Best open-source secrets management tools

Open-source secrets management tools you can self-host and inspect. A neutral list of the open-source secrets management options in our directory, compared on capabilities, deployment, and sources. We do not crown a single winner; tools are listed alphabetically.

9 tools listed | 2026 | No editorial scoring

What this shortlist looks at

Tools listed here

Bitwarden (Business)

Security-conscious organizations wanting an affordable, auditable, and self-hostable password manager

Open-source enterprise password manager with self-hosting and transparent security

cert-manager

Any Kubernetes team that needs TLS, which is nearly all of them

Kubernetes certificate controller supporting Let's Encrypt, Vault, and more

CyberArk Conjur

Large enterprises with complex compliance and PAM requirements

Enterprise privileged access and secrets management platform

External Secrets Operator

Kubernetes teams that want to use cloud-native or Vault secrets directly in pods

K8s operator that syncs secrets from external stores into Kubernetes Secrets

HashiCorp Vault

Teams needing flexible, self-hosted secrets management with extensive plugin ecosystem

Industry-standard open-source secrets management platform

Infisical

Teams wanting open-source with a modern developer experience

Open-source end-to-end encrypted secrets management for teams

Sealed Secrets

Small-to-medium Kubernetes teams doing pure GitOps without a separate secrets backend

Encrypt Kubernetes secrets into a format safe to store in Git

SOPS

Infrastructure-as-code teams that want encrypted-in-Git secrets with a simple CLI

CLI tool for encrypting YAML/JSON/ENV files with KMS, age, or PGP

SPIFFE / SPIRE

Platform teams running microservices at scale that need to replace static service credentials

Workload identity standard: short-lived SVIDs replace shared service secrets
