BV vs AWS Secrets Manager

This document compares BV with AWS Secrets Manager.

Similarities

Both systems provide endpoints to securely store and retrieve secrets and credentials for service-to-service operations:

• provide managed secrets storage
• expose HTTPS APIs for runtime retrieval
• encrypt all data at rest
• integrate with automated workloads
• remove secrets from source code and configs

Key differences

BV

• uses explicit hierarchical envelope encryption
• separates encrypted secrets (BVWA) from keys (BVKS)
• keys and ciphertext never stored on the same service
• per-customer cryptographic isolation using distinct key trees
• operator-controlled root key (KSK) entered at startup
• independent of any cloud provider

AWS Secrets Manager

• integrated with AWS KMS
• keys and secrets both managed inside AWS control plane
• isolation primarily enforced by IAM policies
• requires AWS account and infrastructure

Trust model

BV

• trust limited to BV services and operator-controlled root key

AWS

• trust includes AWS infrastructure and KMS control plane

When BV may be preferred

• strict key custody requirements
• multi-cloud or non-AWS environments
• strong separation between key service and data service
• per-customer crypto isolation

When AWS may be preferred

• already fully on AWS
• want tight integration with IAM and other AWS services