DevOps Secrets Management 2026 Deep Dive - Doppler, Infisical, HashiCorp Vault, AWS Secrets Manager, 1Password CLI, Bitwarden Secrets, SOPS, age

"Secrets are not code. Secrets are data, and data belongs inside a system that handles them — with rotation, auditing, isolation, and access control." — Armon Dadgar, HashiCorp co-founder, KubeCon 2024

The September 2023 Microsoft AI researcher SAS-token leak (38TB of internal data exposed on public GitHub for over a year) and the January 2023 CircleCI breach (every customer environment variable leaked) drove the same lesson home again. "Do not commit .env files" — the advice from 2010 — is no longer enough to stop the threats of 2026. Secrets must live inside a "secrets management platform" that combines rotation, audit logs, workload identity, isolated environment variable injection, push protection, and KMS envelope encryption.

As of May 2026, the DevOps secrets management market has split into five camps. Cloud-native SaaS (Doppler, Infisical), enterprise vaults (HashiCorp Vault, CyberArk Conjur, Akeyless), cloud-managed services (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager), file-based GitOps (SOPS, age, git-crypt, Sealed Secrets), and password manager extensions (1Password CLI, Bitwarden Secrets Manager). This article maps each camp's flagship tools, their workflows, Korean/Japanese adoption patterns, and the real incidents that drove change.

1. Why Secrets Management Matters - The End of the .env File

Through the late 2010s, developers accepted .env files as the standard. python-dotenv, dotenv-rs, and dotenv for Node became the de facto pattern, and "just add it to .gitignore" was considered sufficient protection. The 2020s broke this model from three directions.

First, human error leaks. Real values committed to .env.example, .gitignore failing to apply to other directories, variants like .env.local slipping through ignore patterns — these cases happened constantly. In 2023 Toyota disclosed that credentials exposed on GitHub for five years had threatened the data of 296,019 vehicles.

Second, supply chain attacks. The December 2022 CircleCI breach, the January 2023 LastPass second breach, the September 2023 Microsoft AI Researcher SAS-token leak (38TB) — all of them shared the same root cause: "permanent credentials were baked directly into environment variables." Once leaked, rotation is hard, giving attackers unlimited time.

Third, the rise of AI coding agents. As tools like Claude Code, Cursor, and Aider started reading entire codebases, files with plaintext secrets became inherently dangerous. In 2025 OWASP added "Sensitive Information Disclosure in AI Context" to the LLM Top 10 v2.0.

The solution is simple. Separate secrets from code, store them in a rotatable and auditable external system, and issue only short-lived credentials via workload identity. This is the core principle of secrets management in 2026.

2. The Secrets Management Platform Map - Five Camps

As of May 2026, secrets management solutions fall into the following five categories.

Category	Representative Tools	Pricing Model	Where Used
Cloud SaaS	Doppler, Infisical, HCP Vault Secrets	per-user/per-seat	Startups, mid-size
Enterprise Vault	HashiCorp Vault, CyberArk Conjur, Akeyless	enterprise license	Finance, government
Cloud-Managed	AWS Secrets Manager, Azure Key Vault, GCP Secret Manager	per-secret/per-API	Single-cloud users
File-based GitOps	SOPS, age, git-crypt, Sealed Secrets	open source, free	K8s, GitOps
Password Manager Extension	1Password CLI, Bitwarden Secrets Manager	per-seat	Developer workflow

The key insight is "almost no company uses just one." Most teams combine 1Password for personal secrets, Doppler or Vault for team secrets, External Secrets Operator for K8s secrets, and cloud-managed services for KMS keys. The 2026 best practice is not a single tool but a "layered secrets architecture."

3. Doppler - The De Facto Standard for App Developers

Doppler (Brian Vallelunga, 2018~) is the market leader for cloud-native SaaS secrets management as of May 2026. Based in San Francisco, having raised $20M in Series B, with pricing at Developer$ 24/seat/mo, Team $52/seat/mo, and Enterprise on quote. Customers include Stripe, DoorDash, Instacart, Adobe, and Coca-Cola; estimated ARR is around$ 40M in 2025.

Doppler's core value is threefold. First, the doppler run wrapper. Environment variables are injected only into the child process, not the shell, eliminating .env files entirely. Second, automatic rotation. AWS IAM users, Stripe API keys, Twilio Auth tokens — these integrations rotate on 30/60/90-day schedules with the new values propagated across all environments. Third, environment separation. The same key name maps to different values in dev/stg/prod, with promotion between environments visualized like a GitHub Actions pipeline.

