
> You have no idea the environment they work in. The "skill issue" here is you thinking your basic knowledge of Vault matters.

I've deployed Vault both at home and in two different companies, doing anything from PKI, mutual TLS, secret storage and other stuff.

> > Software like Vault from hashicorp (it's FIPS compliant, too: https://developer.hashicorp.com/vault/docs/enterprise/fips) let you create a cryptographically-strong CA and build the automation you need.

> They didn't tell you their needs, but you're convinced this vendor product solves it.

It was an example from the ecosystem of available tools but in general yes, Vault can do that. Mentioning FIPS compliance was about letting you know that the software can also be used in government environments. It's not just a "homelab toy".

> Are you a non-technical CTO by chance?

Senior cloud engineer here. Worked anywhere from not-so-small companies (250 people, 100 engineers) to faangs (tens of thousands of engineers).

> > there are equivalents for mac os and gnu/linux i guess

> You guess? I'm sensing a skill issue.

You're attacking me on a personal level because you can't argue otherwise. That's a common logical fallacy ("Ad Hominem" - https://www.britannica.com/topic/ad-hominem). You basically have a skill issue at debating =)

> Why would you say it's solved for their environment, "I guess??"

When you account for Windows, Mac OS and Linux you're accounting for pretty much the totality of the desktop computing landscape. The last two MacBooks I had for work came with the Mac OS equivalent of group policies with certificates installed etc etc. Enterprise-tier Linux distributions can do that as well (eg: Red Hat Enterprise Linux).

> I'm sensing you work in a low skill environment if you think "home lab trivial" translates to enterprise and defense.

Again, worked anywhere from companies with 250 people to FAANGs. You have a skill issue at sensing, it seems.

To get back to the point: homelab "triviality". In a way, yes. Large enterprises and even more so defense can spend all the money not just on software but even on consulting from various companies that can bring the skills to implement and maintain all the services that are needed, and train your people at that. Things become non-trivial not on the basis of technical issues, but on the basis of organizational issues...

If we talk government and defense... Do you know the US government has dedicated cloud regions (eg: https://aws.amazon.com/govcloud-us/)? Do you really think that cloud providers offer those services at a loss? Do you really think a few Vault enterprise licenses are the issue there?

And by the way, Vault is just an example of one of the possible solutions. It was meant to be an example but you clearly missed the point.

> > Hence, if a large organization is not able to implement that, the issue is in the organization, not in the technology.

> Absolutely meaningless statement.

I think it's very meaningful.

It's not 1995, cryptography isn't arcane anymore. We've had hardware crypto acceleration in CPUs since at least 2010 (AES-NI). The tooling is well established on both servers and clients. The skills are on the market ready to be hired (either via employment or via contracting).

The issue is not technical in nature.

Oh and by the way: I've worked closely with engineers working for the US government. I wasn't close to the US government (because I am not a US citizen) but they were. They were "close enough" that they had to work in a SCIF and could only interact with me via phone. The systems they were working on... Those systems had their own private CA (among other things).

It's feasible. It's not a technical issue. If it's not done then it's an organizational issue.


ecb_penguin
> It's not 1995, cryptography isn't arcane anymore.

My username is literally a cryptographic mode of operation. But you didn't know that, because you have a low skill issue.

> Do you know the US government has dedicated cloud regions (eg:

This is a joke, right? You're just an LLM going through training.

znpy OP
> My username is literally a cryptographic mode of operation. But you didn't know that, because you have a low skill issue.

Again, ad hominem attack... You proved yourself to be quite a fool. You can't argue, you can't back your own opinions, you are only capable of attacking on a personal level.

> This is a joke, right? You're just an LLM going through training.

My account is from 2015 and has ~11k points. Your account is 4 months old and barely has 150 points. It's more likely that you're a poorly trained LLM (whoever trained you had skill issues :P) rather than me.

I'll be dropping this useless conversation. Farewell.

ecb_penguin
> Again, ad hominem attack

That's not what ad hominem means. Ad hominem doesn't mean I can't insult you.

> My account is from 2015 and has ~11k points. Your account is 4 months old and barely has 150 points. It's more likely that you're a poorly trained LLM (whoever trained you had skill issues :P) rather than me.

Content matters more than age you goofball
