<p dir="ltr">Vault is pretty nice, but does require infrastructure. If you're OK with that, then it's a good choice, I think. Another option in that space is Keywhiz. Both projects have published solid threat models so you can understand the goals and reasoning behind them.<br>
Thanks,<br>
John</p>
<br><div class="gmail_quote"><div dir="ltr">On Sun, Feb 21, 2016, 4:00 PM Jim Manico &lt;<a href="mailto:jim.manico@owasp.org">jim.manico@owasp.org</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div text="#000000" bgcolor="#FFFFFF">
    Thanks for pointing this project out, Sherif. <a href="https://www.vaultproject.io/" target="_blank">https://www.vaultproject.io/</a>
    looks like a heavy-duty (you need to install a binary on your server, etc.)
    and in-depth way to achieve the goal of encrypting configuration
    data.<br>
    <br>
    I do not know of many software frameworks that provide this
    capability out of the box other than .NET where you can encrypt
    sections of your Web.config file using DPAPI. If you know of other
    solutions to this problem, I'd love to hear about them.<br>
    <br>
    Aloha,<br>
    Jim</div><div text="#000000" bgcolor="#FFFFFF"><br>
    <br>
    <div>On 2/21/16 2:13 PM, Sherif Mansour
      wrote:<br>
    </div>
    </div><div text="#000000" bgcolor="#FFFFFF"><blockquote type="cite"><div dir="ltr">Thanks Jim,
        <div><br>
        </div>
        <div>On the related topic of storing application credentials
          (i.e. how to store the credentials/tokens an application uses
          to authenticate to datastores and other apps, etc.), has
          anyone investigated <a href="https://www.vaultproject.io/" target="_blank">https://www.vaultproject.io/</a>?
          If so, what were your thoughts on it?</div>
        <div><br>
        </div>
        <div>Kind regards</div>
        </div></blockquote></div><div text="#000000" bgcolor="#FFFFFF"><blockquote type="cite"><div dir="ltr"><div>Sherif Mansour</div>
      </div></blockquote></div><div text="#000000" bgcolor="#FFFFFF"><blockquote type="cite">
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Sun, Feb 21, 2016 at 7:18 PM, Jim
          Manico <span dir="ltr">&lt;<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> Hello folks,<br>
              <br>
              I made a significant update to the password storage
              cheatsheet (hat tip to John Steven) to mention the winner
              of the password hashing competition, <b>Argon2</b>. <br>
              <br>
              <a href="https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402" target="_blank">https://www.owasp.org/index.php?title=Password_Storage_Cheat_Sheet&diff=209303&oldid=203402</a><br>
              <br>
              This is a fairly significant change beyond the standard
              recommendations of using a salted PBKDF2, bcrypt or scrypt
              - or HMACs at scale.  <br>
              <br>
              If you're into this sort of thing, check out <a href="https://password-hashing.net/argon2-specs.pdf" target="_blank">https://password-hashing.net/argon2-specs.pdf</a>.
              Various crypto libraries are working on production class
              implementations now, and should be ready sometime in
              2016/17. Worth putting on your radar.<br>
              <br>
              Aloha,<br>
              Jim Manico<br>
            </div>
            <br>
            _______________________________________________<br>
            OWASP-Leaders mailing list<br>
            <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
            <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" rel="noreferrer" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote></div>

</blockquote></div>