+
+ | Feature |
+ Pulumi ESC |
+ Infisical |
+
+
+ | Architecture |
+
+
+ | OSS License |
+ Yes, Apache License 2.0 |
+ Yes, MIT expat license |
+
+
+ | Document Store |
+ Yes |
+ No |
+
+
+ | Key-value Store |
+ Yes |
+ Yes |
+
+
+ | Open Ecosystem |
+ Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. |
+ No, can only store and manage secrets stored in Infisical |
+
+
+ | Developer Experience |
+
+
+ | Editing and Authoring |
+ Yes, supports both GUI and powerful Document Editor with autocomplete, docs hover, and error checking |
+ Limited, has GUI editor without YAML support |
+
+
+ | CLI |
+ Yes, available as esc CLI or pulumi CLI |
+ Yes |
+
+
+ | Client SDKs |
+ Yes |
+ Yes |
+
+
+ | Declarative Provider |
+ Yes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code. |
+ No |
+
+
+ | Composability |
+ Yes, simple set up of hierarchical environments that inherit values from imported environments |
+ No, can only reference singular secrets from other environments and references have to be duplicated in multiple environments |
+
+
+ | Versioning |
+ Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers |
+ Limited |
+
+
+ | Immutable History & Point in Time Recovery |
+ Yes |
+ Yes |
+
+
+ | Values Can Be of Type Secret and Plaintext |
+ Yes |
+ No, values can only be secrets |
+
+
+ | Interpolate Values from Other Values |
+ Yes, new dynamic values can be constructed through string interpolation |
+ No |
+
+
+ | Branching / Personal Configs |
+ Yes, environments can be forked for testing without rewriting entire environments and overriding specific values |
+ Limited, requires careful copying since secrets need to be downloaded in plaintext locally and then uploaded |
+
+
+ | Compare Secrets across Environments |
+ No |
+ Yes |
+
+
+ | In-built Functions |
+ Yes, support for functions like toJSON, fromJSON, fromBase64, toString allows data manipulation for any scenario |
+ No |
+
+
+ | Security and Compliance |
+
+
+ | Audit Logs |
+ Yes |
+ Yes |
+
+
+ | Encrypted Secrets Storage |
+ Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest |
+ Yes |
+
+
+ | Access Controls |
+ Yes |
+ Yes |
+
+
+ | Secure Dynamic Cloud Provider Credentials |
+ Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud. |
+ No, less secure as it requires access keys for highly privileged root accounts |
+
+
+ | OIDC Trust |
+ Yes, trust relationships are established with third-party OIDC providers |
+ No |
+
+
+ | Secure Environment Variables |
+ Yes, the esc run CLI command can be used to specify which secrets are available as environment variables |
+ No, all values are available as environment variables |
+
+ Plaintext Read Only Mode |
+ Yes, ESC offers a read mode that allows reading only plaintext values while not being able to decrypt secrets or access dynamic credentials |
+ No |
+
+
+
+{{< get-started-esc >}}
diff --git a/content/docs/esc/vs/vault.md b/content/docs/esc/vs/vault.md
new file mode 100644
index 000000000000..a75bb52316e5
--- /dev/null
+++ b/content/docs/esc/vs/vault.md
@@ -0,0 +1,174 @@
+---
+title_tag: "Pulumi ESC vs HashiCorp Vault"
+meta_desc: Learn about the major differences between Pulumi ESC and HashiCorp Vault.
+title: Pulumi ESC vs HashiCorp Vault
+h1: Pulumi ESC vs HashiCorp Vault
+meta_image: /images/docs/meta-images/docs-meta.png
+menu:
+ pulumiesc:
+ identifier: vault
+ parent: esc-vs
+ weight: 1
+aliases:
+---
+
+
+
+Choosing the right [secrets management](/what-is/what-is-secrets-management/) tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with HashiCorp Vault, and how ESC and Vault can be used together.
+
+## What is HashiCorp Vault?
+
+HashiCorp Vault is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.
+
+## Pulumi ESC vs. Vault: Similarities {#similarities}
+
+Like Vault, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Vault, secrets can be stored and accessed through a CLI, SDK, or editor interface. Granular access controls can be implemented across all secrets.
+
+## Pulumi ESC vs. Vault: Key Differences {#differences}
+
+There are a couple of fundamental differences between Vault and Pulumi ESC. First, ESC and Vault differ in that Vault is not open source, using the Business Source License model. In contrast, ESC is fully open source and Apache 2.0 licensed. Second, Vault only stores secrets, whereas ESC stores environments, secrets, and configurations. Third, ESC provides composability of collections of secrets and configuration. Environments can be composed together from multiple other environments, enabling easy inheritance of shared configuration.
