30 open-source projects similar to mozilla/sops, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best Sops alternative.
Blackbox is a GPG secret management tool and asymmetric encryption wrapper used to securely store and share sensitive files within version control systems like Git, Mercurial, or Subversion. It functions as a version control secret store that encrypts files for safe storage at rest while allowing authorized users and machines to decrypt them. The system distinguishes itself by integrating directly with version control to provide plaintext diff and log visualization of encrypted files. It supports multi-recipient encryption and automated secret decryption via passphrase-less GPG subkeys, enabl
Sealed Secrets is a Kubernetes secret encryption tool and controller designed for GitOps security. It provides a mechanism to encrypt sensitive data into SealedSecret resources that can be safely stored in public version control systems and decrypted only within a cluster. The kubeseal client seals secrets with the controller's public key, ensuring that only the corresponding private key held within the cluster can unseal them into ordinary Kubernetes Secrets. It includes utilities for sealing-key rotation, re-encryption of existing SealedSecrets under the newest key, and offline unsealing with a backed-up private key to maintain data access during disaster recovery
git-crypt is a transparent cryptography layer and secret manager for Git repositories. It encrypts specific files so they remain as ciphertext on remote servers while appearing as plaintext in local working copies. The tool uses Git attributes to define the set of files and directories targeted for encryption; a file that was committed before it was listed there stays in plaintext in the history. It supports both symmetric secret-key encryption for shared access and GPG public-key encryption to grant decryption rights to individual collaborators. Encryption and decryption are automated through Git's clean and smudge filter drivers rather than commit hooks, which run transparently during commit and ch
Infisical is a centralized secrets management platform designed to store, synchronize, and control access to sensitive credentials and configuration data across distributed development, staging, and production environments. It employs client-side encryption to ensure that secrets remain unreadable to the underlying storage infrastructure, while providing a hierarchical permission model to govern both user and machine access. The platform distinguishes itself through dynamic credential provisioning, which generates short-lived access tokens that are automatically revoked after use. It supports
gopass is a terminal-based password manager and GPG secret store used for generating, storing, and retrieving encrypted credentials. It functions as a collaborative secret manager that encrypts data using GPG or age and synchronizes it across devices and teams using Git. The system distinguishes itself by treating version control repositories as the primary storage backend, enabling secure secret sharing and version history for credentials. It utilizes a hierarchical directory structure to organize secrets on the filesystem and supports multi-store mounting to combine multiple independent rep
Boundary is an identity-aware access proxy and privileged access management tool. It brokers secure network connections to infrastructure targets by mapping verified user identities to granular permissions, providing a gateway to servers and databases without the need for static credentials or VPNs. The system distinguishes itself through just-in-time connectivity and automated credential injection, delivering short-lived secrets to users during session initialization. It implements a composable security model using allow-only role-based access control and hierarchical resource scoping to iso
Vault is a centralized secrets management platform designed to secure, store, and control access to sensitive credentials such as API keys, passwords, certificates, and encryption keys. At its core, the system employs a barrier-based cryptographic sealing mechanism that requires an unseal process to decrypt internal storage, ensuring that sensitive data remains protected. It provides identity-based access control to manage granular permissions across distributed infrastructure, effectively centralizing security policies and authentication for both human and machine workloads. What distinguish
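Vault's default seal reconstructs the unseal key from a threshold of Shamir key shares before the barrier can decrypt its storage. The following is an added example written for this page, not Vault's code: it implements Shamir secret sharing over the prime field GF(2**127 - 1) (Vault's implementation works byte-wise over GF(2**8)) and a minimal barrier that holds only a SHA-256 commitment to the key, so a wrong or tampered share set is rejected rather than "unsealing" with garbage. The names provision, SealedBarrier and submit_share are this example's own.

```python
"""Threshold unseal: Shamir key shares in front of a sealed key barrier.

Added example, not Vault's code. Field arithmetic is over GF(P) with P a
Mersenne prime so that only the standard library is needed.
"""
import hashlib
import secrets

P = 2**127 - 1   # Mersenne prime; all field arithmetic below is mod P
KEY_BYTES = 15   # 120-bit key, guaranteed to be < P


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, threshold, shares):
    """Return `shares` points (x, f(x)); any `threshold` of them recover `secret`."""
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    # Random polynomial of degree threshold-1 whose constant term is the secret
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(points):
    """Lagrange interpolation at x = 0; requires distinct x values."""
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def _commit(key):
    """Commitment stored in the barrier instead of the key itself."""
    return hashlib.sha256(key.to_bytes(KEY_BYTES, "big")).digest()


class SealedBarrier:
    """Holds only a commitment to the key until enough valid shares arrive."""

    def __init__(self, key_commitment, threshold):
        self._commitment = key_commitment
        self.threshold = threshold
        self._pending = {}     # x -> y, deduplicated by x
        self.key = None        # populated only while unsealed

    @property
    def sealed(self):
        return self.key is None

    def submit_share(self, share):
        if not self.sealed:
            return "already-unsealed"
        x, y = share
        self._pending[x] = y
        if len(self._pending) < self.threshold:
            return f"sealed ({len(self._pending)}/{self.threshold})"
        candidate = recover_secret(list(self._pending.items()))
        self._pending.clear()
        if candidate.bit_length() > KEY_BYTES * 8 or _commit(candidate) != self._commitment:
            return "rejected"   # wrong or tampered share: stay sealed, start over
        self.key = candidate
        return "unsealed"

    def seal(self):
        self.key = None
        self._pending.clear()


def provision(threshold, shares):
    """Generate a key, split it, and return (barrier, shares, key).

    The key is returned only so the demo can check the reconstruction; in a
    real deployment it is discarded and the shares go to separate operators.
    """
    key = int.from_bytes(secrets.token_bytes(KEY_BYTES), "big")
    return SealedBarrier(_commit(key), threshold), split_secret(key, threshold, shares), key


if __name__ == "__main__":
    barrier, shares, _ = provision(threshold=3, shares=5)
    for s in (shares[4], shares[1], shares[3]):
        print(barrier.submit_share(s))
```

Submitting the same share twice does not advance the count, and any share set below the threshold interpolates to an unrelated field element, which the commitment check turns into a rejection rather than a silent wrong key.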
Git-secrets is a security utility designed to prevent the accidental exposure of sensitive credentials by integrating automated scanning directly into the version control commit lifecycle. It functions as a commit scanner that evaluates staged files and commit messages against defined security policies before changes are finalized in a repository. The tool utilizes regular expression pattern matching to identify potential secrets and supports the registration of custom patterns to address specific organizational security requirements. To manage operational friction, it includes mechanisms for
fhevm is a full-stack blockchain framework designed to integrate Fully Homomorphic Encryption into smart contracts. It provides a platform for developing confidential smart contracts that can process encrypted data and execute private on-chain computations without decrypting the underlying information. The framework utilizes a coprocessor system to offload resource-intensive encrypted operations to an asynchronous service, improving blockchain performance and scalability. It incorporates a secure key management service based on multi-party computation and a zero-knowledge proof verifier to en
SOPS (Secrets OPerationS) is a command-line utility for managing sensitive data by encrypting specific values within structured files such as YAML, JSON, ENV and INI (binary files are handled as a whole). Because only the values are encrypted while keys and structure stay in cleartext, the files remain diffable in version control and usable by automated workflows; a MAC over the plaintext values, stored in the file's metadata, makes sops refuse to decrypt a file whose values were added, removed or altered outside of it. The editing workflow decrypts the file into a temporary file, opens it in the user's editor and re-encrypts it on save, so plaintext is never committed to the repository, although it does briefly reside on local disk during editing unless the temporary directory is memory-backed. It supports a variety of encry
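To make the "values encrypted, structure visible" property concrete, the following added example (written for this page, not sops' own code) walks a nested configuration, replaces every leaf value with an ENC[...] token and records a document-level MAC alongside it. sops uses AES-GCM for the values; this demo instead derives an HMAC-SHA256 keystream (CTR mode with HMAC as the PRF) and an encrypt-then-MAC tag so it runs on the standard library alone. The token format, the "sops" metadata key and the function names are this example's own.

```python
"""Value-level encryption of a structured config, in the style of sops.

Added example, not sops' code. Key names, nesting and list lengths stay
readable; only leaf values are replaced. A MAC over the canonical plaintext
document detects values being deleted, added or swapped between keys.
"""
import base64
import hashlib
import hmac
import json
import secrets

_SCALARS = (str, int, float, bool, type(None))


def _subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _encrypt_value(key: bytes, value) -> str:
    enc_key, mac_key = _subkeys(key)
    plaintext = json.dumps(value).encode()      # JSON keeps the scalar's type
    nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    b64 = lambda b: base64.b64encode(b).decode()
    return f"ENC[v1,data:{b64(ct)},nonce:{b64(nonce)},tag:{b64(tag)}]"


def _decrypt_value(key: bytes, token: str):
    enc_key, mac_key = _subkeys(key)
    if not (isinstance(token, str) and token.startswith("ENC[v1,") and token.endswith("]")):
        raise ValueError("not an encrypted value")
    fields = dict(part.split(":", 1) for part in token[7:-1].split(","))
    ct, nonce, tag = (base64.b64decode(fields[k]) for k in ("data", "nonce", "tag"))
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("value authentication failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def _walk(node, fn):
    """Apply fn to every leaf while preserving dict keys and list order."""
    if isinstance(node, dict):
        return {k: _walk(v, fn) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, fn) for v in node]
    if isinstance(node, _SCALARS):
        return fn(node)
    raise TypeError(f"unsupported leaf type {type(node).__name__}")


def _document_mac(doc: dict, mac_key: bytes) -> str:
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(mac_key, canonical, hashlib.sha256).hexdigest()


def encrypt_document(doc: dict, key: bytes) -> dict:
    _, mac_key = _subkeys(key)
    out = _walk(doc, lambda v: _encrypt_value(key, v))
    out["sops"] = {"version": "demo", "mac": _document_mac(doc, mac_key)}
    return out


def decrypt_document(enc: dict, key: bytes) -> dict:
    _, mac_key = _subkeys(key)
    body = {k: v for k, v in enc.items() if k != "sops"}
    doc = _walk(body, lambda v: _decrypt_value(key, v))
    if not hmac.compare_digest(_document_mac(doc, mac_key), enc["sops"]["mac"]):
        raise ValueError("document MAC mismatch: a value was added, removed or swapped")
    return doc


def verify_document(enc: dict, key: bytes) -> bool:
    """True if the file decrypts and its document MAC checks out (CI-style gate)."""
    try:
        decrypt_document(enc, key)
        return True
    except (ValueError, KeyError, TypeError):
        return False


if __name__ == "__main__":
    # Constructed sample configuration; the key is a demo constant
    doc = {"db": {"host": "db.internal", "port": 5432, "password": "hunter2"},
           "features": ["audit", "mfa"], "debug": False}
    enc = encrypt_document(doc, b"\x01" * 32)
    print(json.dumps(enc, indent=2))   # keys and shape visible, values opaque
    print(decrypt_document(enc, b"\x01" * 32) == doc)
```

A per-value tag alone would let an attacker swap two ciphertexts between keys (for example moving the production password under a staging key) without detection; the document MAC over the canonical plaintext is what closes that gap, which is why sops verifies its own MAC before returning plaintext.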
GAM is a command-line tool for administering Google Workspace and Cloud Identity. It translates command-line arguments into structured API calls, enabling administrators to manage users, groups, organizational units, and domain settings across a Google Workspace environment. The tool handles authentication through OAuth2 flows, service accounts, and workload identity federation, and supports multi-tenant configurations for managing multiple domains or cloud projects from a single installation. GAM distinguishes itself through its batch processing and automation capabilities. It can process la
Flux is a Kubernetes GitOps delivery tool used to automate application deployments by synchronizing cluster state with configurations stored in Git, OCI, or Helm repositories. It functions as a set of controllers that monitor desired state in external sources and continuously reconcile the live cluster to match those definitions. The system distinguishes itself through a multi-cluster management plane that coordinates application delivery across fleets of remote clusters from a central hub. It provides a dedicated mechanism for automated image updates, which scans container registries for new
Boto3 is the AWS SDK for Python, providing a programmatic interface for managing and automating AWS infrastructure and services. It exposes low-level service clients and higher-level resource objects for provisioning, configuring, and scaling compute, database, and storage services. Through its CloudFormation client it can deploy declarative templates, allowing identical resource stacks to be created across multiple accounts and regions. It also gives access to the services used for coordinating distributed workflows, serverless functions, and contain
git-secret is a command line tool and Bash encryption utility used to manage sensitive configuration files and passwords within Git repositories. It enables version controlled secret storage by encrypting files with GPG public keys, ensuring that sensitive data can be committed to a repository without exposing plaintext. The tool utilizes a PGP encryption workflow to control access through a managed keyring of authorized public keys. This allows for the granting and revocation of decryption permissions for specific users. To prevent accidental data leaks, it automatically integrates with Git
Gitleaks is a static analysis security tool and secret detection engine designed to find hardcoded passwords, API keys, and authentication tokens. It functions as a Git secret scanner that analyzes both local file systems and Git commit history to prevent credential leaks. The tool distinguishes itself through a decoding pipeline that transforms base64 and hex strings into plaintext to find obfuscated secrets. It further reduces false positives using proximity-based validation and fingerprint-based suppression to filter out known or baseline findings. The system covers a broad range of detec
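The git-secrets and Gitleaks entries above describe the same pipeline from two ends: pattern rules applied to staged content, a decode pass so that base64- or hex-wrapped secrets are not missed, and fingerprint-based suppression of known findings. The following added example (written for this page, not the code of either project) implements that pipeline over a few constructed lines. The rule set, the Finding type and the scan_lines/fingerprint names are this example's own; the AWS access-key-id pattern and the key AKIAIOSFODNN7EXAMPLE are the publicly documented example ones, and every other "secret" here is made up.

```python
"""Commit-time secret scanning: regex rules, decode pass, baseline suppression.

Added example, not git-secrets' or Gitleaks' code. The generic rule requires a
keyword next to the candidate value, which keeps random high-entropy strings
from being reported on their own.
"""
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass


def fingerprint(rule: str, secret: str) -> str:
    """Stable id for a finding so known/accepted ones can be baselined."""
    return hashlib.sha256(f"{rule}:{secret}".encode()).hexdigest()[:16]


@dataclass(frozen=True)
class Finding:
    rule: str
    secret: str
    line_no: int
    via: str   # "raw", "base64" or "hex": which view of the line matched

    @property
    def fingerprint(self) -> str:
        return fingerprint(self.rule, self.secret)


RULES = [  # (rule id, pattern, group that holds the secret)
    ("aws-access-key-id", re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"), 0),
    ("generic-api-key",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"), 1),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"), 0),
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{40,}\b")


def _printable(raw: bytes) -> bool:
    return all(32 <= c < 127 or c in (9, 10, 13) for c in raw)


def _decoded_views(text: str):
    """Yield (label, decoded text) for tokens that decode to printable ASCII."""
    for m in B64_TOKEN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue
        if raw and _printable(raw):
            yield "base64", raw.decode("ascii")
    for m in HEX_TOKEN.finditer(text):
        try:
            raw = bytes.fromhex(m.group(0))
        except ValueError:
            continue
        if _printable(raw):
            yield "hex", raw.decode("ascii")


def _match_rules(text: str):
    for rule_id, pattern, group in RULES:
        for m in pattern.finditer(text):
            yield rule_id, m.group(group)


def scan_lines(lines, baseline=frozenset()):
    """Scan staged lines; findings whose fingerprint is in `baseline` are dropped."""
    findings = []
    for n, line in enumerate(lines, 1):
        views = [("raw", line)] + list(_decoded_views(line))
        for via, text in views:
            for rule_id, secret in _match_rules(text):
                f = Finding(rule_id, secret, n, via)
                if f.fingerprint in baseline or f in findings:
                    continue
                findings.append(f)
    return findings


SAMPLE_LINES = [  # constructed staged content; nothing here is a live credential
    "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "api_key = 'demo_0123456789abcdefghijklmnop'",
    "CONFIG_BLOB=" + base64.b64encode(b"AWS_KEY=AKIAIOSFODNN7EXAMPLE").decode(),
    "# release tag v1.2.3, nothing sensitive here",
    "-----BEGIN RSA PRIVATE KEY-----",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f"line {f.line_no}: {f.rule} via {f.via} (fingerprint {f.fingerprint})")
```

Baselining by fingerprint rather than by line number is what lets a suppression survive a file being reformatted or the secret moving to another file; it also means that once the documented example key is accepted, both its raw and its base64-wrapped occurrence are suppressed together.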
A little utility for managing credentials in the cloud
chezmoi is a command-line utility designed to manage and synchronize system configuration files across multiple machines. It uses a local Git repository as the single source of truth, allowing users to track, version, and distribute dotfiles while maintaining a consistent state across diverse operating systems and hardware architectures. The project distinguishes itself through a declarative reconciliation model that computes the difference between the current filesystem and the desired state defined in the repository. It features a robust templating engine that processes configuration files
Talos is a minimal, immutable Linux distribution designed specifically for deploying and managing Kubernetes clusters. It functions as an API-driven infrastructure manager that replaces shell and SSH access with a declarative gRPC interface, driven by talosctl, to control operating system state and configuration. The system is distinguished by its read-only root filesystem, hardened kernel configuration, and the absence of a shell or standard GNU userland, which together reduce the attack surface. It ensures environment consistency by distributing the operating system as versioned, signed images and utilizes TPM-backed verified
Implementation of a bulletproof node.js API 🛡️
External Secrets Operator reads information from a third-party service like AWS Secrets Manager and automatically injects the values as Kubernetes Secrets.
Shaka Player is a JavaScript library for streaming adaptive bitrate video and audio using open web standards in browsers. It functions as a media player that handles Dynamic Adaptive Streaming over HTTP and HTTP Live Streaming manifests and segments. The project includes a playback engine that integrates with Encrypted Media Extensions to authorize and unlock protected media streams. It further provides capabilities for downloading adaptive media and metadata to local storage for offline playback and rendering 360 and 180-degree video using specialized projections for virtual reality. The li
Dotenv is a configuration management library designed to load environment variables from local files into the process environment. By separating application settings from source code, it enables developers to maintain consistent configurations across different deployment stages and team environments. The utility provides mechanisms to transform plain text configuration files into encrypted formats, allowing sensitive secrets to be stored securely within version control systems. It handles the parsing and normalization of key-value pairs, ensuring that configuration data is consistently proces
Signal-Android is an end-to-end encrypted messaging platform designed to ensure that only the sender and recipient can access communication content. The project provides a comprehensive framework for secure, asynchronous message initiation and key agreement, allowing users to establish private channels without requiring simultaneous online presence. It relies on a state machine architecture to manage communication epochs and authentication, ensuring consistent security transitions throughout the messaging lifecycle. The platform distinguishes itself through a hybrid cryptographic approach tha
Prefect is a workflow orchestration platform designed to define, schedule, and monitor complex data pipelines as Python code. It functions as a container-native engine that wraps individual tasks in isolated environments, ensuring consistent dependencies and resource allocation across diverse infrastructure. By utilizing a state-machine-based orchestration model, the system tracks execution progress through discrete transitions and persistent event logs to maintain reliable and observable task processing. The platform distinguishes itself through a decoupled worker-API architecture, which sep
This project is a structured educational guide and curriculum for mastering infrastructure as code. It functions as a cloud provisioning guide and DevOps training material, providing a set of lessons and practical exercises for deploying and managing cloud resources through declarative configuration. The curriculum covers the development of reusable modules, the orchestration of multiple environments using workspaces, and the management of remote state files with locking mechanisms. It also includes instruction on cloud secret management to secure sensitive data. The material spans core infr
xboot is a full-stack rapid development platform that combines a Spring Boot backend with a Vue.js frontend. It serves as a comprehensive scaffold for building decoupled client-server architectures, featuring an admin dashboard framework and an identity provider for enterprise applications. The project distinguishes itself through a low-code approach to CRUD development, using a code generator to produce backend Java entities and frontend Vue components. It also includes a business process automation tool with a visual model designer and a BPMN workflow engine to orchestrate multi-step approv
Sidekick is a command-line tool that provisions bare VPS servers, transfers Docker images, manages secrets, and orchestrates zero-downtime deployments across single or multiple server instances. It handles the full deployment pipeline from a local machine, building container images locally and transferring them directly to the server without requiring a remote container registry. The tool distinguishes itself through an integrated approach to security and automation. It encrypts environment variables locally using SOPS and Age keys, then decrypts them on the server at deploy time for runtime
Up is a deployment tool that transforms any HTTP server into an AWS Lambda function behind API Gateway with a single command, eliminating server management entirely. It provides a unified platform for building and deploying serverless APIs that scale automatically and charge only for actual usage, while supporting Node.js, Go, Python, Java, Crystal, and Clojure runtimes without per-language configuration. The tool automates the generation and management of all required AWS resources—including Lambda, API Gateway, CloudFront, and S3—from a declarative configuration, and can replicate the entir
Flipt is a Git-native feature management platform and enterprise feature toggle server. It uses Git repositories as the primary source of truth for feature flag configurations, implementing a GitOps workflow where application functionality is controlled through version control. The system distinguishes itself by utilizing pull requests and code reviews for configuration changes and providing a vendor-neutral evaluation protocol to ensure consistent behavior across different management tools. It supports air-gapped operations with offline license validation for secure, internet-isolated enviro