Secrets Management: 19 Tools compared

Managing API keys, database credentials, certificates, and machine identities across CI/CD pipelines, Kubernetes clusters, and cloud infrastructure. Whether you need enterprise-grade compliance, open-source flexibility, or cloud-native…

19 tools|Updated March 2026

Quick comparison

All secrets management tools side by side, alphabetical.

ToolDeploymentPricing modelOpen sourceStandards / certs
1Password (Business)CloudPer-userSOC 2 Type IIISO 27001
AkeylessCloudCustom enterpriseISO 27001SOC 2FIPS 140-3
AWS Secrets ManagerCloudPer-secretSOC 2ISO 27001PCI DSS
Azure Key VaultCloudPer-operation
Bitwarden (Business)Cloud + Self-hostedPer-userYesISO 27001SOC 2 Type IISOC 3
cert-managerSelf-hostedOpen SourceYes
CyberArk ConjurCloud + Self-hostedEnterprise licenseYes
Delinea Secret ServerCloud + Self-hostedAnnual licenseSOC 2 Type IIISO 27001
DopplerCloudPer-userSOC 2 Type IIISO 27001
External Secrets OperatorSelf-hostedOpen SourceYes
Google Cloud Secret ManagerCloudPer-operationSOC 2ISO 27001FedRAMP
HashiCorp VaultCloud + Self-hostedOpen Source + EnterpriseYesSOC 2 Type IIISO 27001PCI DSS
InfisicalCloud + Self-hostedPer-userYesSOC 2HIPAAFIPS 140-3
Keeper (Business)CloudPer-user
Pulumi ESCCloudPer-user tiersSOC 2 Type 2
Sealed SecretsSelf-hostedOpen SourceYes
SOPSSelf-hostedOpen SourceYes
SPIFFE / SPIRESelf-hostedOpen SourceYes
SplitSecureCloud + Self-hostedTiered (free / per-seat / enterprise)

1Password (Business)

Developer Platform
Best fit for

Teams wanting combined password management and developer secrets automation

1Password for Business extends the popular password manager into secrets automation for development teams. It provides secure credential sharing, CI/CD secrets injection, SSH key management, and service account tokens for automated workflows.

Pricing

Business from $7.99/user/month

Per-user

Deployment

Cloud

Standards & certifications

SOC 2 Type IIISO 27001

Akeyless

Secrets Management
Best fit for

SaaS-based zero-knowledge secrets management platform

Akeyless is a SaaS-based secrets management platform that uses a proprietary zero-knowledge encryption architecture called DFC (Distributed Fragments Cryptography). It provides centralized credential management, dynamic secrets, automatic rotation, and secure remote access across hybrid and multi-cloud environments.

Pricing

Custom pricing / Free community tier

Custom enterprise

Deployment

Cloud

Standards & certifications

ISO 27001SOC 2FIPS 140-3PCI DSS
Best fit for

Teams already on AWS who want native integration

AWS Secrets Manager is a fully managed service that helps you protect access to your applications, services, and IT resources. It enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle.

Pricing

$0.40/secret/month + $0.05/10k API calls

Per-secret

Deployment

Cloud

Standards & certifications

SOC 2ISO 27001PCI DSSHIPAAFedRAMP

Azure Key Vault

Cloud-Native
Best fit for

Microsoft and Azure-centric organizations

Azure Key Vault is Microsoft's cloud service for securely storing and accessing secrets, keys, and certificates. It provides centralized secrets management with full control over access policies, and integrates deeply with Azure services and Active Directory.

Pricing

Secrets: $0.03/10k operations / Keys: from $1/key/month

Per-operation

Deployment

Cloud

Bitwarden (Business)

Enterprise Password Management
Best fit for

Security-conscious organizations wanting an affordable, auditable, and self-hostable password manager

Bitwarden is an open-source password management solution trusted by millions of users and thousands of organizations worldwide. The business tier provides enterprise-grade credential management with end-to-end encryption, flexible self-hosting options, and deep integration with identity providers. Its transparent, auditable codebase and affordable per-user pricing make it a compelling alternative to proprietary password managers for security-conscious organizations.

Pricing

Teams from $4/user/month / Enterprise from $6/user/month

Per-user

Deployment

CloudSelf-HostedOpen Source

Standards & certifications

ISO 27001SOC 2 Type IISOC 3HIPAA

cert-manager

Secrets Management
Best fit for

Any Kubernetes team that needs TLS. Which is nearly all of them

cert-manager is a widely used Kubernetes controller for X.509 certificate management. It automates the issuance and renewal of certificates from Let's Encrypt, HashiCorp Vault, Venafi, AWS Private CA, Google CAS, and internal CA setups. cert-manager is a CNCF Graduated project originally built by Jetstack, and it's the go-to tool for any team running TLS on Kubernetes.