# Install Doppler CLI and log in
brew install dopplerhq/cli/doppler
doppler login

# Link a project
doppler setup --project my-app --config dev

# Set secrets
doppler secrets set DATABASE_URL=postgres://localhost/mydb
doppler secrets set STRIPE_API_KEY=sk_test_xxx

# Run the app - env vars injected from Doppler
doppler run -- npm run dev

# Promote to another environment
doppler secrets download --no-file --format env > .env.prod

In April 2026 Doppler GAed Doppler Workplace, which separates workspaces when the same person belongs to multiple companies, and Doppler Audit, which retains secrets access logs for 7 years for SOC 2 / ISO 27001 audit purposes.

4. Infisical - The Open Source + SaaS Balance

Infisical (Maidul Islam, Vladislav Matsiiako, 2022~) is the fastest-rising challenger to Doppler, an open-source-plus-SaaS hybrid. It has 16K GitHub stars and raised $15M in Series A in 2024. Pricing is Free, Pro$ 9/user/mo, Enterprise (includes self-hosted), and the dual ability to "self-host or use the SaaS" is frequently cited as the reason for adoption.

Infisical differentiates on four axes. First, its AGPL-3.0 licensed core allows legal, free self-hosting. Second, end-to-end encryption — client-side encryption ensures even Infisical's servers cannot see plaintext. Third, Universal Auth, a workload identity integration that consumes GitHub Actions, Kubernetes Service Account, and AWS IAM OIDC tokens directly and applies TTLs to issued credentials. Fourth, secret scanning plus broker functionality — infisical scan detects plaintext secrets in your codebase, and dynamic secret issuance (generating fresh database passwords on each request) is also supported.

# .infisical.json example
{
  "workspaceId": "your-workspace-id",
  "defaultEnvironment": "dev",
  "gitBranchToEnvironmentMapping": {
    "main": "prod",
    "staging": "staging",
    "develop": "dev"
  }
}

In March 2026 Infisical GAed Infisical PKI (private certificate management) and Infisical SSH (short-lived SSH certificate issuance), evolving into a "Secrets + PKI + SSH" unified platform. This is a direct attack on HashiCorp Vault's territory.

5. HashiCorp Vault - The Gold Standard of Enterprise Secrets (Post-IBM Acquisition)

HashiCorp Vault (2015~) is the de facto standard for enterprise secrets management. In April 2024 IBM announced the $6.4B acquisition of HashiCorp, completed in February 2025, bringing Vault into IBM's Software portfolio. The license switched from MPL to BSL (Business Source License) in August 2023, and OpenBao has emerged as an OSI-compatible fork.

Vault's core value differs in scale from other solutions. First, dynamic secrets — for PostgreSQL, MySQL, MongoDB, AWS, GCP, and others, Vault generates fresh credentials per request and revokes them after TTL expiry. Second, the Transit Engine — encryption-as-a-service that delegates encrypt/decrypt/sign/verify without exposing keys. Third, the PKI engine — internal CA that issues and rotates certificates. Fourth, 30+ auth methods — Kubernetes, AWS IAM, AppRole, OIDC, JWT, LDAP, AzureAD, GCP, and more.

# Vault Policy example - read-only on a specific secret
path "secret/data/app/production/*" {
  capabilities = ["read", "list"]
}

# Dynamic database credentials - only allow issuance through a role
path "database/creds/readonly" {
  capabilities = ["read"]
}

Vault 1.18 (released 2025) strengthened Workload Identity Federation, and HCP Vault Secrets (managed SaaS) has been repositioned to compete directly with Doppler at $0.50/secret/mo plus API call billing. Vault Enterprise is licensed per node, averaging$ 30,000~$80,000 per year.

6. HashiCorp Boundary - Adjacent Workload Identity + Session Management

Boundary (2020~) is Vault's sister product, focused not on secrets management itself but on "accessing infrastructure with short-lived credentials" — dynamic PAM (Privileged Access Management). For SSH, RDP, DB, and Kubernetes API targets, it opens "user to Boundary to target" sessions in brokered/proxied mode, combining with Vault's dynamic secrets to eliminate permanent SSH keys and permanent DB passwords.

Boundary 0.18 (2025) GAed Multi-Hop Session and Session Recording (SSH/RDP session video recording), satisfying SOC 2 Type 2 and PCI DSS 4.0 audit requirements. It competes with CyberArk PSM and Teleport.

7. AWS Secrets Manager + Parameter Store - The Two Pillars of Cloud-Native

AWS offers two secrets management solutions. AWS Secrets Manager is $0.40/secret/mo plus$ 0.05/10K API calls, with automatic rotation (Lambda-based rotation functions), KMS envelope encryption, and 7-year automated backups at its core. AWS Systems Manager Parameter Store has a free Standard tier (up to 10K parameters) and an Advanced tier at $0.05/parameter/mo; it lacks rotation but is cost-efficient for simple K/V.

In November 2025 AWS expanded Secrets Manager Multi-Region Replication to all regions and strengthened Cross-Account Access via Resource Policy. Managed databases like RDS, ElastiCache, and DocumentDB integrate with Secrets Manager to support 30/60/90-day automatic rotation.

