Top 6 Open-Source Secrets Management Tools
The best open-source secrets management tools in 2026, from HashiCorp Vault and its OpenBao fork to Infisical, CyberArk Conjur, SOPS, and Bitwarden Secrets Manager, with licensing and deployment guidance.
- Open-source secrets management tools store, rotate, and audit credentials such as API keys, database passwords, and certificates without per-secret SaaS fees or vendor lock-in.
- The leading options in 2026 are HashiCorp Vault, OpenBao, Infisical, CyberArk Conjur, SOPS, and Bitwarden Secrets Manager.
- Watch the license: HashiCorp Vault and Boundary moved to the Business Source License in 2023, so teams that need a true open-source license increasingly evaluate OpenBao, the Linux Foundation MPL-2.0 fork of Vault.
Commercial secrets platforms increasingly price per secret or per sync, and those costs climb fast once every service, pipeline, and workload needs credentials. Open-source secrets management offers an alternative: full control over where credentials live, no per-secret licensing, the ability to audit the code that guards your most sensitive data, and freedom from SaaS lock-in. For teams with the operational capacity to run them, open-source tools deliver enterprise-grade secret storage, rotation, and auditing at infrastructure cost.
The landscape shifted in 2023, when HashiCorp relicensed Vault under the Business Source License. Vault Community Edition is still free and dominant, but the change prompted the Linux Foundation to launch OpenBao, a true open-source fork, and pushed many teams to re-examine their options. This guide evaluates the six open-source secrets management tools worth knowing in 2026, with an honest read on licensing, dynamic secrets, and operational burden.
For the concept itself, see our secrets management fundamentals, and for the full field including managed services, the best secrets management tools ranking. This is part of our open-source series alongside the top open-source IAM solutions.
Evaluation Criteria
We assessed each tool against the following dimensions:
- License, whether it is OSI-approved open source or source-available
- Dynamic secrets, on-demand, short-lived credentials for databases, clouds, and PKI
- Rotation, automated credential rotation and revocation
- Deployment, self-hosting complexity, Docker, Kubernetes, high availability
- Access control and audit, policy model, identity integration, audit logging
- Developer experience, CLI, SDKs, secret injection, integrations
- Community and maintenance, GitHub activity, release cadence, governance
- Commercial support, paid support or managed offerings for production teams
The Top 6 Open-Source Secrets Management Tools
1. HashiCorp Vault (Community Edition)
Best For: Platform teams that need dynamic secrets and one secrets control plane across clouds and datacenters.
Overview
HashiCorp Vault is the de facto standard for secrets at scale. It centralizes storage, encryption, and access control for static and dynamic secrets, and its dynamic secrets engines generate short-lived, automatically expiring credentials for databases, cloud providers, and PKI. Vault Community Edition remains free and open to self-host, though since August 2023 it ships under the Business Source License rather than MPL 2.0. It anchors most serious secrets programs, and its identity-based policy model integrates cleanly with Kubernetes, cloud IAM, and machine identity workflows.
Key Features
- Dynamic secrets engines for databases, AWS, Azure, GCP, and PKI
- Transit engine for encryption-as-a-service without storing data
- Identity-based policies with Kubernetes, cloud, and OIDC auth methods
- Lease-based, automatically revoked short-lived credentials
- Broad ecosystem: Vault Agent, CSI provider, Terraform, and SDKs
- Audit devices for tamper-evident logging
License Business Source License 1.1 (source-available) since August 2023. Community Edition is free to run; HCP Vault and Vault Enterprise are paid.
Pros
- Deepest dynamic-secrets support of any tool here
- Portable and consistent across any cloud or on-prem environment
- Huge community, documentation, and integration ecosystem
Cons
- Operationally demanding to run at high availability
- No longer under an OSI-approved license
- Enterprise features (namespaces, HSM, replication) are paid
2. OpenBao
Best For: Teams that want Vault's model and API under a genuinely open-source license.
