
Vault 0.4 released – a tool for managing secrets

59 points | medina | 10 years ago | hashicorp.com

21 comments


notdonspaulding|10 years ago

Can somebody tell me how Hashicorp makes money? They seem to employ people, and they have a page that sends traffic off to technology and solutions partners, but where do they make their own money?

We use Vagrant at work and I'm considering whether and how we could use more of their tooling. But I always want to know about the business model behind the tools I recommend before I recommend them.

Anyone?

mitchellh|10 years ago

As the founder of HashiCorp, I feel qualified to answer this.

The adjacent comment about Atlas is correct. Atlas itself is admittedly poorly marketed right now (something we're working on right this very moment). The best way to describe how we make money is: we target the enterprise user and give them the features, integrations, and support they need in their regulated, legacy-encumbered, etc. environments. Atlas in particular is focused on giving enterprises a flexible application delivery pipeline that is opinionated in a certain way, but flexible enough to support their diverse environments (all at once: containers, VMs, physical machines. Windows, Mac, Linux. Etc.)

Due to our adoption we have the rare benefit of primarily letting open source adoption happen organically, and having large companies approach us as they get more serious about our software.

Vault, in particular, is a good example of this. Vault suffers from an issue where most impressive people who use Vault can't actually publicly say they use Vault. So we have a hard time talking about how widely adopted it is. The best I can give you is from what I said at our HashiConf keynote: "If you traded stocks, used a credit card, or did anything involving a bank, then you've interacted with Vault-secured data." That's as specific as I can be about how widespread Vault is right now.

Anyways, a digression from the original question: enterprises have interesting needs they're willing to pay for. We address those needs in enterprise products (Atlas, others that aren't public yet) and support. We don't have any SaaS-like "enter your credit card and pay us" (other than the Vagrant VMware plugin which predates all of this), and instead do deals with larger companies in a way that most of HN would likely perceive as old school in some sense. :)

Note when I say "enterprise" I'm not trying to exclude anyone. If you're a relatively small company (I didn't click your name to find out), then still feel free to email us any of your concerns and we should be able to either help you ourselves or route you in the right direction.

tvmalsv|10 years ago

I think they make the bulk of their money* off of Atlas, which is a subscription service that ties together and automates a lot of their free products. They also have a paid add-on to Vagrant for VMware support.

* I would also bet they do consulting & support for companies that are using their products, and/or other automation advice. Whether that accounts for more or less revenue than Atlas, I have no idea :)

borplk|10 years ago

Someone correct me if I'm wrong but Vault on its own (without an agent) would be quite difficult to use in a simple web application setup, no?

For example let's say I store an API token in Vault and want to use that in my Node.js application.

That means I can't do "var api_token = MY_API_TOKEN;" because the secret needs to come from vault and get refreshed, etc...

I'd imagine you will need some agent to manage the secret lease/expiry and for that to reload your entire application to ensure you don't end up with old secrets hanging around in the memory.

This topic is not addressed anywhere in the Vault documentation, I looked everywhere I could.

mitchellh|10 years ago

We plan on augmenting the documentation with a user-friendly "guides" section. A big rework of a lot of the docs is actually very high on the near term TODO list, so I'm sorry for the current state of it.

As for how you can more easily use it, we recommend [the now weirdly named] consul-template or envconsul. The former (https://github.com/hashicorp/consul-template) will put secrets automatically into files and watch for changes, update the file, and refresh the process. If you put the files onto a non-swappable ramdisk, then it is reasonably secure (relative to most things, less secure than deeply integrating with Vault).

Envconsul, on the other hand, injects secrets as environment variables to a process. This is also reasonably secure but users have to be aware of the various ways that env vars can be read out of process (/proc for example).

These are the two easiest ways to get started that allow Vault to be used with brownfield software. If you greenfield something, integrating Vault first-class is the way to go for the most security and is what we're seeing bigger users go for.

earless1|10 years ago

In the past I've thought about using an EC2 metadata-style endpoint for secrets that would be accessible by an agent with some sort of key. That way the application always dynamically requests the secret as opposed to setting it statically at launch.

doublerebel|10 years ago

It took me a while to run across envconsul and consul-template after discovering Vault also. But the simplicity of the tools together is much easier than any other configuration software option I've tried. So much more straightforward than an ops tool like puppet or chef (though those have their place).

adrtessier|10 years ago

There sure are a lot of these systems these days. While I'm always happy to see innovation in this area, I'm personally beginning to get confused as to why I might prefer to use (and probably then contribute to) one of these projects over another. After all, there's this, and Lyft's Confidant [1], and Square's Keywhiz [2], and plenty more that don't come to mind right now. They all have nice documentation about what they do, but none of them sufficiently explain to me what architectural differences they have, their pros and cons. I think it would be great to see that added to these products' pages at best, or at least some guy write a blog post about it.

[1] https://lyft.github.io/confidant/ [2] https://square.github.io/keywhiz/

wmf|10 years ago

There's probably some strategy tax at work here since Hashicorp is trying to build a self-contained ecosystem of devops/microservices tools.

doublerebel|10 years ago

Vault fits in with my existing stack very well. Though a simple tool, it solves so many of the common security issues with modern architecture (secrets distribution, multi-factor auth, compatible with multiple public/private networks simultaneously, has an API and GUI...). It's clear the authors have run into the problem time and time again.

And yesterday I got it to build and run on SmartOS too, for extra security and scalability. Thanks to Hashicorp team for their work, and their commitment to open-source.