Self-Hosted Secrets Management Vaults
Open-source alternatives to HashiCorp Vault for securely storing and managing sensitive credentials and configuration data.
Self-Hosted Secrets Management Vaults
Find the best repos with AI.We'll search the best matching repositories with AI.
- hashicorp/vault
hashicorp/vault
35,796View on GitHubVault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguish
Vault is the industry-standard platform for centralized secrets management, offering robust support for dynamic secret generation, granular role-based access control, audit logging, and comprehensive encryption features.
GoDynamic Secret EnginesSecret Storage EnginesDynamic Credential Providers - openbao/openbao
openbao/openbao
6,433View on GitHubOpenBao is a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys.
OpenBao is a comprehensive secrets management platform that provides dynamic secret generation, robust role-based access control, audit logging, and encryption at rest, making it a direct fit for your requirements.
GoDynamic Secret EnginesDynamic Secret ManagementSecret Storage - infisical/infisical
Infisical/infisical
27,374View on GitHubInfisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports
Infisical is a comprehensive, self-hostable secrets management platform that provides dynamic secret generation, robust role-based access control, audit logging, and certificate management, meeting all the core requirements for secure credential orchestration.
TypeScriptDynamic Secret ManagementDynamic Credential ProvisioningSecret Lifecycle Operations - bitwarden/server
bitwarden/server
18,074View on GitHubThis project provides a comprehensive, self-hosted platform for zero-knowledge credential management and enterprise secrets orchestration. It functions as a secure vault that ensures all encryption and decryption processes occur exclusively on the client side, preventing the server from ever accessing plaintext data. By combining identity federation with robust access controls, the system enables organizations to centralize the management of passwords, passkeys, and sensitive infrastructure credentials. The platform distinguishes itself through its focus on both human-centric security and aut
This platform provides a robust, self-hostable vault for managing credentials and secrets with strong encryption, audit logging, and API-driven access, though it is primarily designed for human-centric password management rather than the dynamic secret generation engines found in infrastructure-focused secrets managers.
C#Audit LoggingSecret Storage - bitwarden/clients
bitwarden/clients
13,114View on GitHubThis project is a comprehensive zero-knowledge security suite designed for enterprise credential management, secrets orchestration, and password management. It provides a secure, end-to-end encrypted vault that allows users to store, synchronize, and manage sensitive information, including passwords, passkeys, and infrastructure secrets, across desktop, mobile, and browser environments. The platform distinguishes itself through a strict zero-knowledge architecture where all encryption and decryption occur locally on the client, ensuring that plaintext data remains inaccessible to the server.
This repository provides the client-side infrastructure for a robust, self-hostable secrets management platform that supports encryption at rest, audit logging, and programmatic secret injection, though it focuses more on end-user credential management than on dynamic infrastructure secret generation.
TypeScriptRole-Based Access Control