# Fetch a secret with the AWS SDK (Python)
import boto3
import json

client = boto3.client('secretsmanager', region_name='us-east-1')
response = client.get_secret_value(SecretId='prod/db/credentials')
secret = json.loads(response['SecretString'])
db_url = f"postgres://{secret['username']}:{secret['password']}@{secret['host']}/{secret['dbname']}"

The selection guide is simple. If you need rotation, Secrets Manager. If you just need environment variables, Parameter Store. Both natively support IAM-role-based workload identity, letting EC2/ECS/EKS/Lambda fetch secrets without permanent credentials.

8. Azure Key Vault - Unified Secrets, Keys, and Certificates

Azure Key Vault handles three things in one service: Secrets, Keys, and Certificates. The Standard tier is $0.03/10K operations; the Premium tier (HSM-backed) is$ 1/key/mo plus operation costs. Azure Managed HSM (GA in 2025) is a single-tenant HSM pool with FIPS 140-2 Level 3 certification, targeting government and financial customers.

The core strength is Azure AD integration. Through Managed Identity (System-assigned or User-assigned), VMs, App Services, and AKS Pods access Key Vault without permanent credentials, with fine-grained access control via RBAC. Key Vault Reference is a feature that maps secrets directly into App Service environment variables, externalizing secrets without code changes.

9. Google Cloud Secret Manager - The Virtue of Simplicity

GCP Secret Manager is a relatively young service (GA in 2020), priced at $0.06/secret/mo plus$ 0.03/10K access operations. It is a simple K/V model with automatic rotation (triggered by Pub/Sub messages), versioning, and IAM integration.

The differentiator is the maturity of Workload Identity Federation. GCP can map any external identity provider — GitHub Actions, GitLab CI, Azure AD, any OIDC — to a GCP Service Account, letting non-GCP environments access GCP resources without permanent keys. Secret Manager Regional Replication (GA 2025) satisfies EU data residency requirements.

# Fetch a secret from GCP Secret Manager
from google.cloud import secretmanager

client = secretmanager.SecretManagerServiceClient()
name = "projects/my-project/secrets/db-password/versions/latest"
response = client.access_secret_version(request={"name": name})
db_password = response.payload.data.decode("UTF-8")

10. Akeyless - The Vaultless Challenger

Akeyless (Refael Angel, Shai Onn, 2018~) differentiates with the "vaultless" marketing message. Based in Tel Aviv, having raised $65M in Series B in 2022, with enterprise customers including JPMorgan and Cisco. The core is DFC (Distributed Fragments Cryptography) — secrets are split into multiple fragments distributed across different clouds/regions, with no single fragment recoverable on its own.

Functional scope is nearly identical to Vault (secrets, dynamic credentials, PKI, SSH, encryption-as-a-service). Pricing is SaaS-based starting at $0.85/secret/mo. The advantage over Vault is "no self-hosting needed (already distributed)"; the disadvantage is a weaker open-source community.

11. CyberArk Conjur + Conjur Open Source - The PAM Leader's Secrets Extension

CyberArk Conjur is the secrets management product that CyberArk (the #1 enterprise PAM vendor) acquired in 2017. Conjur Open Source is free; Conjur Enterprise is sold bundled with other CyberArk products like PAM and Endpoint Privilege Manager.

Conjur's differentiator is Policy-as-Code. A YAML-based policy language declaratively defines secrets, users, hosts, and permissions, version-controlled in Git. Native Kubernetes integration via the Kubernetes Authenticator is strong, and Conjur forms a two-horse race with Vault in the finance/government market.

12. Delinea Secret Server (formerly Thycotic) + BeyondTrust Password Safe

Thycotic Secret Server merged with Centrify in 2021 and rebranded as Delinea. A traditional powerhouse in the Windows-centric PAM market, with strong Active Directory integration and RDP session management. BeyondTrust Password Safe competes in the same Windows-centric PAM market.

These two solutions are "Windows-admin workflow first, developer workflow second," giving them a different feel from Doppler/Infisical/Vault. They fit environments heavy in Windows servers in finance and government, where REST API and CLI automation are secondary priorities.

13. SOPS (Mozilla) - The Standard for YAML/JSON Encryption

SOPS (Secrets OPerationS, Mozilla 2017~) is a tool that partially encrypts the values inside YAML, JSON, ENV, INI, and Binary files. Key names stay in plaintext while only values are encrypted, making Git diffs meaningful. Backend KMS support includes AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, PGP, and AGE (recommended).