Pricing

Free (open source); enterprise support from Venafi/CyberArk

Open Source

Deployment

Self-HostedOpen Source

CyberArk Conjur

Enterprise
Best fit for

Large enterprises with complex compliance and PAM requirements

CyberArk Conjur is an enterprise-grade secrets management solution that secures secrets used by machine identities. Part of the CyberArk Identity Security Platform, it provides centralized secrets management with policy-as-code and deep DevOps integration.

Pricing

Open source Community edition free. Enterprise reference: Conjur Cloud about $845 per workload identity/yr (base about $84,500/yr for 100 identities; Texas DIR reseller pricelist, 2023). Full enterprise pricing on request.

Enterprise license

Deployment

CloudSelf-HostedOpen Source
Best fit for

Enterprises focused on privileged access management and compliance

Delinea Secret Server is an enterprise privileged access management (PAM) solution that stores, controls, and audits access to privileged credentials. It provides automated password rotation, session monitoring, and compliance reporting for large organizations.

Pricing

Quote-based. Published list: Secret Server Cloud Professional from about GBP 348 per user/yr, Platinum from about GBP 1,253 per user/yr (UK G-Cloud 14, 2024; ex-VAT). Contact the vendor for USD/commercial pricing.

Annual license

Deployment

CloudSelf-Hosted

Standards & certifications

SOC 2 Type IIISO 27001

Doppler

Developer Platform
Best fit for

Development teams wanting a simple, modern secrets workflow

Doppler is a developer-first secrets management platform that centralizes environment variables and secrets across all your applications. It provides a universal secrets manager that syncs across local dev, CI/CD, staging, and production environments.

Pricing

See the vendor site for current pricing.

Per-user

Deployment

Cloud

Standards & certifications

SOC 2 Type IIISO 27001

External Secrets Operator

Secrets Management
Best fit for

Kubernetes teams that want to use cloud-native or Vault secrets directly in pods

External Secrets Operator (ESO) is a Kubernetes operator that syncs secrets from external stores (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, Azure Key Vault, 1Password, and many more) into native Kubernetes Secrets. It is the de facto standard for integrating external secret backends with Kubernetes workloads, with broad community adoption and graduated CNCF status.

Pricing

Free (open source)

Open Source

Deployment

Self-HostedOpen Source
Best fit for

Teams running workloads on Google Cloud Platform

Google Cloud Secret Manager is a secure and convenient storage system for API keys, passwords, certificates, and other sensitive data. It provides a central place to manage, access, and audit secrets across Google Cloud with automatic versioning.

Pricing

Free tier: 6 active secret versions + 10k access operations + 3 rotation notifications/month; then $0.06 per active secret version/month and $0.03 per 10,000 access operations

Per-operation

Deployment

Cloud

Standards & certifications

SOC 2ISO 27001FedRAMPHIPAA

HashiCorp Vault

Open Source
Best fit for

Teams needing flexible, self-hosted secrets management with extensive plugin ecosystem

HashiCorp Vault is a widely adopted open-source secrets management tool. It provides a unified interface for managing secrets, encrypting data in transit, and controlling access to sensitive information across distributed infrastructure. Vault supports dynamic secrets, leasing, and revocation.

Pricing

Free self-managed Community edition (Business Source License, not true OSS); HCP Vault Dedicated managed cloud from $0.03/hr (about $22/mo) Development tier (HCP rates as of 2022; tiers have since been renamed, verify current pricing), production tiers from about $1.58/cluster-hr plus per-client fees; Vault Enterprise self-managed license is quote-only (contact sales).

Open Source + Enterprise

Deployment

CloudSelf-HostedOpen Source

Standards & certifications

SOC 2 Type IIISO 27001PCI DSS

Infisical

Open Source
Best fit for

Teams wanting open-source with a modern developer experience

Infisical is an open-source secrets management platform built for modern development teams. It provides end-to-end encrypted secret syncing, automatic secret rotation, and integrations with popular development tools and cloud platforms.

Pricing

Free (self-hosted or Cloud); paid Cloud (Pro) from $18/mo per identity; Enterprise custom

Per-user

Deployment

CloudSelf-HostedOpen Source

Standards & certifications

SOC 2HIPAAFIPS 140-3

Keeper (Business)

Enterprise Password Management
Best fit for

Compliance-focused enterprises needing zero-knowledge security and dark web monitoring

Keeper Security is a zero-knowledge enterprise password management and secrets management platform designed for organizations with strict security and compliance requirements. It offers encrypted vault storage, dark web monitoring through BreachWatch, privileged access management, and robust admin controls. Keeper is SOC 2 and ISO 27001 certified and supports granular role-based policies for managing credentials across large teams.

Pricing

Business Starter from $2/user/month / Business from $3.75/user/month / Enterprise custom pricing

Per-user

Deployment

Cloud

Pulumi ESC

Secrets Management
Best fit for

Teams using Pulumi for IaC who need a secrets layer that composes multiple backends

Pulumi ESC (Environments, Secrets, Configuration) is a secrets and configuration platform that lets you compose environments from multiple secret sources (AWS, Vault, Doppler, 1Password) and expose them as environment variables, files, or direct SDK calls. ESC is tightly integrated with Pulumi's infrastructure-as-code platform but works as a standalone tool too.

