Open Source Secrets Manager
A secrets manager is a single point that, if it falls, exposes every credential your infrastructure runs on - the blast radius is the whole environment, so how it encrypts at rest, scopes access, and rotates keys matters more than any convenience feature. The open source systems here put that machinery in the open: you can read the encryption and access logic, host it inside your own trust boundary, and rotate or revoke without waiting on a vendor.

Vaultwarden
Self-hosted Bitwarden-compatible server in Rust, light enough to run where the official service is too heavy

HashiCorp Vault
Secrets management, encryption as a service, and privileged access management

Infisical
Open-source secrets, certificate, and privileged access management for teams and infrastructure

SOPS
Editor for encrypted YAML, JSON, ENV, INI, and binary files with KMS, age, and PGP

Bitwarden
Open-source password manager for passwords and passkeys, with clients for web, browser, desktop, and CLI

Sealed Secrets
Kubernetes controller and kubeseal tool for one-way encrypted Secrets

gopass
GPG-encrypted, git-versioned password manager for teams - a drop-in replacement for the standard UNIX pass

External Secrets Operator
Kubernetes operator that syncs values from external secret stores into Kubernetes Secrets

OpenBao
Open source secrets manager for storing, encrypting, leasing, and revoking sensitive data
How to choose an open source secrets manager
Start with the trust boundary. A secrets manager can be a central online service, a local agent model, or a library-backed encrypted store, and each choice changes your blast radius. Central services make policy and audit easier, but every workload now depends on their availability and latency. Agent models reduce application changes but add host-level operational work. Also decide whether you need static secret storage only or dynamic credentials with leases. Dynamic secrets reduce long-lived exposure, but they require the manager to understand the target system well enough to create, revoke, and renew credentials safely.
Examine the access model before the UI. A secrets manager should map cleanly to how machines and people prove identity: workload identity, short-lived tokens, mTLS, OIDC, LDAP, or a cloud IAM bridge. The hard part is not creating folders of secrets. It is expressing who can read, write, rotate, approve, or break glass for a narrowly scoped path without handing out root-like power. Audit logs also need to be useful under review. You want evidence of access decisions and policy changes, not accidental disclosure of secret values in logs or error messages.
Plan the operating model and exit path together. Secrets are small, but the system around them is not: seal and unseal procedures, backup encryption, restore testing, client retries, certificate renewal, and disaster recovery all matter. Check how applications consume secrets through APIs, sidecars, templates, environment injection, or mounted files, because that determines migration cost. For exit, prefer clear export of metadata, paths, policies, and version history where possible. Secret values may need special handling, but you should not be trapped by undocumented storage formats or one-off client behavior.
Related categories
Frequently asked questions
What problems should a secrets manager solve first?+
Start with removing secrets from source code, shared files, chat, build logs, and long-lived environment variables. A useful secrets manager gives applications a controlled way to fetch credentials, gives operators a way to rotate them, and gives auditors a record of access. If it only stores encrypted key-value pairs without identity, policy, and rotation, it may be closer to a vault file than an operational secrets system.
Is self-hosting a secrets manager safe enough for production?+
It can be, but only if you treat it as production infrastructure rather than a side service. You need hardened hosts, TLS everywhere, strict administrative access, reliable backups, monitored availability, and rehearsed recovery procedures. The biggest risk is often operational: losing unseal material, misconfiguring policy, or running a single instance that becomes a deployment bottleneck during an incident.
How important are dynamic secrets compared with storing static values?+
Dynamic secrets are valuable when the target system supports safe creation and revocation of credentials, such as database accounts, certificates, or temporary service tokens. They reduce the damage window because credentials expire automatically. Static secrets are still common for legacy systems and third-party services. The practical question is whether your applications and operators can handle leases, renewal failures, and revocation without causing outages.
Which authentication model works best for applications?+
Prefer an authentication model that uses the workload's existing identity instead of a shared bootstrap secret. Good patterns include machine identity, mTLS client certificates, OIDC tokens, cloud workload identity, or orchestrator-provided identity. Avoid designs where every application stores a permanent token just to fetch another secret. The first credential is the weak point, so make it short-lived, tightly scoped, and easy to revoke.
What should I look for in access control and permissions?+
Look for policy that can express path-level access, read versus write separation, rotation authority, and administrative delegation without giving teams broad control over unrelated secrets. Namespaces or tenant boundaries matter if multiple teams share one service. Also check how emergency access works. A break-glass path should be auditable and time-bounded, not a standing admin token kept in a password manager.
How does secret rotation usually work?+
Rotation can mean updating a stored value, generating a new credential in the target system, or issuing short-lived credentials on demand. The safest systems coordinate creation, distribution, validation, and revocation so old credentials do not disappear before applications have reloaded. Check whether clients refresh automatically, whether failed rotations roll back cleanly, and whether the manager can rotate the specific databases, certificates, and external services you use.
What belongs in audit logs for a secrets manager?+
Audit logs should show who or what requested access, which path or credential class was involved, whether the request was allowed, and which policy decision applied. They should also record policy changes, login events, token creation, rotation actions, and administrative operations. They should not leak secret values, full tokens, or sensitive request payloads. Make sure logs can be shipped to your existing security monitoring stack.
Should a secrets manager replace environment variables?+
Not always. Environment variables are simple, but they are easy to leak through process listings, crash reports, debug pages, and build systems. A secrets manager can inject values at start time, mount files, or let applications fetch secrets at runtime. Runtime fetching supports rotation better, but it adds dependency handling. For older applications, file or environment injection may be the realistic first step.
How do backups work when the stored data is encrypted?+
Backups must include encrypted storage data and the separate material needed to decrypt or unseal it. If you back up only the database but lose recovery keys, the backup is useless. If you store recovery keys beside the backup, you have weakened the whole design. Test restores in an isolated environment, document who holds key shares, and verify that audit logs and policy data survive recovery.
What is the migration path from files and scripts?+
Inventory every secret first, including owners, consumers, rotation method, and where it currently appears. Then import values into clear paths, write policies around applications rather than people, and update one service at a time. Expect cleanup work in CI/CD variables, shell scripts, configuration templates, and old deployment logs. Migration is safest when you rotate secrets after moving them, because old copies may still exist.
Do integrations matter more than the web interface?+
For most teams, yes. Applications need stable APIs, SDKs, command-line tooling, templates, and automation hooks more than a polished admin screen. The manager must fit deployment pipelines, certificate issuance, database provisioning, monitoring, and incident response. A weak integration story usually leads to wrapper scripts and copied tokens, which defeats the point. Test the client behavior under expiration, permission denial, and service downtime.
How should teams handle outages or network partitions?+
Decide which applications can fail closed and which need cached credentials to keep running. A secrets manager outage should not automatically take down every service, but stale credentials can become a security risk. Look for client-side caching controls, lease renewal behavior, health checks, and clear error handling. Run failure tests before production use, especially for startup paths where applications cannot boot without a secret.
What happens if the project behind a secrets manager slows down?+
Your risk depends on how deeply it is embedded. Favor documented storage formats, stable APIs, standard authentication methods, and clients that can be replaced without rewriting every application. Keep an export plan for paths, policies, metadata, and secret material under controlled conditions. Also watch issue response, release cadence, governance, and security handling so you can move before the tool becomes a liability.