# Plaintext secret
database:
  url: postgres://user:secret_password@host/db
  api_key: sk_live_abc123

# After running sops -e --age pubkey secrets.yaml
database:
    url: ENC[AES256_GCM,data:aBcDeFgH...,iv:...,tag:...,type:str]
    api_key: ENC[AES256_GCM,data:...,iv:...,tag:...,type:str]
sops:
    age:
        - recipient: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
          enc: |
              -----BEGIN AGE ENCRYPTED FILE-----
              ...
              -----END AGE ENCRYPTED FILE-----

SOPS's core strength is GitOps friendliness. GitOps tools like ArgoCD and Flux integrate with SOPS to commit encrypted secrets in K8s manifests and decrypt only inside the cluster. After graduating from CNCF Sandbox, SOPS transitioned to an Independent project in 2024 and is now maintained by the GetSops/sops organization.

14. age (Filippo Valsorda) - Modern File Encryption

age (2019~, Filippo Valsorda) is a modern file encryption tool built to reject GPG's complexity. It uses a single algorithm (X25519 + ChaCha20-Poly1305), key files are simple text files like sshkeygen, and the CLI ends at age -r recipient.

age combined with SOPS is the de facto standard for GitOps secret encryption in 2026. Designate a single user/team key as a SOPS recipient and SOPS automatically delegates to age. age itself is under 1MB as a single binary, with both Go and Rust implementations.

# Generate an age key
age-keygen -o key.txt
# Public key: age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p

# Encrypt a file
age -r age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p secrets.txt > secrets.txt.age

# SSH keys can also be used as recipients
age -R ~/.ssh/authorized_keys secrets.txt > secrets.txt.age

rage (2024 release, Rust implementation by Jack Grigg) is one of age's reference implementations, with memory safety as a strength and sharing the same key format.

15. git-crypt + BlackBox - Git-integrated Encryption

git-crypt (2013~, Andrew Ayer) transparently encrypts specific files inside a Git repository with GPG keys. Specifying secret.yaml filter=git-crypt diff=git-crypt in .gitattributes triggers automatic encryption on commit and automatic decryption on checkout. Unlike SOPS it encrypts entire files, with the drawback that diffs become meaningless.

BlackBox (StackExchange, 2014~) is a similar but older tool, integrating GPG-based file encryption into Git workflows. Both tools are gradually being displaced by SOPS + age combinations in 2026.

16. Sealed Secrets (Bitnami) - Kubernetes-native GitOps

Sealed Secrets (Bitnami/VMware, 2018~) is a K8s-native secrets encryption solution. After installing a controller in the cluster, the controller generates an X.509 keypair, and developers seal plaintext Secrets into SealedSecrets using the kubeseal CLI. The sealed SealedSecret is safely committed to GitHub, with the controller decrypting it only inside the cluster to materialize the real Secret.

# Create plaintext Secret and seal with kubeseal
kubectl create secret generic db-creds --from-literal=password=secret123 --dry-run=client -o yaml \
  | kubeseal --controller-namespace kube-system -o yaml > db-creds-sealed.yaml

# Safely commit the sealed manifest
git add db-creds-sealed.yaml
git commit -m "Add encrypted DB credentials"

The downside of Sealed Secrets is that controller key rotation and cross-cluster secret migration are awkward. External Secrets Operator emerged to address this.

17. External Secrets Operator (ESO) - Abstraction over External Backends

External Secrets Operator (ESO, 2021~) is a K8s controller that abstracts external secret managers (AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, HashiCorp Vault, Doppler, Infisical, 1Password, Bitwarden — over 30 backends). Developers just define an ExternalSecret custom resource declaring "sync this external secret into a K8s Secret."

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: production
spec:
  refreshInterval: 1h
  secretStoreRef:
    name: aws-secrets-manager
    kind: ClusterSecretStore
  target:
    name: db-creds
    creationPolicy: Owner
  data:
    - secretKey: password
      remoteRef:
        key: prod/db/credentials
        property: password

After graduating CNCF Sandbox in 2024 and being promoted to Incubating in 2025, ESO has become the de facto standard for K8s secret patterns. v0.10 GAed in May 2026 supports push mode (K8s Secret to external backend) and generators (dynamic credential creation).

18. Vault Secrets Operator + CSI Secret Store Driver - K8s Secret Injection Patterns

HashiCorp's Vault Secrets Operator (VSO) is a Vault-specific version of ESO, exposing Vault's advanced features (dynamic secrets, PKI, Transit) directly as K8s CRs. Compared to ESO it has deeper Vault integration, but the constraint is that only Vault can be used.

The CSI Secret Store Driver (Microsoft/Azure led, Kubernetes SIG-Auth) takes a different approach. Instead of converting secrets into K8s Secret objects, it mounts them directly into Pod volumes. Since plaintext is never stored in etcd, secrets remain protected even if etcd is compromised. AWS, GCP, Azure, and Vault are officially supported providers.

Selection guide: If diversity of external secret managers matters, ESO. If you need Vault depth, VSO. If you do not want secrets in etcd, CSI Driver. Many teams operate the combination of ESO + CSI Driver.

