Linux Identity vs HashiCorp Vault SSH
Vault’s SSH secrets engine is the same underlying idea: an SSH CA issuing short-lived certs. Linux Identity is the full product around that primitive — enrollment, policy, audit chain, sudo capture, SOC 2 export, and someone else runs the control plane.
TL;DR
Pick Vault SSH if
You already run Vault, your platform team is happy operating it, you want a primitive you can wire into a custom workflow, and you have the engineering bandwidth to build enrollment / audit / SOC 2 export on top of it.
Pick Linux Identity if
You want short-lived SSH certs without standing up Vault, you need sudo capture and a tamper-evident audit chain on day one, and the SOC 2 attach matters more than the underlying primitive flexibility.
Feature comparison
Facts checked against HashiCorp’s public Vault SSH-engine documentation as of May 2026. If something is out of date, email saheed@linuxidentity.com.
| Feature | Linux Identity | Vault SSH |
|---|---|---|
| Core mechanism | SSH certificate authority with managed lifecycle | SSH secrets engine (CA mode) — primitive |
| Time to first cert issued | 5 minutes | Days–weeks (Vault install + policy authoring + agent rollout) |
| Host enrollment | Bootstrap via signed install script + cosign verification | DIY — you write the script and roll out the CA pubkey |
| SSO integration | First-class — OIDC verification on every cert request | Yes via OIDC auth method, but you wire it yourself |
| Sudo capture / audit | First-class via PAM module | Not included — you build your own auditd/Falco pipeline |
| Audit log tamper evidence | sha256 hash chain + WORM object storage | Vault audit log (file/socket sinks); no built-in hash chain on customer telemetry |
| SOC 2 evidence export | First-class, maps audit rows to CC6.x controls | Not included — DIY from raw Vault audit logs |
| Key custody | Managed KMS (never on disk) | Vault internal storage, optionally HSM-backed — you operate it |
| Operational burden | Hosted control plane on Team; we run it | You run Vault, including unseal, snapshots, upgrades, HA |
| Cert revocation | OpenSSH KRL pushed to hosts within 60s | Cert revocation via Vault SSH engine; KRL distribution DIY |
| Open-source tier | Yes — up to 5 hosts, self-hosted | Vault OSS is free; SSH engine included |
| Pricing model | $25/host/mo (Team, annual) with volume discounts | Vault Enterprise quote-based; OSS free but DIY operations cost time |
| Standard OpenSSH on hosts | Yes — cert presented to vanilla sshd | Yes — same primitive |
| Public threat model | Yes — /security/threat-model/ | Vault threat model is public; SSH-engine-specific assumptions are scattered across docs |
| On-prem control plane | Enterprise tier | Yes — self-hosted is the default deployment |

Note on core mechanism: both issue short-lived SSH certificates. We wrap enrollment, policy, audit, and SOC 2 export around it; Vault gives you the primitive to build with.

Note on operational burden: Vault is operationally non-trivial. Outages mean no new SSH certs. We carry that burden.
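To make the "sha256 hash chain" row concrete, here is a minimal chained audit log with a verifier that reports where a chain breaks. It is an added illustration, not Linux Identity's or Vault's code; the row schema, the canonical JSON encoding, the genesis value and the idea of storing the head hash out-of-band (e.g. in WORM storage) are all assumptions made for the example.

```python
import hashlib
import json

# Constructed sample audit rows in an assumed schema (the real row format is not on this page).
SAMPLE_ROWS = [
    {"ts": "2026-05-01T10:00:00Z", "event": "ssh_login", "user": "alice", "host": "web-01", "cert_id": "c-1001"},
    {"ts": "2026-05-01T10:00:07Z", "event": "sudo", "user": "alice", "host": "web-01", "cmd": "systemctl restart nginx"},
    {"ts": "2026-05-01T10:03:11Z", "event": "ssh_logout", "user": "alice", "host": "web-01"},
]

GENESIS = "0" * 64  # assumed fixed starting value for the first link


def row_digest(prev_hash: str, row: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical row always hashes identically.
    payload = json.dumps(row, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


def build_chain(rows):
    """Link rows into entries of {row, prev, hash}, each hash covering the previous hash."""
    chain, prev = [], GENESIS
    for row in rows:
        h = row_digest(prev, row)
        chain.append({"row": row, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, head_hash):
    """Return (ok, bad_index). bad_index is the first broken entry, or len(chain) if the
    entries verify but the tail does not reach the head hash stored out-of-band."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or row_digest(prev, entry["row"]) != entry["hash"]:
            return False, i
        prev = entry["hash"]
    return (True, None) if prev == head_hash else (False, len(chain))


def tamper_check_demo():
    """Build the chain, then show how an edited, a deleted and a truncated row each surface."""
    chain = build_chain(SAMPLE_ROWS)
    head = chain[-1]["hash"]  # the value that would be written to WORM storage
    edited = [dict(e, row=dict(e["row"])) for e in chain]
    edited[1]["row"]["cmd"] = "id"  # rewrite the captured sudo command in place
    removed = chain[:1] + chain[2:]  # drop the sudo row entirely
    truncated = chain[:2]  # cut the log after the sudo row
    return {
        "intact": verify_chain(chain, head),
        "edited": verify_chain(edited, head),
        "removed": verify_chain(removed, head),
        "truncated": verify_chain(truncated, head),
    }
```

Rehashing a modified row does not help an attacker because every later hash depends on it and the head is kept outside the writable log; truncation is only caught because that head is compared.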
Already on Vault SSH?
We can read your existing Vault SSH CA private key into our managed KMS and rotate without re-trusting every host. Sudo capture and the audit chain start populating the moment the agent rolls out. You can keep Vault for everything else; this is just the SSH path.