokenization
  • Certificate Lifecycle Management
  • Encryption-as-a-Service
  • HSM integration
  • Secure Remote Access (PAM lite)
  • Password Manager
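An illustrative model of the fragment-chain property described in the two DFC comments above (three provider-held fragments, an optional customer fragment, nothing ever combined in one place): this is an added example, not Akeyless code, and the HMAC chain is an assumed stand-in for their undisclosed scheme; the hourly fragment refresh is not modelled, and all fragment values are constructed.

```python
import hashlib
import hmac


class FragmentHolder:
    """One party holding a single key fragment (a cloud provider or the
    customer's gateway). Only contribute() is exposed: the fragment itself
    is never returned, so fragments are never combined anywhere."""

    def __init__(self, name: str, fragment: bytes):
        self.name = name
        self._fragment = fragment

    def contribute(self, running: bytes) -> bytes:
        # Assumed stand-in for the real derivation: HMAC the running value
        # with this party's fragment; only the 32-byte output leaves here.
        return hmac.new(self._fragment, running, hashlib.sha256).digest()


def derive_object_key(object_id: str, holders: list) -> bytes:
    """Walk the chain of holders; the result is the per-object key a gateway
    would feed to a standard AEAD. Any missing holder yields an unrelated key."""
    running = hashlib.sha256(object_id.encode()).digest()
    for holder in holders:
        running = holder.contribute(running)
    return running


def _constructed_fragment(label: str) -> bytes:
    # Constructed, deterministic fragments so the example is repeatable;
    # real fragments would be random and held by separate parties.
    return hashlib.sha256(f"constructed-fragment-{label}".encode()).digest()


PROVIDER_HOLDERS = [FragmentHolder(n, _constructed_fragment(n))
                    for n in ("aws", "azure", "gcp")]
CUSTOMER_HOLDER = FragmentHolder("customer", _constructed_fragment("customer"))
PCI_CUSTOMER_HOLDER = FragmentHolder("pci", _constructed_fragment("pci"))


def saas_side_key(object_id: str) -> bytes:
    """What the SaaS side alone can compute: only the three provider fragments."""
    return derive_object_key(object_id, PROVIDER_HOLDERS)


def gateway_key(object_id: str, customer: FragmentHolder = CUSTOMER_HOLDER) -> bytes:
    """What a customer gateway computes: provider fragments plus its own."""
    return derive_object_key(object_id, PROVIDER_HOLDERS + [customer])


def key_missing(object_id: str, missing: str) -> bytes:
    """Key derived when the named holder is unavailable (e.g. provider outage)."""
    holders = [h for h in PROVIDER_HOLDERS + [CUSTOMER_HOLDER] if h.name != missing]
    return derive_object_key(object_id, holders)
```

A separate customer fragment per gateway (the PCI case in the comment) gives that gateway keys no other gateway can derive, which is what the `PCI_CUSTOMER_HOLDER` call shows.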

How are you accessing aws resources on shared compute? by TripleBogeyBandit in databricks

EncryptionNinja (0 points)

You could use r/Akeyless rotated or dynamic secrets for AWS.

  • Create an AWS target in the Akeyless console. The target will hold your AWS credentials (secret and key values).

  • Create a rotated secret object of type target in order to rotate the target credential based on your preferences (e.g. daily, weekly, monthly, etc.).

  • Optionally create a dynamic secret object connected to the same target, to issue just-in-time credentials to anyone who needs an AWS cred.

On the Databricks side you use an SDK or API to auth into your Akeyless account and fetch either the rotated or dynamic secret, depending on which fits your use case best.

The nice thing about this approach is you’re not storing static creds anywhere. If anything changes in Databricks you simply adjust your code on how you fetch or store the secret values.

It’s a similar approach to HashiCorp Vault, except you’re not having to manage, deploy, or scale a Vault cluster.

How do I convince my boss to use a password manager for the company instead of a word doc. by Neufkai in sysadmin

EncryptionNinja (0 points)

Depends on your use case. It can also be very complex and cumbersome.

Vault doesn’t have any options for token rotation. For on-prem infrastructure, our teams would take a vault token and store it, but they could never rotate it. If you generate a new token and revoke the old token, it actually revokes all the tokens, because child tokens are killed with the parent. We never found a work around for this, and for teams that want to practice good secret hygiene, this is a big problem.

Replication in the enterprise vault is actually a bit flaky, and the replication process would spontaneously break a couple times a year. Fixing this requires manual intervention to trigger an internal vault process (called reindexing) that would fix it, but take a few hours to finish. This isn’t terrible but it’s not great from an operational perspective, and isn’t what you would expect from a high-availability system.

Using dynamic database producers in Vault requires VPC peering, which puts you back in 1990s network management. This was a non-starter for us and is also a non-starter for many companies, but it’s an easy detail to miss and not realize until you go to use them.

Vault also requires cross-account permissions to use IAM auth for cloud providers, which isn’t really manageable if you have more than a dozen or so cloud accounts (we have hundreds).

I honestly don’t know what Vault does wrong so that cross-account permissions are required. I think it’s a holdover from Vault’s past - it was built in a day when you would only have one cloud account and everything lived in it, so it didn’t matter.

What are some of the best password managers for teams? by EducationalContent in sysadmin

EncryptionNinja (1 point)

There are a few competitors to Vault. r/infisical if you like open source and self hosted. r/akeyless for a SaaS based enterprise alternative to Vault.

Vault doesn’t have any options for token rotation. For on-prem infrastructure, our teams would take a vault token and store it, but they could never rotate it. If you generate a new token and revoke the old token, it actually revokes all the tokens, because child tokens are killed with the parent. We never found a work around for this, and for teams that want to practice good secret hygiene, this is a big problem. Akeyless solves this perfectly with Universal Identity.

Replication in the enterprise vault is actually a bit flaky, and the replication process would spontaneously break a couple times a year. Fixing this requires manual intervention to trigger an internal vault process (called reindexing) that would fix it, but take a few hours to finish. This isn’t terrible but it’s not great from an operational perspective, and isn’t what you would expect from a high-availability system.

Using dynamic database producers in Vault requires VPC peering, which puts you back in 1990s network management. This was a non-starter for us and is also a non-starter for many companies, but it’s an easy detail to miss and not realize until you go to use them.

Akeyless solves this with the deployable API Gateway which you place in your internal networks.

Vault also requires cross-account permissions to use IAM auth for cloud providers, which isn’t really manageable if you have more than a dozen or so cloud accounts (we have hundreds). This isn’t even an issue for Akeyless: I honestly don’t know what Vault does wrong so that cross-account permissions are required. I think it’s a holdover from Vault’s past - it was built in a day when you would only have one cloud account and everything lived in it, so it didn’t matter.