19. 1Password CLI + Secrets Automation + SDKs - Penetrating Developer Workflows

1Password (AgileBits, 1Password Inc., 2006~) entered the developer secrets market in earnest by launching Secrets Automation in 2022. The op CLI lets you reference 1Password vault items directly from the shell, Connect Server (a self-hosted REST API) enables CI/CD integration, and the 1Password SDKs for Go, Python, and JS (released 2024) allow fetching secrets directly from code.

# Run with op CLI injecting secrets into env vars
op run --env-file .env -- npm start

# .env file contents
DATABASE_URL=op://Production/Database/url
STRIPE_KEY=op://Production/Stripe/api_key

1Password's strength is extending a password manager the team already uses into a secrets manager. No new tool to learn, and 1Password Business ($7.99/user/mo) includes Secrets Automation. The weakness is that advanced features like automatic rotation and dynamic secrets are limited.

20. Bitwarden Secrets Manager + bws CLI - Open Source and Reasonable Pricing

Bitwarden (8bit Solutions, 2016~) launched Secrets Manager as a separate product in 2023. Personal use is free; Teams is $6/user/mo plus$ 0.40/secret/mo; Enterprise is $12/user/mo. About 30% cheaper than 1Password, with the server code under GPL-3.0 allowing self-hosting.

The bws CLI provides nearly identical workflows to op, with integrations ready for GitHub Actions, GitLab CI, Jenkins, and Kubernetes. As Vaultwarden (an unofficial Rust implementation) gained popularity as a self-host option in 2024, it has become the alternative for "teams burdened by 1Password license costs."

21. LastPass / Dashlane / Keeper - The Position After the Breaches

LastPass suffered two breaches in August and December 2022 (the December breach particularly leaked the entire encrypted vault data) which severely shook trust, and in 2024 multi-LastPass-user crypto thefts were traced and reported. Despite this, LastPass Business ($7/user/mo) is still in use, but its share in the developer secrets manager market is shrinking rapidly compared to 1Password and Bitwarden.

Other password managers like Dashlane, Keeper, and Roboform have added Secrets Manager features, but their developer workflow integration depth lags 1Password and Bitwarden.

22. dotenv-vault, doppler run, vault agent, direnv - Workflow Integration Patterns

Often "how secrets are injected into the app" matters more than the secrets manager itself. The four major patterns in 2026 are as follows.

dotenv-vault (Mot, 2022~) keeps .env files in place but converts them into encrypted .env.vault files that can be committed to Git. A client SDK receives per-environment decryption keys at runtime to decrypt. It is the path of least friction for retaining .env workflows.

The doppler run / infisical run / op run patterns inject env vars into child processes without polluting the shell. The safest pattern in CI/CD.

Vault Agent runs as a sidecar, fetching secrets from Vault and exposing them as files or environment variables. Most often deployed as a K8s Init Container or Sidecar.

The direnv + sops combination joins directory-scoped auto-loaded env vars (direnv) with GitOps-friendly encryption (sops) into a developer-friendly pattern. Particularly popular among NixOS users.

23. gopass, pass, and UNIX Classic Alternatives

The UNIX classic pass (2012~, Jason Donenfeld) is the simplest model — GPG-encrypted text files stored in a directory tree. Commands like pass insert facebook/myemail add secrets, and the entire store can be committed to a Git repository as-is.

gopass (2017~) is a Go implementation that maintains compatibility with pass while adding multi-key, multi-mount, OTP, and autocompletion for team use. Still used in small teams as a self-host option. The weakness is the absence of enterprise features like rotation and auditing.

24. GitGuardian, TruffleHog, gitleaks - Secret Scanning (Detection)

Finding plaintext secrets already in your codebase is a separate industry. GitGuardian (Paris, 2017~) is the market leader, detecting 350+ secret types with GitHub/GitLab/Bitbucket integration and automatic alerting/rotation workflows. Pricing starts at Business $42/dev/mo.

TruffleHog (Truffle Security, 2017~) is an open-source-plus-commercial hybrid, supporting self-hosting and detecting 700+ secret types. The CLI is free; the commercial version adds verification (calling the API to confirm a found key is actually valid).

gitleaks (Zach Rice, 2018~) is a fully open-source single-binary tool, commonly used in pre-commit hooks and CI integration. Pattern definition files (.gitleaks.toml) make customization easy.

# Scan a codebase with gitleaks
gitleaks detect --source . --verbose

# Block secret commits via pre-commit hook
cat > .git/hooks/pre-commit <<EOF
#!/bin/sh
gitleaks protect --staged --verbose
EOF
chmod +x .git/hooks/pre-commit

25. GitHub Secret Scanning + Push Protection, GitLab Secret Detection, Spectral

GitHub's Secret Scanning is free for public repos or available with a GitHub Advanced Security license, detecting 200+ token types via GitHub-managed patterns and notifying issuers directly. Push Protection (GAed 2023) blocks pushes containing secrets outright, shifting the paradigm from "rotate after the leak" to "stop the leak itself."