Overview
OpenBao is the Linux Foundation fork of Vault, created in response to the 2023 relicensing and released under the Mozilla Public License 2.0. It preserves Vault's HTTP API, storage backends, and core secrets engines, so most Vault Community Edition deployments can migrate with limited changes. OpenBao is governed as a community project with a technical steering committee, which appeals to organizations that need license certainty, vendor neutrality, or public-sector procurement compliance. As a younger project it moves fast, and its roadmap increasingly diverges from Vault with community-driven features.
Key Features
- MPL-2.0, an OSI-approved open-source license
- API-compatible with HashiCorp Vault for straightforward migration
- Dynamic secrets, transit encryption, and PKI engines inherited from Vault
- Linux Foundation governance with open, community roadmap
- Kubernetes-native deployment patterns
License Mozilla Public License 2.0 (true open source).
Pros
- Non-restrictive license with neutral governance
- Familiar to anyone who knows Vault
- Rapidly growing contributor base
Cons
- Smaller ecosystem and fewer managed-hosting options than Vault
- Some Vault Enterprise features have no open equivalent
- Younger project; validate long-term support expectations
3. Infisical
Best For: Developer teams wanting a self-hostable, open-source platform for application secrets.
Overview
Infisical is an open-source-first secrets platform with a self-hostable core and a polished developer experience. It focuses on syncing application secrets across environments, injecting them into local development, CI, and production, and scanning code and Git history for leaked credentials. Infisical is a strong fit for teams that want data residency and cost control without running Vault's operational machinery, and its managed cloud exists for teams that would rather not self-host. It is younger than Vault, so validate enterprise requirements like advanced dynamic secrets before standardizing.
Key Features
- Self-hostable open-source core with a clean web dashboard
- Environment-based secret organization and syncing
- Secret scanning for code and Git history
- CLI, Kubernetes operator, and broad SDK coverage
- Point-in-time recovery and secret versioning
- Growing dynamic-secrets and rotation support
License MIT for the core, with some enterprise features under a commercial license.
Pros
- Excellent developer experience and fast setup
- Self-host or managed, with a genuine open-source core
- Built-in secret scanning is a useful extra
Cons
- Dynamic secrets are lighter than Vault or OpenBao
- Younger ecosystem and smaller community
- Some advanced features gated behind the paid tier
4. CyberArk Conjur (Open Source)
Best For: Teams standardizing machine and application secrets, especially alongside a CyberArk program.
Overview
CyberArk Conjur brings machine and application secrets under policy-driven access control, with a declarative policy language and strong Kubernetes and CI/CD integrations. Conjur Open Source provides the core secrets engine and API for free, while Conjur Enterprise adds high availability, support, and tighter integration with CyberArk's privileged access management. It is most compelling when human and non-human credentials should live in one audited control plane, and when an organization has already invested in CyberArk.
Key Features
- Declarative, version-controlled policy-as-code for access
- Kubernetes authenticator and secretless broker patterns
- Strong CI/CD and DevOps tool integrations
- Role-based access with detailed audit trails
- Path to CyberArk Enterprise governance
License Conjur Open Source under LGPL; Conjur Enterprise is commercial.
Pros
- Policy-as-code model suits GitOps and infrastructure teams
- Clear upgrade path into enterprise CyberArk governance
- Solid Kubernetes and pipeline integrations
Cons
- Full value assumes broader CyberArk investment
- Smaller community than Vault or OpenBao
- Open-source edition lacks enterprise HA and support
5. SOPS (getsops)
Best For: GitOps teams that want to encrypt secrets directly in their repositories.
Overview
SOPS, now maintained by the CNCF-adjacent getsops community after originating at Mozilla, takes a different approach from a running server. It encrypts individual values inside YAML, JSON, ENV, and INI files using a KMS such as AWS KMS, GCP KMS, Azure Key Vault, age, or PGP, so encrypted secrets can live safely in Git. There is no service to operate; decryption happens at deploy time with the right key. SOPS pairs naturally with Kubernetes, Terraform, and tools like Flux and Argo CD, and is often used alongside a full secrets manager rather than instead of one.