Pricing

Free tier (Pulumi Cloud Individual, $0); ESC metered per secret from $0.50/secret/mo (Team) and $0.75/secret/mo (Enterprise), on top of base tiers Team $40/mo and Enterprise $400/mo

Per-user tiers

Deployment

Cloud

Standards & certifications

SOC 2 Type 2

Sealed Secrets

Secrets Management
Best fit for

Small-to-medium Kubernetes teams doing pure GitOps without a separate secrets backend

Sealed Secrets is a Kubernetes controller from Bitnami that lets you store encrypted secrets directly in Git. You use the kubeseal CLI to encrypt a regular Kubernetes Secret into a SealedSecret custom resource, which only the controller running in your cluster can decrypt. This makes secret material safe to commit, review, and diff in version control without a separate secrets manager.

Pricing

Free (open source)

Open Source

Deployment

Self-HostedOpen Source

SOPS

Secrets Management
Best fit for

Infrastructure-as-code teams that want encrypted-in-Git secrets with a simple CLI

SOPS (Secrets OPerationS) is a command-line tool for editing encrypted files. It uses KMS keys (AWS KMS, GCP KMS, Azure Key Vault, HashiCorp Vault, age, or PGP) to encrypt only the values in YAML, JSON, ENV, or INI files. Leaving the keys readable so you can diff changes in Git. Originally created at Mozilla and now a CNCF Incubating project, SOPS is a favorite for teams that want encrypted-in-Git secrets without adopting a full operator.

Pricing

Free (open source)

Open Source

Deployment

Self-HostedOpen Source

SPIFFE / SPIRE

Secrets Management
Best fit for

Platform teams running microservices at scale that need to replace static service credentials

SPIFFE (Secure Production Identity Framework For Everyone) is a CNCF-graduated open standard for workload identity, and SPIRE is the reference implementation. Instead of giving workloads shared secrets, SPIRE issues short-lived, cryptographically verifiable identities (SVIDs) to each service, using attestation (where is this workload running, what image, what namespace) to prove who it is. SPIFFE is the foundation for zero-trust service-to-service authentication at companies like Bloomberg, Uber, and Square.

Pricing

Free (open source)

Open Source

Deployment

Self-HostedOpen Source

SplitSecure

Privileged Access Management
Best fit for

Highest-sensitivity accounts, regulated industries, and MSPs needing zero vendor dependency

SplitSecure is a distributed secrets management platform that splits credentials across multiple devices you control using Shamir Secret Sharing. No single device holds a complete credential, and secrets never leave your environment. Designed for highest-sensitivity accounts in regulated industries where vendor dependency is unacceptable.

Pricing

Free ($0) for orgs under $10M revenue; Starter $149/mo (5 seats); Enterprise custom

Tiered (free / per-seat / enterprise)

Deployment

CloudSelf-Hosted

Related guides

Other categories you might be evaluating alongside secrets management.

About this listing

Secrets Management tools, listed alphabetically and compared on public information. How we work →

Frequently Asked Questions

Secrets management is the practice of securely storing, accessing, and rotating sensitive credentials like API keys, database passwords, TLS certificates, and SSH keys. A secrets management tool provides a centralized vault with access controls, audit logging, and automated rotation to replace insecure practices like hardcoding credentials in code or sharing them via Slack.

If your team stores credentials in environment variables, config files, or shared documents. Yes. A dedicated tool provides encryption at rest and in transit, fine-grained access control, audit trails for compliance, and automated rotation. The question is whether you need a full platform like Vault or a simpler solution like your cloud provider's built-in service.

Password managers (1Password, Bitwarden) focus on human credentials. Employee login passwords, shared account credentials, and secure notes. Secrets management tools focus on machine credentials. API keys, database connection strings, TLS certificates, and service account tokens used by applications and infrastructure. Some tools like 1Password Business now bridge both worlds.

Use your cloud provider's service (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) if you're committed to one cloud and want the simplest operations. Use a third-party tool if you need multi-cloud support, want to avoid vendor lock-in, or need features like a developer-friendly UI or advanced rotation policies.

Widely used open-source options include HashiCorp Vault, Infisical, SOPS, Sealed Secrets, SPIFFE and SPIRE, and the External Secrets Operator. They remove licence costs and give you full control, but you run and maintain the infrastructure yourself, so factor in operational effort and support.

It ranges widely. Open-source tools are free to use but cost engineering time to run. Cloud services are usage-based, for example AWS Secrets Manager from about $0.40 per secret per month. SaaS tools such as Doppler and Infisical start from a few dollars per user per month. Enterprise platforms like HashiCorp Vault Enterprise, CyberArk Conjur and Delinea Secret Server are quote-based. Always confirm current pricing with the vendor.

Secrets management secures machine and application credentials such as API keys, database passwords, tokens and certificates for automated systems and pipelines. Privileged access management controls and monitors human access to privileged accounts, servers and systems. The two overlap and are often deployed together as part of a wider identity security programme.