**Patryk Cisek: Choosing Secrets Manager for Homelab**

As a seasoned homelab enthusiast and security-conscious user, I've always been keen to find ways to streamline the management of my self-hosted services. One of the biggest pain points was storing sensitive information such as sudo passwords and SMTP credentials in Ansible Playbooks. In this article, I'll delve into my journey of choosing a secrets manager for my homelab and explain why I ultimately selected Bitwarden's Secrets Manager over Hashicorp Vault.

**The Challenges with Ansible Vault**

For several years, I've been using Ansible Playbooks to manage the configuration of various self-hosted services. While Ansible Vault provides a secure way to store sensitive information, it had its limitations. Each playbook required at least one secret - the sudo password - and many needed additional secrets like SMTP credentials for email notifications. To avoid exposing these secrets, I stored most of them in Ansible Vault, which meant I had to enter two passwords interactively every time I ran a playbook: the sudo password and the Ansible Vault password.

This approach also made it difficult to automate the execution of playbooks via CI/CD pipelines. I didn't want to expose sensitive environment variables in my GitLab pipelines, which would have compromised security. Furthermore, tracking secrets across multiple locations became increasingly challenging over time. It was clear that a better solution was needed - one that would centralize secrets storage and provide an additional layer of security.

**Comparing Hashicorp Vault and Bitwarden's Secrets Manager**

After considering both Hashicorp Vault and Bitwarden's Secrets Manager, I weighed the pros and cons of each. While I had some experience with Hashicorp Vault as a user, I was hesitant to operate an instance myself due to concerns about a steep learning curve. On the other hand, Bitwarden's Secrets Manager offered a simple key-value store that met my needs. At the time, Bitwarden didn't offer a self-hosted Secrets Manager service, but its SaaS option provided all the features I required.

The killer feature of Bitwarden's Secrets Manager was its end-to-end encryption, which ensured that even Bitwarden itself couldn't access the stored secrets. Access tokens generated by Bitwarden were used to decrypt secrets locally, either directly via the CLI or by CI/CD pipelines. This level of security was essential for my threat model, as it meant that even if Bitwarden's back-end services were compromised, attackers would still need to obtain access tokens to gain access to secrets.
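As an added example (not from the original post or from Bitwarden's own tooling), here is how the local-decryption flow described above can feed the sudo and SMTP secrets into a playbook without interactive prompts. It assumes the `bws` CLI is installed, `BWS_ACCESS_TOKEN` is exported, `bws secret get <id>` prints a JSON object with a `value` field, and the secret IDs in `SECRET_MAP` are placeholders.

```python
"""Feed Bitwarden Secrets Manager secrets to ansible-playbook non-interactively.
Assumptions (not from the original post): the `bws` CLI is on PATH, BWS_ACCESS_TOKEN
is exported, and `bws secret get <id>` prints JSON containing a "value" field."""
import json
import os
import subprocess
import sys
import tempfile
from typing import Callable, Dict

# Placeholder mapping: Ansible variable name -> Bitwarden secret ID (not real IDs).
SECRET_MAP = {
    "ansible_become_password": "00000000-0000-0000-0000-000000000001",
    "smtp_password": "00000000-0000-0000-0000-000000000002",
}

def run_bws(secret_id: str) -> str:
    """Run `bws secret get` for one secret; bws reads BWS_ACCESS_TOKEN itself."""
    if "BWS_ACCESS_TOKEN" not in os.environ:
        raise RuntimeError("BWS_ACCESS_TOKEN is not set; refusing to run bws")
    proc = subprocess.run(["bws", "secret", "get", secret_id],
                          check=True, capture_output=True, text=True)
    return proc.stdout

def load_secrets(mapping: Dict[str, str],
                 run: Callable[[str], str] = run_bws) -> Dict[str, str]:
    """Resolve each secret ID to its plaintext; decryption happens locally in bws,
    so the server only ever holds ciphertext and the access token is what unlocks it."""
    secrets = {}
    for var_name, secret_id in mapping.items():
        record = json.loads(run(secret_id))
        if "value" not in record:
            raise ValueError(f"bws returned no value for {var_name}")
        secrets[var_name] = record["value"]
    return secrets

def write_extra_vars(secrets: Dict[str, str]) -> str:
    """Write secrets to a 0600 temp file so they never appear on the command line."""
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(secrets, fh)
    os.chmod(path, 0o600)
    return path

def run_playbook(playbook: str, mapping: Dict[str, str] = SECRET_MAP) -> int:
    path = write_extra_vars(load_secrets(mapping))
    try:
        return subprocess.call(["ansible-playbook", playbook, "--extra-vars", f"@{path}"])
    finally:
        os.remove(path)  # never leave plaintext secrets on disk

if __name__ == "__main__":
    sys.exit(run_playbook(sys.argv[1]))
```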

**The Advantages of End-to-End Encryption**

While Hashicorp Vault also provides key-value secret storage, its cryptography-as-a-service functionality is a significant advantage. This feature allows users to delegate encryption and decryption tasks to the Vault instance, which means that sensitive keys are never exposed outside the Vault environment. However, this design comes with implications - if a client's API access is compromised, attackers cannot extract the keys themselves, but they can still request encryption and decryption from the Vault on the client's behalf.

On the other hand, Bitwarden's Secrets Manager provides end-to-end encryption, which means that even Bitwarden itself can't access the stored secrets. This design choice is more aligned with my threat model, as it ensures that sensitive information remains secure even in the event of a breach.

**Conclusion**

After weighing the pros and cons of both Hashicorp Vault and Bitwarden's Secrets Manager, I chose the latter for my homelab. While Hashicorp Vault offers impressive cryptography-as-a-service functionality, its design has significant implications that don't align with my threat model. End-to-end encryption provided by Bitwarden's Secrets Manager was a crucial factor in my decision, as it ensures that sensitive information remains secure even in the event of a breach.

Using Bitwarden's Secrets Manager has been a game-changer for me, as it has simplified the management of my self-hosted services and provided an additional layer of security. By storing sensitive information in a central location with end-to-end encryption, I can rest assured that my homelab is secure and protected from potential threats.