Key Features
- Encrypts values in place inside structured config files
- Backends for AWS KMS, GCP KMS, Azure Key Vault, age, and PGP
- No server to run; keys held by your KMS or age identities
- Native fit for GitOps with Flux and Argo CD
- Simple audit story: encrypted files versioned in Git
License Mozilla Public License 2.0 (true open source).
Pros
- Zero infrastructure to operate or scale
- Perfect fit for GitOps and infrastructure-as-code
- Encryption keys stay in your existing KMS
Cons
- No dynamic secrets, rotation, or leasing
- Key management and access control pushed to your KMS
- Not a full secrets platform on its own
6. Bitwarden Secrets Manager
Best For: Teams already using Bitwarden that want machine secrets alongside their password vault.
Overview
Bitwarden Secrets Manager extends the open-source Bitwarden platform from human password management into machine and application secrets. It provides secret storage, projects for organizing access, machine accounts for service authentication, and a CLI and SDKs for injecting secrets into CI/CD and workloads. Because Bitwarden's clients and much of its server are open-source and self-hostable, it appeals to organizations that want one open-source vendor across human and machine credentials, though the dedicated Secrets Manager product is younger than the core password manager.
Key Features
- Machine accounts and access tokens for service authentication
- Projects and granular access control for secret organization
- CLI and SDKs for CI/CD and workload injection
- Self-hostable alongside the Bitwarden password manager
- End-to-end encryption consistent with the Bitwarden model
License Open-source clients and server components (GPL/AGPL), with paid Secrets Manager seats.
Pros
- One open-source platform for human and machine secrets
- Familiar to teams already running Bitwarden
- Self-hostable with end-to-end encryption
Cons
- Newer and less proven than Vault for machine secrets
- No dynamic secrets or database credential generation
- Seat-based pricing for the managed Secrets Manager tiers
How to Choose
For a central secrets control plane with dynamic, short-lived credentials, start with HashiCorp Vault, or OpenBao if you need a genuinely open-source license and neutral governance. For a developer-friendly, self-hostable platform for application secrets, Infisical is the easiest to adopt. Choose CyberArk Conjur when secrets should sit inside a broader privileged-access program, SOPS when you want encrypted secrets committed to Git for GitOps, and Bitwarden Secrets Manager when you already run Bitwarden and want machine secrets in the same place.
Whichever you pick, the recurring lesson is operational: a secrets manager you cannot run securely and keep patched is worse than the managed service you were trying to avoid. If your team lacks the capacity to operate one, a managed option from the full secrets ranking may be the more honest choice. For comparisons of specific pairs, such as HashiCorp Vault vs AWS Secrets Manager, see our comparisons.
Frequently asked questions
- What are the best open-source secrets management tools in 2026?
- The top open-source secrets management tools in 2026 are HashiCorp Vault, OpenBao, Infisical, CyberArk Conjur, SOPS, and Bitwarden Secrets Manager. HashiCorp Vault remains the most capable and widely deployed, while OpenBao is the truly open-source (MPL-2.0) fork for teams that need a non-restrictive license.
- Is HashiCorp Vault still open source?
- HashiCorp changed Vault's license from Mozilla Public License 2.0 to the Business Source License (BSL 1.1) in August 2023. Vault Community Edition is still free to use and its source is public, but the BSL restricts offering Vault as a competing hosted service. Teams that require an OSI-approved open-source license often adopt OpenBao, the MPL-2.0 fork maintained under the Linux Foundation.
- What is OpenBao?
- OpenBao is a fork of HashiCorp Vault created after the 2023 license change, maintained under the Linux Foundation and released under the Mozilla Public License 2.0. It preserves Vault's API and core secrets engines while keeping a true open-source license, making migration from Vault Community Edition straightforward for most deployments.
- How do you choose an open-source secrets manager?
- Match the tool to your model: HashiCorp Vault or OpenBao for dynamic secrets and a central control plane across clouds, Infisical for a developer-friendly self-hostable platform, CyberArk Conjur for machine secrets inside a CyberArk program, SOPS for encrypting secrets in Git for GitOps, and Bitwarden Secrets Manager for teams already using Bitwarden. The deciding factor is whether your team can operate it securely over time.