- 1) Password security seems minimal: there is no way to limit number of connect attempts, no way to enforce password length, age, etc.
2) Encryption seems optional: I've read no information about encryption during transport other than the SSL option (which we don't have, and aren't planning to pay for).
"While Vault allows connections by remote users, I shouldn't use this feature. Instead, I should have remote users connect to my intranet (probably via a VPN) when they want to access Vault."
But I may be basing my conclusions on misinformation. Vault may have a whole host of security features that I'm not aware of, and my source code may not be flying plaintext across the aether. If this is the case, please enlighten me.
Matt Lowe