Secrets Managers

14 October 2025

Secrets managers are for machines. Password managers are for humans. You put credentials, API tokens, certificates, and encryption keys into a secrets manager, and your applications fetch them at runtime instead of having them hardcoded or sitting in .env files.

Why you’d want one

Secrets sprawl is the default state of any growing codebase. Credentials end up in .env.example files that got committed by mistake, in config backups on someone’s laptop, in Slack DMs, in CI variables nobody audits. A secrets manager gives you one place to put them, one place to rotate them, and an audit log when someone touches them.

If you’re subject to SOC 2, HIPAA, or PCI-DSS, structured secrets management is close to a baseline requirement anyway.

The options

Bitwarden Secrets Manager is the companion product to the Bitwarden password manager. SaaS or self-hosted, end-to-end encrypted, CLI and API, machine accounts for CI/CD. Free tier covers unlimited secrets for 2 users with 3 machine accounts; Teams is $6/user/month, Enterprise is $12/user/month. Decent pick if you already use Bitwarden and your needs are modest. It stores and serves static secrets only: there are no dynamic secrets, so Vault or Infisical win the moment you want credentials issued per workload rather than shared.

HashiCorp Vault is the enterprise default. Source-available core (BSL since 2023, which matters if you’re reshipping it to customers), commercial Enterprise, and HCP Vault as the managed version. The thing Vault does that others mostly don’t is dynamic secrets: it will issue a short-lived database password or cloud IAM credential on request and revoke it automatically when the lease TTL expires, so every workload gets its own credential and a leak is bounded by the TTL. It also does PKI, encryption as a service (the transit engine), and auth methods for Kubernetes, AWS IAM, LDAP, OIDC and most other identity sources. Steep learning curve. If you need PKI or dynamic secrets at scale, nothing else really compares.

Infisical is the modern open-source option. MIT-licensed core (the enterprise features sit under a separate licence), actively developed, SaaS or self-hosted, genuinely good UX. Covers the usual ground: dev/staging/prod separation, versioning, dynamic secrets, native integrations with GitHub, Vercel, AWS, Docker, Kubernetes. Also does secret scanning, internal PKI, KMS, and SSH certs. I’d probably start here if you want most of Vault’s capability without the pain.

SOPS is a different shape. Not a server. A CLI tool that encrypts the values in a file in place (YAML, JSON, env, ini) while leaving the keys and structure readable, so you can commit the file to git and a diff still shows which keys changed. Encryption backends include AWS KMS, GCP KMS, Azure Key Vault, PGP, age, and Vault’s transit engine. Made for GitOps. If your secrets want to live alongside your Kubernetes manifests or Terraform, SOPS is the natural fit. It doesn’t replace a centralised manager for runtime access, dynamic secrets, or audit logs: a KMS-backed decrypt shows up in the cloud provider’s key audit trail, but SOPS itself keeps no record of who decrypted what, and an age or PGP key on a laptop leaves none at all.
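An added example of the rule file SOPS reads, written for this post rather than taken from the SOPS project: a .sops.yaml at the repository root that picks the wrapping key by path and limits encryption to the secret-bearing fields of a Kubernetes Secret manifest. The KMS ARN and the two age recipients are placeholders, not real keys.

```yaml
# .sops.yaml (repository root). Rules are tried top to bottom against the
# path of the file being encrypted; the first matching rule wins.
creation_rules:
  # Production manifests: wrap the per-file data key with a cloud KMS key,
  # so a decrypt needs cloud IAM and lands in the key's audit log.
  # The ARN is a placeholder.
  - path_regex: ^k8s/prod/.*\.ya?ml$
    kms: arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID
    # Encrypt only the values under data/stringData; apiVersion, kind and
    # metadata stay readable for diffs, kubectl and policy checks.
    encrypted_regex: ^(data|stringData)$
  # Everything else: age recipients for the people allowed to decrypt.
  # Both recipient keys are placeholders.
  - path_regex: \.ya?ml$
    age: >-
      age1RECIPIENT_ONE_PLACEHOLDER,
      age1RECIPIENT_TWO_PLACEHOLDER
    encrypted_regex: ^(data|stringData)$
```

With this in place, `sops --encrypt --in-place k8s/prod/db-secret.yaml` rewrites the file so the keys under data and stringData stay readable while each value becomes an `ENC[AES256_GCM,...]` string, and a trailing `sops:` block records the wrapped data key and a MAC over the encrypted content; `sops --decrypt` reverses it for anyone who holds the KMS permission or one of the age private keys. Without encrypted_regex every value in the file is encrypted, which is what you want for a plain .env or a generic YAML config.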

Comparison

                   Bitwarden SM           Vault                    Infisical              SOPS
Deployment         SaaS or self-hosted    Self-hosted or HCP       SaaS or self-hosted    CLI tool
Complexity         Low                    High                     Medium                 Low
Dynamic secrets    No                     Yes                      Yes                    No
GitOps native      No                     No                       No                     Yes
Free tier          Yes (limited)          Yes (self-hosted, BSL)   Yes (generous)         Yes (OSS)
Learning curve     Gentle                 Steep                    Moderate               Gentle

Which one

Already using Bitwarden and you just need somewhere sensible to put CI secrets: Bitwarden SM. If you need dynamic secrets or PKI, it’s Vault or Infisical, and Infisical is nicer to live with unless you specifically need Vault’s enterprise features. SOPS is for the GitOps case, and it’s worth running alongside one of the others rather than instead of one.

Notes from using them

Rotation is only useful if your applications actually re-fetch. A process that reads a credential once at boot and holds it for its lifetime will keep presenting a password the manager has already rotated or revoked; short TTLs that nothing re-fetches against just turn every rotation into an outage, which is worse than no rotation at all.

Dynamic secrets are great when they work and painful when they don’t: the credential a workload holds is only as live as its lease, and a failed renewal is a failed workload. Build a fallback path (a cached last-known-good credential with a bounded grace period, or a break-glass static credential that is audited and rotated) before you rely on them in prod.

The bootstrap secret (Vault’s unseal or recovery key shares, the age private key, or the admin access to whichever KMS key wraps everything else) is the one thing you can’t afford to lose. Write it down, store it separately from everything else, back it up somewhere offline. Vault’s initial root token is not the thing to keep: revoke it once auth methods are configured and regenerate one from the key shares with `vault operator generate-root` if you ever need it again.

Don’t let the secrets manager become the single point that takes out your whole fleet. If Vault is down, nothing deploys and nothing starts. Plan for that case explicitly: decide whether a restart during an outage fails closed or starts on a cached credential, and put a local cache in front of the backend (Vault Agent can cache leases and render secrets to files on the host) so already-running workloads keep going while the backend is unreachable.
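The client side of the dynamic-secrets story in the Vault paragraph and the three notes above (re-fetch before the TTL runs out, have a fallback, decide what an outage does), as an added example written for this post and not code from Vault, Infisical or Bitwarden. FakeClock, FakeDynamicSource, SecretCache and the db-cred-N values are constructed for the demo; they model a lease-issuing backend rather than calling one.

```python
"""Lease-aware secret client with an explicit outage policy (added example)."""
import time
from typing import Callable, Dict, Optional, Tuple


class SecretsManagerDown(Exception):
    """The backend could not be reached."""


class FakeClock:
    """Constructed clock so the scenario is deterministic."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class FakeDynamicSource:
    """In-memory stand-in for a dynamic-secrets engine (constructed for the demo).

    issue() mints a fresh credential with a TTL. Once the TTL has elapsed the
    backend treats it as revoked, the way Vault's database engine drops the DB
    user it created when the lease expires.
    """
    def __init__(self, clock: Callable[[], float], ttl: float = 60.0) -> None:
        self.clock, self.ttl, self.down = clock, ttl, False
        self.expiry: Dict[str, float] = {}   # credential -> absolute expiry time
        self._n = 0

    def issue(self) -> Tuple[str, float]:
        if self.down:
            raise SecretsManagerDown("backend unreachable")
        self._n += 1
        cred = f"db-cred-{self._n}"
        self.expiry[cred] = self.clock() + self.ttl
        return cred, self.ttl

    def is_valid(self, cred: str) -> bool:
        """Would the database still accept this credential right now?"""
        return cred in self.expiry and self.clock() < self.expiry[cred]


class SecretCache:
    """Re-fetches once a fraction of the TTL has elapsed; during an outage it
    serves the last known-good credential only while that is still inside its
    TTL plus a grace window, and fails closed otherwise."""
    def __init__(self, fetch: Callable[[], Tuple[str, float]],
                 clock: Callable[[], float] = time.time,
                 refresh_fraction: float = 0.5, stale_grace: float = 0.0) -> None:
        self.fetch, self.clock = fetch, clock
        self.refresh_fraction, self.stale_grace = refresh_fraction, stale_grace
        self._value: Optional[str] = None
        self._issued_at = 0.0
        self._ttl = 0.0

    def get(self) -> str:
        now = self.clock()
        due = self._value is None or now >= self._issued_at + self._ttl * self.refresh_fraction
        if due:
            try:
                self._value, self._ttl = self.fetch()
                self._issued_at = now
            except SecretsManagerDown:
                if self._value is None:
                    raise                      # nothing cached: fail closed
                if now > self._issued_at + self._ttl + self.stale_grace:
                    raise                      # past TTL and grace: fail closed
                # otherwise serve the last known-good credential (the fallback path)
        return self._value


def run_scenario() -> Dict[str, object]:
    """Issue, cached read, early refresh, outage with fallback, then fail-closed."""
    clock = FakeClock()
    src = FakeDynamicSource(clock, ttl=60.0)
    cache = SecretCache(fetch=src.issue, clock=clock, stale_grace=30.0)
    out: Dict[str, object] = {}
    boot_cred = cache.get()                  # t=0: db-cred-1, expires at 60
    out["boot"] = boot_cred
    clock.now = 10.0
    out["cached"] = cache.get()              # still db-cred-1, no backend call
    clock.now = 31.0
    out["refreshed"] = cache.get()           # past half the TTL: db-cred-2, expires at 91
    src.down = True                          # the secrets manager goes away
    clock.now = 65.0
    out["during_outage"] = cache.get()       # refresh due, backend down, lease still good
    out["boot_cred_valid"] = src.is_valid(boot_cred)   # a boot-time-only reader holds this: revoked
    out["served_cred_valid"] = src.is_valid(str(out["during_outage"]))
    clock.now = 125.0                        # 91 + 30s grace has passed
    try:
        cache.get()
        out["fail_closed"] = False
    except SecretsManagerDown:
        out["fail_closed"] = True
    return out
```

The refresh at half the TTL is what keeps rotation from becoming an outage: the client is still holding a valid credential when it asks for the next one, so a transient backend error at that moment is survivable. The grace window is the fallback path, and it is a deliberate decision rather than a default: a backend that is down is also not revoking, so a lease that nominally expired during the outage will often still work, and stale_grace is how long you are prepared to lean on that before failing closed.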

Resources