
Secrets Management DevOps Tools and More
- Rick Pfahl
- Engineering and Development
- 18 Jul, 2025
These tools provide a means of securely storing secrets (encryption keys, passwords, all that good stuff that you want to make available to your production systems but must protect from exposure). I started my research with this Reddit post.
Simple Tools
💫 SOPS: Simple and flexible tool for managing secrets: getsops.io | SOPS on github: SOPS allows the encryption of secrets directly in the configuration files from which your applications load them. Using SOPS, secrets are decrypted at runtime.
👉 Using SOPS is kind of a pain, but it doesn't involve relying on any external web services. It supports encrypting secrets using PGP (and that got me stuck on looking at all the new encryption types in the latest GnuPG; see Post Quantum Cryptography below). It works as follows.
👉 create a sops.yaml file in the root of your project. At minimum this file needs to specify the fingerprint of the PGP key you'll use to encrypt secrets. It supports other methods… but why? I'm not interested.
    creation_rules:
      - path_regex: ./*
        pgp: 'FA2A456F0B079A46CDE2E2275D2D'
👉 move your .env file variables into a json file, converting the list of variables to a dictionary.
    # env.json
    {"SECRET1": "SECRET1VAL", "SECRET2": "SECRET2VAL", ... "SECRETN": "SECRETNVAL"}
👉 run sops encrypt env.json > env.enc.json, which will encrypt the individual values within the file. Take a look.
👉 run sops exec-env env.enc.json <your app launch command>. Any application launched with sops exec-env <encrypted secrets file> will have an environment variable defined for each key in the JSON object… which is why we converted our .env variables to JSON keys. To use this, make sure your app doesn't specifically need the .env file. I got some warnings that I think came from python dotenv, but it all seems to be working fine anyway.
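The .env to JSON conversion step above, as an added example (this is not SOPS's own code): it parses a .env file into the flat {name: value} object that sops encrypt and sops exec-env work with, and writes env.json with mode 0600 because that file holds plaintext secrets until it is encrypted. SAMPLE_DOTENV is constructed input.

```python
# Added example (not SOPS code): turn a .env file into the flat JSON
# object that `sops encrypt` and `sops exec-env` work with.
import json
import os
import re
import sys

# NAME=VALUE with an optional leading `export `; value may be quoted.
_LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

SAMPLE_DOTENV = """\
# constructed sample standing in for a real .env file
export DB_PASSWORD="p@ss word"
API_KEY=abc123   # inline comment
TOKEN='x"y'
"""


def parse_dotenv(text: str) -> dict:
    """{name: value} in file order: comments/blank lines skipped, matching
    quotes stripped, values kept as strings (one env var per key)."""
    secrets = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = _LINE.match(raw)
        if not m:
            raise ValueError(f"line {lineno}: expected NAME=VALUE, got {raw!r}")
        name, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]                       # drop matching quotes
        elif " #" in value:                           # unquoted inline comment
            value = value.split(" #", 1)[0].rstrip()
        secrets[name] = value
    return secrets


def write_env_json(text: str, path: str) -> None:
    """Write the plaintext JSON with mode 0600; delete it once `sops encrypt`
    has produced env.enc.json, it is only an intermediate file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(json.dumps(parse_dotenv(text), indent=2) + "\n")


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOTENV
    write_env_json(text, "env.json")
    print("wrote env.json; next: sops encrypt env.json > env.enc.json")
```

Run it as python3 env_to_json.py .env to convert a real file; without an argument it converts the constructed sample.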
🤢 pass, the standard unix password manager: bleh…
Components of Larger Software Packages
🪐 Portainer.io: Container management for Docker and Kubernetes with a built-in system for managing secrets | How to create and manage Kubernetes Secrets in Portainer
Webservice Based Solutions
⛔ VaultPlusPlus: looks promising, but the command is provided as a binary only and it doesn't seem to work on my Fedora Kinoite system
🧐 AWS Secrets Manager: $0.40 per secret/month, $0.05 per 10k API calls, so pretty reasonable… except my newest app has at least a dozen secrets. There are free options below that will be much less expensive, but less full-featured.
🤦 1password.com: a user account is $2.99, but I think the $19.99 package is necessary to access the secrets management for web applications.
⚠️ Evervault: Free edition limited to 500 decrypts/mo, which, depending on how your project is coded, could be plenty or not nearly enough
✅ 👌😎🧸 Infisical: Free edition is entirely usable
👉🤛 Using Infisical: fairly simple CLI usage,
👉 first install (rpm, apt, or npm),
👉 go to the directory of the project you want to associate with an Infisical project, run infisical init and choose the appropriate project
👉 now you can prefix any command with infisical run --env=<dev,staging,production> --path=/path/to/application <application start command>.
👉 Alternately, you can run infisical secrets --env=<dev,staging,production> and it will print out a table: SECRET NAME | SECRET VALUE | SECRET TYPE.
✅ 🚀🔮🪐 Doppler: Free edition is entirely usable; similar CLI usage to Infisical.
🧿 first install (rpm, apt, or shell script; for the shell-script option on Fedora ostree-based installs, you must save install.sh, edit it to set USE_PACKAGE_MANAGER=0, then run it as root)
💫 run doppler login to get a token
☄️ go to the directory of the project you want to associate with a Doppler project, run doppler setup and choose the appropriate project
🌌 now you can prefix any command with doppler run --command= . For example, in the simplest case, to verify the secrets are accessible: if you created a secret called TEST_SECRET, run doppler run --command="echo \$TEST_SECRET" and it should print the secret value to the screen, demonstrating that it is now available as an environment variable.
⚠️🤦 HashiCorp Vault: was free, now requires HashiCorp Dedicated 💵 $400+/month.
😐 Pulumi IaC ESC: Pulumi is an infrastructure-as-code provider.
Summary
In experimenting with the recommendations from the Reddit post I found Doppler and Infisical to be the best web-service options… really the only usable ones.
Ubiq: Encryption for Everything
Not exactly a secrets manager, but an interesting service that I feel like mentioning anyway. Designed to be very easy to implement so that no sensitive data need be left unencrypted at rest. It might be possible to set up a workflow using Ubiq for secrets management since it provides such generic access to encryption.
Post Quantum Cryptography
Looking at the PGP support in SOPS got me stuck on looking at all the new encryption types that have appeared in the latest version of GnuPG. Unfortunately none are quantum safe, even though it sounds like the algorithms exist.
🔮 Post Quantum Cryptography (PQC)
👨💻 Shor's Algorithm: theoretically capable of defeating all traditional asymmetric key encryption (RSA and all the elliptic-curve variants) given sufficient quantum computing resources, because of its potential to factor large numbers. Not proven yet, but the theoretical possibility is probable enough to warrant the development of new methods for generating asymmetric keypairs. So far the following have been proposed:
Post-quantum cryptography research is mostly focused on six different approaches:
🔐 Symmetric key quantum resistance
🕵🛡️ Hybrid encryption is often recommended: data is encrypted with both a new post-quantum encryption technology and an existing, proven, non-post-quantum technology like ed25519. This way, if the new algorithm turns out to be vulnerable to a non-quantum attack, the data is still protected by the well-tested but not quantum-safe algorithm. This is a good idea since there is a lot of risk with the new algorithms simply because they are that new.