This gist summarizes modern secrets-management options that are open, popular, and well‑maintained, with a bias toward agentic workflows (non‑interactive auth, short‑lived credentials, CLI/SDK‑first, auditability).
- Non‑interactive auth (service accounts, OIDC) for CI/agents
- Short‑lived / dynamic secrets (rotation + revocation)
- CLI/SDK‑first so secrets can be injected on demand
- Auditability (who accessed what, when)
- Easy local dev without leaking .env files
As of 2026-02-05:
| Project | Created | Contributors | Stars |
|---|---|---|---|
| Infisical/infisical | 2022-08-05 | 236 | 24,746 |
| openbao/openbao | 2023-11-09 | 1,527 | 5,339 |
| hashicorp/vault | 2015-02-25 | 1,612 | 34,969 |
| getsops/sops | 2015-08-13 | 197 | 20,695 |
| dotenvx/dotenvx | 2023-11-18 | 37 | 4,924 |
1) Infisical (open‑source, dev‑first)
- Open‑source secrets manager with strong CLI/SDK ergonomics.
- Good fit for teams that want modern DX + rapid setup.
- Offers policy controls and auditing; also includes secret scanning.
Why it’s a strong agentic fit: CLI‑first, easy local injection, well‑maintained.
2) OpenBao (open‑source, Vault‑style)
- Community‑governed, OpenSSF project; Vault‑style APIs and capabilities.
- Strong for dynamic secrets, leasing/renewal, and centralized policy.
Why it’s a strong agentic fit: short‑lived secrets and dynamic credentials are first‑class.
3) HashiCorp Vault (source‑available, industry standard)
- De‑facto standard for larger organizations.
- Rich ecosystem + dynamic secrets + policy enforcement.
Why it’s a strong agentic fit: very mature for automation, but licensing has shifted.
SOPS (open‑source)
- Encrypts config files (YAML/JSON/ENV/etc) for Git‑based workflows.
- Good when you want encrypted secrets in Git but don’t need a server.
dotenvx (open‑source)
- Encrypts .env files for safe sharing/commit.
- Great for local dev workflows; not a policy‑driven secrets platform.
1Password (current vendor)
- Use Service Accounts or Connect via 1Password Secrets Automation to avoid committing .env files.
- This is a safer automation path than local .env files and keeps your current vendor.
If you want a modern, open, “agentic‑ready” path:
- Fastest OSS on‑ramp: Infisical
- Most enterprise‑grade OSS: OpenBao
- Keep it light: SOPS or dotenvx (but not a true secrets manager)
Pick one of:
- Infisical for a simple, modern developer experience.
- OpenBao for dynamic/short‑lived secrets and strong policy.
- SOPS/dotenvx for encrypted config‑in‑git (lighter weight).
- Stay on 1Password but move to Service Accounts/Connect via 1Password Secrets Automation immediately.
I can draft a migration plan once we pick a direction.
Can these be hosted on Cloudflare Containers?
Yes, for server‑based managers that ship as container images. Cloudflare Containers can run container images alongside Workers, so it can host tools like Infisical, OpenBao, or HashiCorp Vault if you want a Cloudflare‑native runtime. Lightweight tools like SOPS or dotenvx are CLIs and don’t need hosting.
Do these tools create/rotate keys for me?
Most secrets managers store, distribute, and audit secrets. Key creation/rotation usually happens externally (by an agent/CI calling the provider API), then the new secret is written to the manager. The main exception is dynamic secrets engines (for example, database credentials) in OpenBao/HashiCorp Vault, which can mint short‑lived creds directly.
Do lightweight tools replace a secrets manager?
No. SOPS and dotenvx are great for encrypting files, but they don’t provide centralized policy, audit logs, or dynamic secrets. They’re complements or stepping stones, not full replacements.
How do agents authenticate to the secrets manager?
Common patterns are OIDC (CI identity tokens), service accounts, or short‑lived tokens minted by the manager. OIDC is preferred for agentic workflows because it avoids long‑lived credentials.
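The OIDC pattern above, as an added example that is not part of this gist or any project's code: a GitHub Actions job asks the runner for an OIDC ID token, trades it for a short‑lived OpenBao/Vault token via the JWT auth method (`POST /v1/auth/jwt/login`), and reads one KV v2 secret. The role name `ci-deployer`, the `secret` mount, the 1‑hour TTL ceiling and using the manager address as the OIDC audience are assumptions; the transport is injectable so the flow can be exercised offline.

```python
import json
import os
import urllib.request

MAX_TOKEN_TTL = 3600  # assumed local policy: refuse manager tokens longer than 1h


def http_json(method, url, headers=None, body=None):
    """Default transport: one HTTPS request, parsed JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers or {})
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def github_oidc_token(audience, transport=http_json, env=os.environ):
    """Ask the GitHub Actions runner for an OIDC ID token scoped to `audience`,
    using the ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN variables the runner provides."""
    url = env["ACTIONS_ID_TOKEN_REQUEST_URL"] + "&audience=" + audience
    headers = {"Authorization": "bearer " + env["ACTIONS_ID_TOKEN_REQUEST_TOKEN"]}
    return transport("GET", url, headers)["value"]


def login_with_jwt(addr, role, jwt, transport=http_json, max_ttl=MAX_TOKEN_TTL):
    """POST /v1/auth/jwt/login: trade the identity token for a client token.
    Rejects non-expiring or long-lived tokens so the agent never ends up with a
    credential that outlives the job."""
    resp = transport("POST", f"{addr}/v1/auth/jwt/login", None, {"role": role, "jwt": jwt})
    auth = resp["auth"]
    ttl = auth["lease_duration"]  # 0 means the token never expires
    if ttl == 0 or ttl > max_ttl:
        raise RuntimeError(f"token TTL {ttl}s exceeds {max_ttl}s; lower the role's token_ttl")
    return auth["client_token"], ttl


def read_kv2(addr, token, mount, path, transport=http_json):
    """GET /v1/<mount>/data/<path> (KV v2) and return only the key/value map."""
    resp = transport("GET", f"{addr}/v1/{mount}/data/{path}", {"X-Vault-Token": token})
    return resp["data"]["data"]


def fetch_secret_via_oidc(addr, role, mount, path, transport=http_json, env=os.environ):
    """Whole flow: CI OIDC token -> short-lived manager token -> one secret,
    with no long-lived credential stored anywhere on the runner."""
    jwt = github_oidc_token(addr, transport, env)
    token, _ttl = login_with_jwt(addr, role, jwt, transport)
    return read_kv2(addr, token, mount, path, transport)
```

The same three calls work against OpenBao or Vault because OpenBao keeps the Vault HTTP API; only the role's bound audience and claims differ per deployment.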
How do we separate dev/staging/prod safely?
Use separate projects/namespaces or distinct instances, plus strict RBAC and environment‑scoped policies. This prevents cross‑environment leakage and simplifies audit trails.
How are secrets injected into Cloudflare Workers or Containers?
Workers typically read secrets from environment bindings, and Containers can read secrets from the manager at startup or via sidecar/agent. Cloudflare’s own Secrets Store can also supply values to Workers.
Do we still need .env files locally?
You can keep local .env files for convenience, but they should be generated or injected from a manager and never committed. Tools like dotenvx or SOPS help encrypt local secrets if needed.
How do we rotate without breaking deployments?
Use a create → update → deploy → verify → revoke sequence and overlap validity windows where possible. Some providers allow multiple active keys to support safe rollouts.
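The create → update → deploy → verify → revoke sequence, and the external-provider rotation model described under "Do these tools create/rotate keys for me?", as an added example that is not part of this gist or any project's code. `Provider` (an external API that allows several active keys), the plain dict standing in for the secrets manager, `Service` and the key values are all constructed for illustration; the point is that at every step the deployed service holds a key the provider still accepts, and a failed verification rolls back instead of revoking.

```python
import secrets


class Provider:
    """External API that mints keys; several may be active at once (enables overlap)."""
    def __init__(self):
        self.active = set()
    def create_key(self):
        key = "key_" + secrets.token_hex(8)  # constructed sample value
        self.active.add(key)
        return key
    def revoke_key(self, key):
        self.active.discard(key)
    def accepts(self, key):
        return key in self.active


class Service:
    """Deployed consumer: reads the manager (a plain dict here) only on deploy."""
    def __init__(self, manager, name):
        self.manager, self.name, self.key = manager, name, None
    def deploy(self):
        self.key = self.manager[self.name]


def _roll_back(provider, manager, service, old, new):
    manager[service.name] = old  # point the manager back at the known-good key
    service.deploy()
    provider.revoke_key(new)


def rotate(provider, manager, service):
    """create -> update -> deploy -> verify -> revoke; the service never holds a rejected key."""
    old = service.key
    new = provider.create_key()                   # 1. create via the provider's API
    manager[service.name] = new                   # 2. update the secrets manager
    if not (provider.accepts(old) and provider.accepts(new)):
        _roll_back(provider, manager, service, old, new)
        raise RuntimeError("overlap window broken: both keys must be valid")
    service.deploy()                              # 3. deploy: consumer picks up new
    if not provider.accepts(service.key):         # 4. verify the key really works
        _roll_back(provider, manager, service, old, new)
        raise RuntimeError("new key failed verification; rolled back")
    provider.revoke_key(old)                      # 5. revoke only after verification
    return old, new
```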
What does least‑privilege access look like?
Grant secrets on a per‑service basis with minimal scope, and prefer dynamic or short‑lived credentials where supported.
Do we still need secret scanning?
Yes. A secrets manager reduces risk, but secret scanning catches accidental commits and prevents leaked credentials from living in git history.
Can we migrate from 1Password without downtime?
Yes—run a parallel period where both systems are valid, update deployments to read from the new manager, then revoke old secrets after verification.