GitLab bundles Secret Detection in its Ultimate tier, while Spectral (acquired by Check Point, 2021~) offers SaaS secret scanning similar to GitGuardian.

The 2026 best practice is "push protection to block ahead + scanning to detect afterward + automated rotation workflows" — a three-layer defense.

26. KMS - AWS KMS, GCP KMS, Azure Key Vault HSM, Vault Transit

Beneath secret managers sits a deeper layer, Key Management Service (KMS). KMS manages not the secret itself but the keys that encrypt the secret. In the envelope encryption pattern, the KMS master key is never exposed; only data keys (DEKs) are used for issuance, encryption, and decryption.

AWS KMS charges $1/key/mo plus$ 0.03/10K API calls. GCP KMS and Azure Key Vault HSM are similarly priced. The HashiCorp Vault Transit Engine is encryption-as-a-service that delivers the same pattern in a self-hosted form.

YubiHSM 2 (Yubico) is a USB-form hardware HSM at around $650, well suited to a small team's root CA key storage. Cloudflare Keyless SSL is a model that delegates only TLS handshake signing while keeping the private key inside the customer's datacenter, never exposed to Cloudflare.

27. OIDC, Workload Identity, SPIFFE/SPIRE - A Secret-less Future

The real direction of secrets management in 2026 is "not managing secrets better but using workload identity that needs no secrets at all."

The GitHub OIDC + AWS IAM OIDC Trust pattern is the most widely adopted. AWS IAM trusts the short-lived JWT issued by GitHub Actions, allowing Actions to access AWS resources without an AWS Access Key. In 2024 GitLab CI, CircleCI, Buildkite, and Bitbucket Pipelines all adopted the same OIDC pattern.

SPIFFE/SPIRE (CNCF Graduated, 2022) is the industry standard for workload identity. It issues short-lived X.509 or JWT SVIDs (SPIFFE Verifiable Identity Documents) to workloads, enabling mTLS and authorization between workloads without pre-baked secrets.

Pomerium, Teleport, and OPA (Open Policy Agent) handle policy-based access control in adjacent territory. Teleport in particular offers short-lived certificate-based access to SSH, Kubernetes, DB, and web apps, frequently used to eliminate permanent SSH keys.

28. Mobile + Frontend - Expo Secrets, React Native Keychain, Capacitor

Mobile and frontend require different secret models. Build-time secrets (API keys), runtime secrets (user tokens), and keychain secrets (biometric-protected credentials) each need different handling.

Expo Secrets and EAS Secrets separately handle build-time and runtime environment variables for React Native apps. React Native Keychain (oblador) unifies iOS Keychain and Android Keystore behind a single API. Capacitor Secure Storage (Ionic) plays the same role in Capacitor apps.

Browser frontends have almost no way to safely store secrets on their own. The best practice is "do not put secrets in the browser; hide all secret use behind a server API." JWTs in HttpOnly+Secure cookies, OAuth tokens behind the BFF (Backend-for-Frontend) pattern.

29. Compliance - SOC 2, PCI DSS 4.0, ISO 27001:2022, FedRAMP, HIPAA

Secrets management is not just a technology problem but a compliance requirement. The major requirements as of May 2026 are as follows.

SOC 2 Type 2 requires 7-year retention of secrets access logs, quarterly access reviews, and automatic rotation. PCI DSS 4.0 (effective March 2024) added stronger requirements including key rotation within 1 year, HSM usage, and dual control of key storage. ISO 27001:2022 addresses secrets management directly in Annex A.8.24 (use and protection of keys) and A.5.16 (identity management).

FedRAMP High requires HSMs at FIPS 140-2 Level 3 or above, separate key storage, and multiple authorized administrators for US government systems, while HIPAA requires keeping all PHI-access secret-use logs for at least 6 years.

Tool selection requires checking compliance certifications. AWS Secrets Manager, GCP Secret Manager, Azure Key Vault, and HashiCorp Vault Enterprise all hold SOC 2 / ISO 27001 / FedRAMP. Doppler and Infisical also hold SOC 2 Type 2.

30. Korean Adoption - NAVER, KAKAO, NCSOFT, FSI

NAVER Cloud Secret Manager (GA 2022) is the NAVER Cloud Platform internal service integrated with KMS. Inside NAVER, a self-developed secrets management platform is used, while NAVER Cloud Secret Manager is offered to external customers.

KAKAOENT (Kakao Entertainment) operates HashiCorp Vault on top of its own KMS infrastructure, a case presented at if(kakao) 2024. The Vault setup is multi-tenant to unify management across game and entertainment subsidiaries.

