Best Secrets Management of 2026

Updated · 7 picks · live pricing · affiliate disclosure

BEST OVERALL · 10.0/10

HashiCorp Vault

Enterprise OSS leader with HSM integration, DR replication, and the longest enterprise track record.

OSS BSL free; HCP free trial credits

How it stacks up

  • OSS BSL free

    vs Doppler dev-experience

  • HCP $0.03/client/hr

    vs Infisical OSS MIT

  • Enterprise $50K+

    vs Akeyless SaaS dynamic

#2 Akeyless · 9.5/10 · Free

#3 AWS Secrets Manager · 9.2/10 · From $0.40/mo

All picks at a glance

| # | Pick | Best for | Starting | Score |
|---|------|----------|----------|-------|
| 1 | HashiCorp Vault | Best enterprise secrets management with HSM and DR replication | Free | 10.0/10 |
| 2 | Akeyless | Best SaaS dynamic secrets with Distributed Fragment Cryptography | Free | 9.5/10 |
| 3 | AWS Secrets Manager | Best AWS-native secrets management with per-secret pricing | $0.40/mo | 9.2/10 |
| 4 | Infisical | Best open-source MIT-licensed secrets management with self-hosted Pro | $8.00/mo | 6.8/10 |
| 5 | EnvKey | Best simple OSS secrets management with single-binary install | $8.00/mo | 6.0/10 |
| 6 | Doppler | Best developer-experience secrets management with CLI-first workflow | $23.00/mo | 5.3/10 |
| 7 | 1Password Secrets Automation | Best password-manager-bundled secrets management for 1Password Business teams | $7.99/mo | 4.4/10 |

Quick pick by use case

If you only have thirty seconds, find your situation below and skip to that pick.

Compare all 7 picks

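| # | Pick | Score | Monthly | Annual | Savings note | Free tier / top spec |
|---|------|-------|---------|--------|--------------|----------------------|
| 1 | HashiCorp Vault | 10.0/10 | Free | | | OSS BSL free |
| 2 | Akeyless | 9.5/10 | Free | | | Free 50 conns |
| 3 | AWS Secrets Manager | 9.2/10 | $0.40/mo | $4.80/yr | Save $91.20/yr | Free trial 30 days |
| 4 | Infisical | 6.8/10 | $8.00/mo | $96.00/yr | | OSS MIT free |
| 5 | EnvKey | 6.0/10 | $8.00/mo | $96.00/yr | | OSS MIT free |
| 6 | Doppler | 5.3/10 | $23.00/mo | $216.00/yr | $180/yr more | Developer free |
| 7 | 1Password Secrets Automation | 4.4/10 | $7.99/mo | $95.88/yr | Save $0.12/yr | Business $7.99/user |
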
#1

HashiCorp Vault

10.0/10

Best enterprise secrets management with HSM and DR replication

Enterprise OSS leader with HSM integration, DR replication, and the longest enterprise track record.

| Plan | Monthly | What you get |
|------|---------|--------------|
| Vault OSS (Community) | Free | BSL-licensed self-hosted Vault free with feature limits. |
| HCP Vault (Cloud) | Free | Per-hour managed Vault on AWS or Azure. |
| Vault Enterprise | Custom | HSM integration, DR replication, and Performance Standby Nodes. |

HashiCorp Vault is the default enterprise secrets manager for platform-security teams in 2026. Founded in 2012 in San Francisco and acquired by IBM in 2024, Vault is built around a self-hostable platform that runs on customer infrastructure with HSM integration, performance standby nodes, and disaster-recovery replication.

Three tiers serve three buyers. Vault OSS Community ships BSL licensed free with feature limits and core secrets plus dynamic secrets. HCP Vault Cloud ships managed Vault on AWS or Azure at $0.03 per client per hour starter. Vault Enterprise ships custom contract typically $50K+/yr with HSM, DR replication, and performance standby nodes.

The load-bearing wedge is the enterprise compliance posture. Where Doppler is SaaS-only and AWS Secrets Manager runs only inside AWS, Vault runs on customer-owned infrastructure with the longest enterprise track record; institutional buyers procuring for SOC 2, FedRAMP, or HIPAA workloads have already cleared Vault internally. The catch is the BSL license change in late 2023 and the IBM acquisition; OSS-purist teams who want MPL or Apache 2.0 licensing should evaluate Infisical or OpenBao. For teams already on Terraform or Consul, Vault is the no-brainer entry; for teams without that ecosystem, alternatives cost less.

Pros

  • BSL OSS plus HCP managed plus Enterprise across one platform
  • HSM integration plus DR replication on Enterprise
  • Performance standby nodes for high-availability deployments
  • Longest enterprise track record in category since 2012
  • Deep Terraform plus Consul plus Nomad ecosystem integration

Cons

  • BSL license change in 2023 plus IBM acquisition in 2024
  • Self-hosted operations require dedicated platform team

OSS BSL free · HCP $0.03/client/hr · Enterprise $50K+ · OSS BSL free; HCP free trial credits

Best for: Platform-security teams running self-hosted infrastructure for SOC 2, FedRAMP, or HIPAA workloads. OSS BSL free; HCP $0.03/client/hr; Enterprise $50K+/yr.

Self-host posture: 10
Rotation latency: 8
CLI ergonomics: 6
Value: 7
Support: 9

#2

Akeyless

9.5/10

Best SaaS dynamic secrets with Distributed Fragment Cryptography

SaaS dynamic secrets platform with Distributed Fragment Cryptography and zero-knowledge architecture.

| Plan | Monthly | What you get |
|------|---------|--------------|
| Free | Free | Free up to 50 client connections with static and dynamic secrets. |
| Standard | Free | Higher client connections with audit log and RBAC. |
| Enterprise | Custom | SAML SSO, SCIM, and Distributed Fragment Cryptography. |

Akeyless is the SaaS dynamic secrets pick for teams who want managed dynamic secrets without standing up Vault clusters. Founded in 2018 in Tel Aviv, Akeyless is built around a Distributed Fragment Cryptography model where the customer's encryption keys are split across multiple fragments so no single party can decrypt secrets without explicit cooperation.

Three tiers serve three buyers. Free ships up to 50 client connections with static plus dynamic secrets, cloud or self-hosted. Standard ships custom pricing with higher client connections, audit log, and RBAC. Enterprise ships custom pricing with SAML SSO, SCIM, Distributed Fragment Cryptography, and dedicated support.

The load-bearing wedge is the zero-knowledge SaaS posture. Where Vault HCP runs as a single-tenant managed Vault and Doppler is multi-tenant SaaS that can technically read secrets on its servers, Akeyless splits encryption keys across fragments so the vendor cannot decrypt customer secrets even with full database access; for compliance teams who want SaaS economics with self-hosted-equivalent crypto, Akeyless is the proven path. The catch is the shorter brand-recognition history versus Vault and the custom-pricing-everywhere model that hides comparison against published per-user rates. For compliance-heavy SaaS teams, Akeyless is worth the conversation; for cost-comparison teams, published-pricing alternatives win.

Pros

  • Distributed Fragment Cryptography for zero-knowledge posture
  • Cloud or self-hosted deployment on Free tier
  • Free up to 50 client connections for evaluation
  • SAML SSO plus SCIM on Enterprise tier
  • Static plus dynamic secrets across all tiers

Cons

  • Custom pricing on Standard plus Enterprise lacks transparency
  • Shorter brand-recognition history than Vault since 2012

Free 50 conns · Standard custom · Enterprise custom · Free up to 50 connections; cancel-anytime

Best for: Compliance-heavy SaaS teams wanting zero-knowledge crypto without self-hosting. Free 50 connections; Standard custom; Enterprise custom contract.

Self-host posture: 10
Rotation latency: 8
CLI ergonomics: 7
Value: 8
Support: 8

#3

AWS Secrets Manager

9.2/10 · Save $91.20/yr

Best AWS-native secrets management with per-secret pricing

AWS-native secrets manager with deep AWS integration and per-secret pricing.

| Plan | Monthly | Annual | What you get |
|------|---------|--------|--------------|
| Free trial | Free | | Thirty days free per secret with full feature access. |
| Pay-as-you-go | $0.40/mo | $4.80/yr | Per-secret monthly with auto-rotation included. |
| Enterprise (via AWS Enterprise Support) | Custom | Custom | Volume discounts via EDP plus premium AWS support. |

AWS Secrets Manager is the AWS-native pick for teams whose infrastructure already runs on AWS and who want secrets storage in the same console as IAM, RDS, and Lambda. Launched in 2018 as a managed service, Secrets Manager bills per-secret rather than per-user, which inverts unit economics for teams with high engineer counts and low secret counts.

Three tiers serve three buyers. Free trial ships 30 days free per secret. Pay-as-you-go ships $0.40 per secret per month plus $0.05 per 10K API calls with auto-rotation included. Enterprise via AWS Enterprise Support ships volume discounts through the AWS EDP with premium support tiers and custom rotation Lambdas.

The load-bearing wedge is the per-secret pricing plus AWS console integration. Where Doppler bills $23/user and Vault Enterprise asks for a contract, Secrets Manager bills $0.40 per secret regardless of how many engineers can read it; for a 100-engineer team with 50 application secrets, the math is $20/mo total versus Doppler's $1,150/mo and Vault Enterprise's $50K/yr. The catch is the AWS-only scope; teams running multi-cloud cannot consolidate secrets without exposing the AWS console as the single dependency. For AWS-only teams, Secrets Manager is the no-brainer entry; for multi-cloud teams, Vault HCP covers better.

Pros

  • Per-secret pricing inverts unit economics for high-engineer teams
  • Auto-rotation included on Pay-as-you-go tier
  • Deep AWS integration with IAM, RDS, Lambda, and EKS
  • Volume discounts via AWS Enterprise Discount Program
  • No additional vendor relationship for AWS-already teams

Cons

  • AWS-only scope limits multi-cloud or hybrid deployments
  • No SCIM provisioning on Pay-as-you-go tier

Free trial 30 days · $0.40/secret/mo · Enterprise via EDP · 30-day free trial per secret; per-secret billing

Best for: AWS-only teams with high engineer counts and moderate secret counts. Free trial 30 days; Pay-as-you-go $0.40/secret/mo; Enterprise via AWS EDP.

Self-host posture: 9
Rotation latency: 9
CLI ergonomics: 8
Value: 10
Support: 9

#4

Infisical

6.8/10

Best open-source MIT-licensed secrets management with self-hosted Pro

Open-source MIT alternative with permissive licensing and self-hostable Pro features.

| Plan | Monthly | Annual | What you get |
|------|---------|--------|--------------|
| OSS (free) | Free | | MIT-licensed self-hosted with unlimited secrets and projects. |
| Cloud Free | Free | | Hosted Infisical free up to 5 users and 1 project. |
| Pro | $8.00/mo | $96.00/yr | Per-user Pro with dynamic secrets and audit log. |
| Enterprise | Custom | Custom | SSO, SCIM, advanced RBAC, and self-hosted paid features. |

Infisical is the OSS-MIT pick for teams who want a permissive license and the option to self-host paid features. Founded in 2022 as a Y Combinator W23 graduate, Infisical is built around an MIT-licensed core that runs on customer Kubernetes with a Cloud Pro tenant and a self-hosted Enterprise tier that unlocks the same paid features on customer infrastructure.

Four tiers serve four buyers. OSS ships MIT-licensed free, self-hosted with unlimited secrets. Cloud Free ships hosted up to 5 users and 1 project. Pro ships $8/user/mo with unlimited projects, dynamic secrets, and audit log. Enterprise ships custom pricing with SSO, SCIM, RBAC, and self-hosted Pro features.

The load-bearing wedge is the licensing posture plus self-host paid tier. Where Vault OSS shifted from MPL to BSL in late 2023 and Doppler is SaaS-only, Infisical ships MIT-licensed core forever and unlocks paid features for teams who self-host on Kubernetes; OSS-purist teams who avoided Vault after the BSL change have Infisical as the open-source-friendly alternative. The catch is the shorter track record; Infisical is YC W23 versus Vault's 2012 founding. For OSS-purist teams who want self-hosted paid features, Infisical is the proven entry; for teams who need 12-year enterprise references, Vault still wins procurement.

Pros

  • MIT-licensed core forever with no BSL or commercial restrictions
  • Self-hosted Pro features available on Enterprise tier
  • Dynamic secrets plus audit log on Pro at $8/user
  • Kubernetes operator plus GitOps native integrations
  • YC W23 backing with active OSS community

Cons

  • Shorter enterprise track record than Vault since 2012
  • Smaller HSM integration ecosystem than Vault Enterprise

OSS MIT free · Pro $8/user/mo · Enterprise custom · OSS MIT free forever; cancel-anytime monthly

Best for: OSS-purist teams who want MIT licensing and self-hostable Pro features. OSS free; Cloud Free 5 users; Pro $8/user/mo; Enterprise custom.

Self-host posture: 10
Rotation latency: 8
CLI ergonomics: 8
Value: 10
Support: 8

#5

EnvKey

6.0/10

Best simple OSS secrets management with single-binary install

Simple OSS secrets manager with single-binary install and end-to-end encryption.

| Plan | Monthly | Annual | What you get |
|------|---------|--------|--------------|
| Community (OSS) | Free | | MIT-licensed self-hosted with end-to-end encryption. |
| Cloud Free | Free | | Hosted free for 3 users and 5 environments. |
| Cloud Pro | $8.00/mo | $96.00/yr | Per-user Pro with unlimited environments and audit log. |
| Cloud Enterprise | Custom | Custom | SSO, SCIM, advanced RBAC, and self-hosted option. |

EnvKey is the simple-OSS pick for teams who want secrets management without standing up Kubernetes or signing a contract. Founded in 2017 in San Francisco, EnvKey is built around a single-binary install model where the entire self-hosted server runs as one Go binary, which makes the operational footprint smaller than Vault's HA cluster requirements.

Four tiers serve four buyers. Community OSS ships MIT licensed self-hosted free with end-to-end encryption. Cloud Free ships 3 users plus 5 environments hosted. Cloud Pro ships $8/user/mo with unlimited environments and audit log. Cloud Enterprise ships custom pricing with SSO, SCIM, RBAC, and self-hosted option.

The load-bearing wedge is single-binary operational simplicity. Where Vault asks for an HA Consul cluster underneath and Infisical Pro runs on Kubernetes, EnvKey ships as one Go binary that runs on a $5 VPS with end-to-end encryption maintained client-side; for solo-operator teams or small platform groups, the operational lift is hours rather than weeks. The catch is the smaller feature surface; EnvKey does not generate dynamic secrets the way Vault, Doppler, AWS, Infisical, or Akeyless do, and the integration ecosystem is narrower. For solo operators wanting OSS simplicity, EnvKey is the proven entry; for dynamic secrets, others cover better.

Pros

  • MIT-licensed single-binary self-hosted install
  • End-to-end encryption maintained client-side
  • Cloud Pro at $8/user with unlimited environments
  • Self-hosted option on Cloud Enterprise tier
  • Lowest operational lift in lineup for self-hosted

Cons

  • No dynamic secrets generation versus Vault or Doppler
  • Narrower integration ecosystem than Vault or Infisical

OSS MIT free · Cloud Pro $8/user · Enterprise custom · OSS MIT free forever; cancel-anytime monthly

Best for: Solo operators and small platform teams wanting OSS simplicity. Community OSS free; Cloud Free 3 users; Cloud Pro $8/user/mo; Cloud Enterprise custom.

Self-host posture: 10
Rotation latency: 7
CLI ergonomics: 9
Value: 9
Support: 7

#6

Doppler

5.3/10 · $180/yr more

Best developer-experience secrets management with CLI-first workflow

Developer-experience cloud with CLI-first workflow and the smoothest GitHub-native onboarding.

| Plan | Monthly | Annual | What you get |
|------|---------|--------|--------------|
| Developer | Free | | Free for individuals with unlimited secrets and projects. |
| Team | $23.00/mo | $216.00/yr | Per-user platform with audit log and unlimited environments. |
| Enterprise | Custom | Custom | SAML SSO, SCIM, custom RBAC, and audit retention. |

Doppler is the dev-experience pick for SMB and growth-stage teams who want a modern SaaS secrets manager. Founded in 2018 in San Francisco, Doppler is built around a CLI that wraps any command with injected secrets and a web dashboard that mirrors GitHub conventions for branches, PRs, and access control.

Three tiers serve three buyers. Developer ships free for individuals with unlimited secrets and projects. Team ships $23/user/mo monthly ($18 annual) with unlimited environments, audit log, and activity feed. Enterprise ships custom pricing with SAML SSO, SCIM, custom RBAC, and audit retention.

The load-bearing wedge is onboarding speed and developer ergonomics. Where Vault asks the team to learn a policy DSL and stand up a cluster before a single secret is stored, Doppler ships a working CLI in five minutes; engineers run `doppler run -- npm start` and the dev environment has all the right secrets injected without a config file in source control. The catch is the per-user fee compounding at scale; a 50-engineer team on Team annual pays roughly $11K/yr and a 200-engineer team approaches Vault Enterprise territory. For teams under 50 engineers, Doppler is the proven path; for enterprise teams, Vault covers audit better.

Pros

  • CLI wraps any command with injected secrets in seconds
  • GitHub-native UI for branches, PRs, and access control
  • SAML SSO plus SCIM plus custom RBAC on Enterprise
  • Audit log plus activity feed on Team tier
  • Smoothest onboarding in lineup for non-platform teams

Cons

  • Per-user fee compounds at scale beyond 50 engineers
  • SaaS-only with no self-host option for compliance

Developer free · Team $23/user/mo · Enterprise custom · Developer free for individuals; cancel-anytime monthly

Best for: SMB and growth-stage teams under 50 engineers wanting modern SaaS secrets. Developer free; Team $23/user/mo monthly ($18 annual); Enterprise custom.

Self-host posture: 7
Rotation latency: 9
CLI ergonomics: 10
Value: 8
Support: 8

#7

1Password Secrets Automation

4.4/10 · Save $0.12/yr

Best password-manager-bundled secrets management for 1Password Business teams

Password-manager-bundled Secrets Automation included with 1Password Business.

| Plan | Monthly | Annual | What you get |
|------|---------|--------|--------------|
| Business (Add-on) | $7.99/mo | $95.88/yr | Bundled with 1Password Business and Connect server tokens. |
| Enterprise | Custom | Custom | SCIM provisioning, audit retention, and dedicated account team. |

1Password Secrets Automation is the password-manager-bundled pick for teams already running 1Password Business for end-user passwords and looking for developer secrets in the same console. AgileBits founded 1Password in 2005 in Toronto, and Secrets Automation launched as the developer extension that adds Connect server tokens and CLI access alongside the consumer password manager.

Two tiers serve two buyers. Business Add-on ships built into 1Password Business at $7.99 per user per month with Connect server and tokens. Enterprise ships custom pricing with SCIM provisioning, audit retention, premium support plus SLA, and dedicated account team.

The load-bearing wedge is bundling with the existing 1Password Business subscription. Where Vault asks for a separate enterprise contract and Doppler adds a $23/user line item, 1Password Secrets is included at no extra cost for teams already paying for 1Password Business; the dev secrets workflow becomes a free benefit of an already-signed contract. The catch is feature depth; Vault and Doppler ship dynamic secrets generation that 1Password does not match, and the audit trail is shallower than enterprise Vault. For 1Password Business customers needing basic developer secrets, Secrets Automation is the no-brainer; without 1Password Business, dedicated platforms cover better.

Pros

  • Bundled with 1Password Business at no extra cost
  • Connect server plus tokens for application integrations
  • SCIM provisioning plus audit retention on Enterprise
  • Same console as end-user password manager for IT
  • Lowest friction for 1Password-already teams

Cons

  • No dynamic secrets generation versus Vault or Doppler
  • Shallower audit trail than enterprise Vault

Business $7.99/user · Connect server included · Enterprise custom · Bundled with 1Password Business; cancel-anytime

Best for: 1Password Business customers wanting basic developer secrets workflow. Business Add-on $7.99/user/mo; Enterprise custom contract pricing.

Self-host posture: 9
Rotation latency: 7
CLI ergonomics: 9
Value: 9
Support: 8

How we picked

Each pick gets a transparent composite score from price, features, free-tier availability, and editor fit. Pricing flows from our live database, so when a vendor changes prices the score updates here too.

We weight price 40 percent, features 30, free tier 15, and fit 15. Editorial pinning places Vault #1 over composite-leading AWS Secrets Manager on brand recognition. Vault paid tiers have non-standard pricing (HCP per-hour, Enterprise custom); typical-tier matches the OSS BSL tier. AWS Secrets Manager is per-secret, not per-user.

We don't claim "30,000 hours of testing." Our methodology is the formula above plus the editor's published verdict for each pick. Verifiable, auditable, and updated when the underlying data changes.

Why trust Subrupt

We're a subscription tracker first, a buying guide second. Every claim on this page is something you can check.

By use case

  • Best enterprise secrets management with HSM: HashiCorp Vault
  • Best developer-experience secrets management: Doppler
  • Best open-source MIT-licensed secrets management: Infisical
  • Best AWS-native secrets management: AWS Secrets Manager
  • Best password-manager-bundled secrets management: 1Password Secrets Automation

Didn't make the list

Already in picks (first) but worth flagging the OSS BSL tier. Even with the 2023 license change, BSL Vault remains free for non-competing commercial use across most production deployments.

Already in picks (third) but worth flagging the MIT license. OSS-purist teams who left Vault after the BSL change have Infisical as the actively-maintained MIT alternative with self-hosted Pro.

Already in picks (fourth) but worth flagging per-secret pricing. AWS-only teams with 50 engineers and under 1000 secrets pay $400/mo versus Doppler Team at $1,150/mo or Vault Enterprise.

Already in picks (sixth) but worth flagging Distributed Fragment Cryptography. Compliance teams who want SaaS economics with self-hosted-equivalent zero-knowledge crypto have Akeyless.

How to choose your Secrets Management

Seven product shapes compete for one head term

The 'best secrets management' search covers seven distinct shapes. Enterprise OSS leader (HashiCorp Vault) targets platform-security teams running self-hosted infrastructure for SOC 2, FedRAMP, or HIPAA workloads. Developer-experience cloud (Doppler) targets SMB and growth-stage teams under 50 engineers wanting a modern SaaS tool. Open-source MIT (Infisical) targets OSS-purist teams who want permissive licensing and self-hostable Pro features. AWS-native (AWS Secrets Manager) targets AWS-only teams with high engineer counts and moderate secret counts. Password-manager-bundled (1Password Secrets) targets 1Password Business customers wanting basic developer secrets workflow. SaaS dynamic (Akeyless) targets compliance-heavy SaaS teams. Simple OSS (EnvKey) targets solo operators and small platform teams. The honest framework: identify your compliance posture, infrastructure scope, and engineer count before subscribing.

Per-user-monthly vs per-secret-monthly: pick by team shape

The per-user-monthly versus per-secret-monthly decision drives unit economics. Per-user models (Doppler $23, Infisical $8, EnvKey $8, 1Password $7.99) charge a fixed rate per developer regardless of secret count. Per-secret models (AWS Secrets Manager $0.40) charge per stored secret regardless of how many engineers can read it. Enterprise contract models (Vault Enterprise, Akeyless) charge a flat institutional rate. The honest framework: per-user wins for teams with high secret count and moderate engineer count where the per-secret math compounds. Per-secret wins for teams with high engineer count and moderate secret count where the per-user math compounds. A 100-engineer team with 50 secrets pays AWS $20/mo total versus Doppler $2,300/mo. A 10-engineer team with 5,000 secrets pays AWS $2,000/mo versus Doppler $230/mo. Recompute breakeven for your team's actual ratio before committing.

Self-hosted vs SaaS-only: pick by compliance posture

The self-hosted versus SaaS-only decision drives compliance posture more than price. Self-hostable platforms (Vault OSS, Infisical OSS, EnvKey OSS, Akeyless self-hosted) keep secrets on infrastructure the team audits and controls. SaaS-only platforms (Doppler, AWS Secrets Manager outside AWS, 1Password Secrets) trade the audit burden for vendor responsibility. The honest framework: self-hosted wins for teams with FedRAMP, HIPAA, or air-gapped requirements where the auditor needs evidence the secrets do not leave customer infrastructure. SaaS wins for teams without those constraints where the operational lift of running a Vault cluster is more cost than the SaaS fee saves. A growth-stage SaaS team without FedRAMP requirements should default to Doppler or AWS Secrets Manager and migrate to self-hosted Vault only if compliance forces the move.

Vault BSL license change and OSS-purist alternatives

HashiCorp moved Vault from MPL to the Business Source License in late 2023, which restricts commercial use against HashiCorp commercial products and reverts to MPL after four years. The IBM acquisition in 2024 raised additional governance questions for OSS-purist teams. The honest framework: BSL is fine for most teams since the practical restrictions only affect competing commercial Vault offerings. For teams that need MPL or Apache 2.0 licensing for legal reasons, Infisical (MIT) and OpenBao (the Linux Foundation fork of Vault, MPL) are the OSS-purist alternatives. For teams that want managed Vault without HashiCorp commercial alignment, OpenBao plus Akeyless or Infisical Cloud Pro provide alternative paths. Most teams should not refactor away from Vault on license grounds; the BSL has not affected production usage at the vast majority of teams shipping today.

Dynamic secrets vs static secrets: pick by application architecture

Dynamic secrets generate short-lived credentials on demand and expire automatically; static secrets are long-lived strings stored and rotated manually or on a schedule. Vault, Doppler, AWS Secrets Manager, Infisical Pro, and Akeyless all support dynamic secrets generation; 1Password Secrets and EnvKey ship static-only. The honest framework: dynamic secrets win for application credentials (database passwords, API tokens, SSH keys) where short-lived credentials reduce the blast radius of leaks. Static secrets are fine for configuration secrets (third-party API keys, webhook secrets) that the application reads at startup and uses for the lifetime of the deployment. Most production applications mix both; the database connection uses Vault-generated dynamic credentials while the Stripe API key sits as a rotated static secret. Pick a platform that handles both your secret types.

When Vault wins versus AWS Secrets Manager at scale

HashiCorp Vault versus AWS Secrets Manager is the load-bearing decision for AWS-running teams choosing a secrets platform. Vault wins when (1) the team runs multi-cloud or hybrid infrastructure where AWS-only Secrets Manager cannot consolidate secrets, (2) FedRAMP, HIPAA, or air-gapped compliance requires self-hosted with HSM integration, (3) dynamic secrets generation across non-AWS databases and SaaS APIs is load-bearing for the application architecture. AWS Secrets Manager wins when (1) the entire infrastructure runs on AWS where the IAM and console integration eliminates a vendor relationship, (2) per-secret billing aligns with the team's secret-to-engineer ratio, (3) auto-rotation for RDS and Redshift covers most rotation use cases natively. The honest framework: AWS-only teams default to Secrets Manager unless compliance forces Vault; multi-cloud teams default to Vault unless team size keeps Doppler cheaper.

Frequently asked questions

Are these prices guaranteed not to change?

Vendor pricing changes regularly. Rates here are what each vendor advertises as of May 2026. Doppler Team $23/user monthly stable. Infisical Pro $8/user stable. EnvKey Cloud Pro $8/user stable. 1Password Business $7.99/user bundled stable. AWS Secrets Manager $0.40/secret/mo stable. Vault HCP $0.03/client/hr starter stable; Vault Enterprise custom contract typically $50K+/yr. Akeyless custom pricing on Standard and Enterprise. Verify with vendor before institutional contracts.

Does Subrupt earn a commission from any of these picks?

We track which picks have approved affiliate programs in our database, and the FTC disclosure block at the top of every guide names which ones currently have a click-tracking partnership. Affiliate revenue does not change ranking. The composite math runs against the same weights for every pick regardless of partnership.

Why is Vault ranked first instead of composite-leading AWS Secrets Manager?

Vault leads brand recognition for enterprise secrets management with the longest track record since 2012, and is uniquely-true on the enterprise-leader flag. AWS Secrets Manager wins composite math at $0.40/secret per month but covers only AWS-native deployments. The picks-array order leads with the platform-security brand for the head-term search. AWS Secrets Manager is in picks (fourth) for the AWS-only reader.

Does the Vault BSL license change matter for my team?

For most teams, no. The BSL restricts commercial use against competing Vault products and reverts to MPL after four years. Production Vault usage at applications that are not selling Vault-as-a-service is not affected. OSS-purist teams who need MPL or Apache 2.0 licensing have Infisical (MIT) and OpenBao (Linux Foundation fork, MPL) as alternatives. The IBM acquisition in 2024 has not yet changed Vault commercial pricing or licensing in observable ways.

Should I pick per-user (Doppler) or per-secret (AWS Secrets Manager)?

Recompute the math for your team. Per-user wins for high-secret-count, moderate-engineer-count teams where the per-secret math compounds. Per-secret wins for high-engineer-count, moderate-secret-count teams where the per-user math compounds. A 100-engineer team with 50 secrets pays AWS $20/mo versus Doppler $2,300/mo. A 10-engineer team with 5,000 secrets pays AWS $2,000/mo versus Doppler $230/mo. Track your actual secret count and engineer count for 30 days before committing.

When does self-hosted Vault beat SaaS-only Doppler at scale?

When compliance posture is load-bearing or team size exceeds 100 engineers. Self-hosted Vault wins for FedRAMP, HIPAA, or air-gapped workloads where the auditor needs evidence secrets do not leave customer infrastructure. Self-hosted also wins on cost above 100 engineers where Doppler Team adds up to $2K+/mo recurring versus a Vault cluster on customer infrastructure. SaaS Doppler wins below 50 engineers where the operational lift of running Vault HA exceeds the SaaS fee saved.

Should I run multiple secrets managers for different use cases?

Yes, and many teams do. Common pattern: 1Password Business for end-user shared passwords, Vault for application dynamic secrets in production, AWS Secrets Manager for AWS-native rotation of RDS credentials, EnvKey for solo-engineer dev environment secrets. Multi-platform costs more in licensing but matches each use case to its native pricing model. The risk is sprawl; designate one platform as the canonical source of truth for each secret type and document the boundaries.

When does 1Password Secrets beat dedicated platforms?

When the team already pays for 1Password Business at $7.99/user. Secrets Automation is bundled at no extra cost, which means the dev secrets workflow becomes a free benefit of an already-signed contract. The catch is feature depth; Vault and Doppler ship dynamic secrets generation that 1Password Secrets does not match. For 1Password-already teams who need basic developer secrets workflow, Secrets Automation is the proven entry; for teams needing dynamic secrets, dedicated platforms cover better.

What about OpenBao as a Vault alternative?

OpenBao is the Linux Foundation fork of Vault that maintains the MPL 2.0 license Vault left in late 2023. As of May 2026, OpenBao is community-maintained with active development, and the API plus storage backends remain compatible with Vault OSS. Production-readiness is improving but the enterprise reference base is much smaller than Vault. For MPL licensing today, Infisical (MIT) is the more mature pick; OpenBao is worth tracking for Vault-API compatibility plus MPL.

When does this guide get updated?

We aim to refresh /best/ guides quarterly when there are no major shifts, and immediately when there are. Major triggers: vendor pricing changes (rates stable through May 2026), new entrants (OpenBao maturity progression, Bitwarden Secrets Manager broader release), Vault license or HashiCorp commercial pricing changes, AWS Secrets Manager free-tier policy changes, Infisical post-Series A pricing changes. The lastReviewed date at the top reflects the most recent editorial sweep.

Subrupt Editorial

The team behind subrupt.com. We track subscriptions, surface cheaper alternatives, and publish buying guides where the score formula is on the page so you can recompute it yourself. We do not claim 30,000 hours of testing. What we claim is live pricing from our database, a transparent composite score, and honest savings math against a category baseline.

Affiliate disclosure: Subrupt earns a commission when you switch to a service through our recommendation links. This never changes the price you pay. We only recommend services where there's a real cost or feature advantage for you, and our picks are based on the data on this page, not on which programs pay the most.
