Vault is a well-regarded project that is designed to solve a broader set of problems than Strongbox (i.e. Vault has many different backends, more auth solutions, etc.). While there are third-party solutions and plans to get more convenience functionality into Vault, we decided to focus on what you would get out of the box today.
"File secrets" was intended to mean that you can input a binary file directly, either in the CLI or the GUI, without having to manually base64-encode it first. Please correct me if I'm wrong, but I think that is not currently possible with Vault? Strongbox used to require the user to base64-encode the binary file first as well.
It also has that snarky little footnote saying that a "TTL" isn't the same thing as an expiration time, next to the entry claiming Vault doesn't support secret expiration.
The footnote and the entry were a bit rushed and were not intended to be snarky.
To the best of my knowledge - please correct me if I'm wrong - you cannot say a secret should be valid in a time period in Vault. The TTL will tell the client that they should check back with Vault for the most up-to-date secret when the TTL expires. If the client credentials are still valid, and the secret has not been revoked or updated in some other fashion, the client will fetch the same value again. Hence the claim that it does not support secret value expiration.
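To make the TTL-versus-expiration distinction from the comment above concrete, here is an added illustration (not code from Vault, Strongbox or either commenter). It assumes only the k/v read response shape (a `lease_duration` next to `data`); the in-memory store, the `not_after` field and the `TtlCache` client are constructed for the example.

```python
"""Constructed illustration: a TTL tells the client when to re-read, it does not
invalidate the value. A separate not_after field, enforced by the client, gives
real value expiration. FAKE_KV is a stand-in for a Vault generic k/v backend."""
import time

# Constructed sample store: path -> {"lease_duration": seconds, "data": {...}}.
FAKE_KV = {
    "secret/db": {"lease_duration": 10, "data": {"password": "hunter2-v1"}},
}


def kv_read(path, store=FAKE_KV):
    """Mimic the k/v read response shape (lease_duration + data); returns a copy."""
    entry = store[path]
    return {"lease_duration": entry["lease_duration"], "data": dict(entry["data"])}


class TtlCache:
    """Client that honours the TTL: serves the cached value until the TTL lapses,
    then re-reads. If nothing changed server-side, the same value comes back."""

    def __init__(self, now=time.time):
        self.now = now            # injectable clock so behaviour is testable
        self._entries = {}        # path -> (refresh_at, data)

    def get(self, path, store=FAKE_KV):
        hit = self._entries.get(path)
        if hit is None or self.now() >= hit[0]:
            resp = kv_read(path, store)
            hit = (self.now() + resp["lease_duration"], resp["data"])
            self._entries[path] = hit
        return hit[1]


def get_unexpired(path, store, now):
    """Value expiration layered on top of the k/v store: refuse to hand out a
    secret once its (constructed) not_after timestamp has passed."""
    data = kv_read(path, store)["data"]
    not_after = data.get("not_after")
    if not_after is not None and now >= not_after:
        raise ValueError(f"{path}: secret value expired at {not_after}")
    return data["password"]
```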
- There are several free UIs available for Vault like https://github.com/djenriquez/vault-ui, they just aren't provided by HashiCorp.
- I'm not sure what "file secrets" might refer to other than storing the contents of a file, for which Vault's CLI provides shortcuts.
- While Vault's generic k/v backend doesn't support purging expired values in order to avoid accidental data loss, there are plenty of other backends that integrate with AWS STS, Postgres, etc. to provide dynamic, short-lived credentials.
- I'm not sure how Vault doesn't support encrypted backups seeing as the data is already encrypted on disk. Take EBS snapshots or something.
- Versioning of secrets is a popular request and HashiCorp has some "vague plans", which is an improvement from "no plans." https://github.com/hashicorp/vault/issues/1364#issuecomment-...
Plus you get a full REST API, a ton of auth methods, granular access policies, etc.