Comparison with existing solutions

Posted August 31, 2021 by Sam ‐ 4 min read

We evaluated the solutions on criteria that matter to us as developers. You should build your own grid based on what matters most to you.

  • Is it open-source?
  • Is it easy to set up?
  • Does it support access control (members, environments)?
  • Can you do everything from the CLI?
  • Is injection through environment variables possible?
  • Does it support different codebase versions (e.g. git commits)?
  • Can it work cross-repository?
  • Is it hard to misuse (good security defaults)?
  • Are there integrations for CI/CD tools like GitHub Actions?

Keystone vs. Hashicorp Vault

Vault is considered one of the best solutions for securing secrets. It is highly configurable and can handle many scenarios, but that comes at the cost of complexity.


Our opinion

Without a DevOps team, it is hard to set up and maintain while still giving developers a good workflow.

Criterion                      | Keystone | HashiCorp Vault
-------------------------------|----------|----------------
Licence                        | MIT ✅   | MPL v2.0 ✅
Fast setup                     | yes ✅   | no ❌
Access control                 | yes ✅   | yes ✅
CLI-first                      | yes ✅   | yes ✅
Environment variable injection | yes ✅   | yes ✅
Codebase versions              | yes ✅   | no ❌
Support for cross-repository   | yes ✅   | yes ✅
Hard to misuse (security)      | yes ✅   | no ❌
Integrations                   | yes ✅   | yes ✅

Keystone vs. Git-crypt (and the likes)

Git-crypt allows you to store your secrets and configuration within your repository. Secrets are encrypted when committing and decrypted when checked out. It supports a GPG mode and a symmetric-key mode so you can work with other developers.

There are other projects doing similar things like git-secret.


Our opinion

While we like our secrets to be synced with our codebase, we think only the keys should be tracked. If we need to change a secret value, we should not have to rewrite the whole history.

Also, in the case of public repositories, it feels weird to give public access to secrets, even encrypted ones.
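To make the "track keys, not values" rule checkable, here is an added example (not code from Keystone or git-crypt) that parses a committed .env template and flags any key whose value looks like a real secret rather than an empty or <PLACEHOLDER> value, and lists keys the runtime environment fails to provide. The template format and the placeholder convention are assumptions.

```python
"""Check that a committed .env template tracks keys only, not secret values."""
import re

# Acceptable template values: empty, or an angle-bracket placeholder (assumed convention).
PLACEHOLDER = re.compile(r"^(<[A-Z0-9_]+>)?$")
# KEY=value with optional 'export' prefix; comments and blanks are skipped separately.
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=value lines, ignoring blanks and '#' comments; strips matching quotes."""
    env: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key] = value
    return env


def leaked_values(template_text: str) -> list[str]:
    """Keys in the tracked template whose value is neither empty nor a placeholder."""
    return sorted(k for k, v in parse_dotenv(template_text).items() if not PLACEHOLDER.match(v))


def missing_keys(template_text: str, runtime_env: dict[str, str]) -> list[str]:
    """Keys the template declares that are absent from the injected runtime environment."""
    return sorted(set(parse_dotenv(template_text)) - set(runtime_env))


# Constructed sample: a template a team would commit (keys only), with one mistake in it.
SAMPLE_TEMPLATE = """\
# Keys only; real values are injected at runtime and never committed.
DATABASE_URL=
STRIPE_KEY=<STRIPE_KEY>
export SMTP_PASSWORD="hunter2"
"""

if __name__ == "__main__":
    print("values committed by mistake:", leaked_values(SAMPLE_TEMPLATE))
    print("keys missing at runtime:", missing_keys(SAMPLE_TEMPLATE, {"DATABASE_URL": "x"}))
```

Run it as a pre-commit hook on the template file so a real value never reaches history in the first place.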

Criterion                      | Keystone | Git-crypt
-------------------------------|----------|------------------
Licence                        | MIT ✅   | GPL v3.0 ✅
Fast setup                     | yes ✅   | no ❌
Access control                 | yes ✅   | GPG ✅
CLI-first                      | yes ✅   | yes ✅
Environment variable injection | yes ✅   | no ❌
Codebase versions              | yes ✅   | keys and values ❌
Support for cross-repository   | yes ✅   | no ❌
Hard to misuse (security)      | yes ✅   | yes ✅
Integrations                   | yes ✅   | no ❌

Keystone vs. Doppler

Doppler is one of the most advanced SaaS platforms for managing secrets. They have thousands of customers, which is a great sign of success.


Our opinion

Doppler got it right on many fronts. Yet we miss a CLI matching their powerful web dashboard.

Also, we always favor open-source work over proprietary software, especially for security software.

Criterion                      | Keystone | Doppler
-------------------------------|----------|--------------
Licence                        | MIT ✅   | Proprietary ❌
Fast setup                     | yes ✅   | yes ✅
Access control                 | yes ✅   | yes ✅
CLI-first                      | yes ✅   | no ❌
Environment variable injection | yes ✅   | yes ✅
Codebase versions              | yes ✅   | no ❌
Support for cross-repository   | yes ✅   | yes ✅
Hard to misuse (security)      | yes ✅   | yes ✅
Integrations                   | yes ✅   | yes ✅

Keystone vs. EnvKey

EnvKey is a SaaS platform and a direct competitor of Doppler. They provide a cross-platform application instead of a web dashboard to avoid vulnerabilities through browser extensions (well thought out 👍).


Our opinion

Secrets management is done entirely through their app, which is not to our taste. It is also not open source.

For the same reasons as Doppler, it’s not a good fit for us.

Criterion                      | Keystone | EnvKey
-------------------------------|----------|--------------
Licence                        | MIT ✅   | Proprietary ❌
Fast setup                     | yes ✅   | yes ✅
Access control                 | yes ✅   | yes ✅
CLI-first                      | yes ✅   | no ❌
Environment variable injection | yes ✅   | yes ✅
Codebase versions              | yes ✅   | no ❌
Support for cross-repository   | yes ✅   | yes ✅
Hard to misuse (security)      | yes ✅   | yes ✅
Integrations                   | yes ✅   | yes ✅

Keystone vs. Keywhiz

Keywhiz is a system for managing and distributing secrets. It is open-source and battle-tested by Square. You can find an overview here.


Our opinion

Setup is tedious; it is most likely used by DevOps engineers rather than developers.

We pass!

Criterion                      | Keystone | Keywhiz
-------------------------------|----------|-------------
Licence                        | MIT ✅   | Apache 2.0 ✅
Fast setup                     | yes ✅   | no ❌
Access control                 | yes ✅   | yes ✅
CLI-first                      | yes ✅   | yes ✅
Environment variable injection | yes ✅   | yes ✅
Codebase versions              | yes ✅   | no ❌
Support for cross-repository   | yes ✅   | yes ✅
Hard to misuse (security)      | yes ✅   | no ❌
Integrations                   | yes ✅   | no ❌

Keystone.

Sync your environment variables across team members, environments and codebase versions without leaving your terminal.