Major Korean tech companies like NCSOFT, KakaoBank, and Toss (Viva Republica) mostly run Vault or their own solutions. The Financial Security Institute's (FSI) "Electronic Financial Supervision Regulations" and "Cloud Usage Guidelines for the Financial Sector" define the de facto standard requirements for Korean financial secrets management. Requirements include key rotation cycles, separate key storage, and additional controls when using cloud KMS.

31. Japanese Adoption - Sakura Cloud, Mercari, Smartbank, NTT

Sakura Cloud Secret Manager (GA 2023) is a domestic-cloud secret manager in Japan, targeting government and financial customers with strong data residency (domestic storage) requirements. Mercari and Smartbank are known to operate GCP Secret Manager + HashiCorp Vault combinations, and Mercari published a Vault workload identity migration case in its 2024 Engineering Blog.

NTT Communications offers its own secrets management service, integrated into the Japanese Government Cloud (政府共通プラットフォーム). Companies like DeNA, CyberAgent, and LINE Yahoo have also publicly presented Vault-based operational cases.

A peculiarity of the Japanese market is APPI (Act on the Protection of Personal Information) and data residency requirements. AWS Secrets Manager Tokyo region and GCP Secret Manager Tokyo/Osaka regions are often mandated, and domestic provider solutions like Sakura Cloud or IIJ hold higher share than cloud-wide averages.

32. Real Incidents - Uber 2022, Microsoft AI 38TB, CircleCI 2023

Three major incidents from 2022 to 2023 shifted the secrets management paradigm.

Uber September 2022 breach — an attacker who phished a contractor's credentials discovered PAM (Thycotic) admin credentials baked into an internal Uber PowerShell script, kicking off the breach. This granted access to nearly every system including G-Suite, AWS, Slack, and GitHub. The lesson was "do not bake permanent credentials into automation scripts; use workload identity instead."

Microsoft AI Researcher SAS token leak (discovered June 2023, disclosed September 2023) — an Azure Storage SAS URL used by a Microsoft AI researcher to publish model weights on GitHub effectively granted write permissions to the entire container with no expiration. 38TB of internal data (personal files, passwords, 30K+ Teams messages) was externally exposed for over a year. The lessons were "never create non-expiring credentials like SAS tokens" and "use automated secret scanning to detect credential leaks."

CircleCI January 2023 breach — malware on a CircleCI employee's laptop stole session cookies, bypassed MFA, accessed internal systems, and exposed every customer's environment variables and contexts. CircleCI requested all customers rotate their secrets, and this incident accelerated the pattern shift toward "do not store plaintext secrets in CI/CD systems; inject dynamically via external secret managers."

33. Cost Comparison - Real Pricing (May 2026)

Assuming a 100-developer team, 10K secrets, and 1M secret accesses per month.

Solution	Monthly Cost (USD)	Notes
Doppler Team	$5,200	$52 × 100 seats
Infisical Pro	$900	$9 × 100 users
HCP Vault Secrets	$5,000 + API	$0.50 × 10K secrets
Vault Enterprise	$6,000~	Per-node license
AWS Secrets Manager	$4,050	$0.40 × 10K + API
GCP Secret Manager	$630	$0.06 × 10K + API
Azure Key Vault	$300~	Operation-based
1Password Business	$800	$7.99 × 100
Bitwarden Teams	$4,600	$6 × 100 +$ 0.40 × 10K
SOPS + age	$0	Open source, infra cost only

Pure pricing favors SOPS + age overwhelmingly, but factoring in operational overhead (key rotation, member churn key redistribution, GitOps integration), Doppler/Infisical-class SaaS can be cheaper overall.

34. Decision Tree - Which Solution to Choose

A guide by scale and compliance needs.

1-10 person startup — 1Password Business + GitHub Actions OIDC combination. Covers 80% without additional tools. When you need secret rotation, add Doppler Developer ($24).

10-100 person Series-B-plus startup — Doppler Team or Infisical Pro. If running K8s, ESO with the same backend. Secret scanning via gitleaks (free) + GitHub Push Protection.

100-1000 person growth stage — Doppler/Infisical as primary, with AWS Secrets Manager integrated directly into AWS-native workloads like RDS and ECS. Secret scanning via GitGuardian or commercial TruffleHog.

1000+ enterprise, finance/government — HashiCorp Vault Enterprise + Boundary + HCP Vault. SPIFFE/SPIRE for workload identity integration. CyberArk Conjur worth reviewing if combined with PAM. Compliance (SOC 2 / PCI / FedRAMP) certifications are mandatory.

K8s-centric teams — External Secrets Operator + (Doppler / Infisical / AWS Secrets Manager / Vault). Sealed Secrets only for simple cases; if GitOps friendliness is core, SOPS + age + ArgoCD.

35. Migration Guide - From .env to a Secrets Manager

Six steps to migrate an existing .env-based project to a secrets manager.