+
+## Pulumi ESC and Vault: Better Together
+
+While there are differences and similarities between Pulumi ESC and Vault, they can actually be used together for a more powerful experience to store and manage infrastructure and application secrets. ESC environments can reference secrets stored in Vault. Through ESC, secrets in Vault can be organized as collections of secrets that can be versioned, branched, and composed inside other collections. With ESC, non-secret configuration can be stored alongside secrets in Vault. ESC enhances Vault, and they work better together.
+
+Here is a summary of the key differences between Pulumi ESC and HashiCorp Vault:
+
+
+
+ | Feature |
+ Pulumi ESC |
+ Vault |
+
+
+ | Architecture |
+
+
+ | OSS License |
+ Yes, Apache License 2.0 |
+ No, Business Source License 1.1 |
+
+
+ | Hosting/management |
+ Fully-managed SaaS service provided by Pulumi Cloud |
+ Offers hosted cloud service and self-hosting, which requires significant management overhead |
+
+
+ | Key-value Store |
+ Yes |
+ Yes |
+
+
+ | Open Ecosystem |
+ Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. |
+ No, can only store and manage secrets store in Vault |
+
+
+ | Developer Experience |
+
+
+ | Editing and Authoring |
+ Yes, supports both GUI and powerful Document Editor with autocomplete, docs hover, and error checking |
+ Limited, has a JSON editor |
+
+
+ | CLI |
+ Yes, available as esc CLI or pulumi CLI. Supports injecting application secrets as environment variables and modifying secrets. |
+ Limited, has a CLI but lacks the capabilities of injecting secrets as environment variables. The CLI is for modifying secrets only. |
+
+
+ | Client SDKs |
+ Yes |
+ Yes |
+
+
+
+ | Declarative Provider |
+ Yes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code. |
+ No |
+
+
+ | Composability |
+ Yes, simple set up of hierarchical environments that inherit values from imported environments |
+ No, users have to create the structure themselves |
+
+
+ | Versioning |
+ Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers |
+ Limited, secrets are individually versioned |
+
+
+ | Values Can Be of Type Secret and Plaintext |
+ Yes |
+ No, values can only be secrets |
+
+
+ | Ability to See Existing Secrets |
+ Yes |
+ No |
+
+
+ | Secret Referencing |
+ Yes, environments can import secrets from another environment. Secrets updated from the referenced environment will automatically propagate to downstream environments |
+ No |
+
+
+ | Interpolate Values from Other Values |
+ Yes, new dynamic values can be constructed through string interpolation |
+ No |
+
+
+ | Branching / Personal Configs |
+ Yes, environments can be forked for testing without rewriting entire environments and overriding specific values |
+ No |
+
+
+ | Compare Secrets across Environment |
+ No |
+ No |
+
+
+ | In-built Functions |
+ Yes, support for functions like toJSON, fromJSON, fromBase64, toString allows data manipulation for any scenario |
+ No |
+
+
+ | Security and Compliance |
+
+
+ | Audit Logs |
+ Yes |
+ Yes |
+
+
+ | Encrypted Secrets Storage |
+ Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest. |
+ Yes, Vault uses a security barrier for all requests made to the backend. The security barrier automatically encrypts all data leaving Vault using a 256-bit Advanced Encryption Standard (AES) cipher in the Galois Counter Mode (GCM) with 96-bit nonces. |
+
+
+ | Access Controls |
+ Yes |
+ Yes |
+
+
+ | Secure Dynamic Cloud Provider Credentials |
+ Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud. |
+ Limited, requires the usage of root account keys. Only available for AWS. |
+
+
+ | OIDC Provider |
+ Yes, Pulumi Cloud can be used as an OIDC provider from the Pulumi SDK, CLI, UI, and pulumi-service provider. |
+ Limited, configuring Vault as an OIDC provider is only available from the CLI |
+
+
+
+{{< get-started-esc >}}
diff --git a/layouts/shortcodes/get-started-esc.html b/layouts/shortcodes/get-started-esc.html
new file mode 100644
index 000000000000..f2a9ef1a4f48
--- /dev/null
+++ b/layouts/shortcodes/get-started-esc.html
@@ -0,0 +1,33 @@
+
+ 
+ 
+ 
+