VAULT comparison №8

OpenShift vs Keywhiz

This time we compare the incomparable - two distinct products in the DevSecOps secrets management space: Red Hat OpenShift secrets and Keywhiz from Square.

Both have one thing in common - they come literally for free, because OpenShift secrets are a built-in feature of Red Hat OpenShift and Keywhiz is open-source software.
Which solution is better?
Deployment and setup
OpenShift secrets are extremely easy to implement - they are simply part of the OpenShift cluster. But they are quite hard to use for anything beyond managing secrets internal to OpenShift.
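To make concrete what "secrets internal to OpenShift" means, here is an added example (not from the original post) of the built-in mechanism: a Secret object and a Pod in the same cluster that consumes it through an environment variable and a read-only volume. The namespace, object names, image reference and credential values are all constructed for illustration.

```yaml
# Added example: a cluster-internal Secret and the Pod that consumes it.
# Namespace, names, image and values are constructed placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials      # constructed name
  namespace: demo           # constructed namespace
type: Opaque
data:
  # Values under "data" are base64-encoded, NOT encrypted:
  #   echo -n 'app'    | base64  -> YXBw
  #   echo -n 's3cr3t' | base64  -> czNjcjN0
  username: YXBw
  password: czNjcjN0
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      env:
        # Secret key injected as an environment variable
        - name: DB_USERNAME
          valueFrom:
            secretKeyRef:
              name: db-credentials
              key: username
      volumeMounts:
        # Secret key projected as a file at /etc/db/password
        - name: db-creds
          mountPath: /etc/db
          readOnly: true
  volumes:
    - name: db-creds
      secret:
        secretName: db-credentials
        items:
          - key: password
            path: password
```

Apply both objects with `oc apply -f` and the container sees the username in `DB_USERNAME` and the password at `/etc/db/password`. Two points a practitioner should keep in mind: only workloads scheduled on this cluster can consume the Secret this way, which is why an application layer outside the cluster needs a complementary solution; and anyone whose RBAC role allows `get` on secrets in the namespace reads the base64 values straight back, so namespace-level RBAC and etcd encryption at rest (opt-in in OpenShift) are what actually protect the values.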

Keywhiz is quite straightforward to implement, but note the point further below - it has limited functionality, so it is hard to compare apples to apples here.
Scalability and flexibility
OpenShift secrets scale automatically with the OpenShift cluster but have weak secrets-as-a-service capabilities, so you need a complementary solution when it comes to managing secrets at the application layer.

There are no proper, well-known recipes for implementing high availability and data recovery (HA and DR) in Keywhiz; at the same time, it stores secrets in an external database (for instance PostgreSQL), so HA and DR can be implemented at the database level.
OpenShift and Keywhiz: key differences
Both solutions come literally for free, but the real price is the cost of professional services or the internal FTEs needed to properly install and manage them.
Keywhiz can be an interesting option when it fits your requirements and you have an established technology stack and business model.

OpenShift secrets excel when you already have an OpenShift cluster, and the two solutions can complement each other, managing secrets properly on the cluster and application layers respectively.

Each option solves a secrets management problem but brings a new one - you have to implement and maintain it. If you would like help with this, check out our DevSecOps as a Service.

If you are not ready to consider implementing a tool, you can check out our Kubernetes Penetration Testing Service.