Scan and clean up — run gitleaks detect to find secrets already committed and rotate them immediately on discovery. Removing history with git filter-repo is a secondary measure — once leaked, rotation comes first.
Choose and set up a secrets manager — pick a tool using the decision tree above. Both Doppler and Infisical offer free tiers for PoC.
Define the developer workflow — choose a wrapper like doppler run, infisical run, or op run and integrate it into package.json or Makefile.
Migrate CI/CD — move GitHub Actions Secrets into the manager and switch to issuing only short-lived credentials via OIDC. Replace all permanent credentials (AWS Access Key, GCP Service Account Key) with OIDC.
Migrate production workloads — if K8s, install ESO and progressively convert Secrets to ExternalSecrets. If ECS/Lambda, replace env var references with Secrets Manager ARNs.
Verify and operate — set up monitoring and alerting. Register rotation schedules, automate quarterly access reviews, and integrate secret scanning into CI.

36. Closing - The Principles of 2026 Secrets Management

Closing with five principles of secrets management for 2026.

First, separate secrets from code. .env files only in local development; every other environment receives injected values from a manager.

Second, eliminate permanent credentials via workload identity. GitHub OIDC, AWS IAM Roles, GCP Workload Identity, SPIFFE/SPIRE — use short-lived authentication everywhere it is possible.

Third, automatic rotation applied to all database credentials, API keys, and TLS certificates. Secrets that cannot be rotated should be banned from use.

Fourth, dual defense of preemptive block plus post-detection. Push Protection and secret scanning together block and detect leaks.

Fifth, automate auditing and review. Send all secrets access logs to a SIEM and auto-trigger quarterly access reviews.

Secrets are not a "storage" problem but a "lifecycle" problem. A platform that automatically handles the full process — issuance, use, rotation, and decommissioning — is the 2026 standard.

References

Doppler — Pricing and Documentation: https://www.doppler.com/pricing
Infisical — Open Source Secrets Management: https://infisical.com/
HashiCorp Vault — Documentation: https://developer.hashicorp.com/vault
HashiCorp Boundary — Documentation: https://developer.hashicorp.com/boundary
HCP Vault Secrets — Product Page: https://www.hashicorp.com/products/vault/secrets-management
IBM Acquisition of HashiCorp — Press Release: https://newsroom.ibm.com/2024-04-24-IBM-To-Acquire-HashiCorp-Inc-Creating-a-Comprehensive-End-to-End-Hybrid-Cloud-Platform
AWS Secrets Manager — Documentation: https://docs.aws.amazon.com/secretsmanager/
AWS Systems Manager Parameter Store — Documentation: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-parameter-store.html
Azure Key Vault — Documentation: https://learn.microsoft.com/en-us/azure/key-vault/
Google Cloud Secret Manager — Documentation: https://cloud.google.com/secret-manager/docs
Akeyless — DFC Whitepaper: https://www.akeyless.io/distributed-fragments-cryptography/
CyberArk Conjur — Open Source: https://www.conjur.org/
SOPS — GitHub: https://github.com/getsops/sops
age — GitHub (Filippo Valsorda): https://github.com/FiloSottile/age
git-crypt — GitHub: https://github.com/AGWA/git-crypt
Sealed Secrets — GitHub (Bitnami): https://github.com/bitnami-labs/sealed-secrets
External Secrets Operator — Documentation: https://external-secrets.io/
Vault Secrets Operator — HashiCorp Docs: https://developer.hashicorp.com/vault/docs/platform/k8s/vso
CSI Secret Store Driver — GitHub: https://github.com/kubernetes-sigs/secrets-store-csi-driver
1Password Developer — Documentation: https://developer.1password.com/
Bitwarden Secrets Manager — Product Page: https://bitwarden.com/products/secrets-manager/
GitGuardian — State of Secrets Sprawl Report 2025: https://www.gitguardian.com/state-of-secrets-sprawl-report-2025
TruffleHog — GitHub: https://github.com/trufflesecurity/trufflehog
gitleaks — GitHub: https://github.com/gitleaks/gitleaks
GitHub Secret Scanning + Push Protection: https://docs.github.com/en/code-security/secret-scanning
SPIFFE/SPIRE — CNCF Graduated Project: https://spiffe.io/
Teleport — Documentation: https://goteleport.com/docs/
Microsoft AI SAS Token Leak (Wiz Research, 2023): https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers
CircleCI Security Incident Report (January 2023): https://circleci.com/blog/jan-4-2023-incident-report/
Uber 2022 Breach — Statement: https://www.uber.com/newsroom/security-update
PCI DSS 4.0 — PCI Security Standards Council: https://www.pcisecuritystandards.org/document_library/
NAVER Cloud Secret Manager — Official Documentation: https://www.ncloud.com/product/security/secretManager
Mercari Engineering — Vault Migration Blog: https://engineering.mercari.com/en/blog/
Financial Security Institute (FSI) — Cloud Usage Guidelines: https://www.fsec.or.kr/