Open-source alternatives to HashiCorp Vault

Compare community-driven replacements for HashiCorp Vault in secrets management workflows. We curate active, self-hostable options with transparent licensing so you can evaluate the right fit quickly.


HashiCorp Vault

HashiCorp Vault is a secrets management tool that securely stores and tightly controls access to tokens, passwords, certificates, API keys, and encryption keys. It provides a central vault with a secure API for applications to fetch secrets on demand and supports dynamic secrets (like short-lived database credentials) and automatic key rotation. Vault enforces fine-grained access policies (integrating with identity systems) and logs all secret access. By abstracting secret distribution and encryption tasks into a central service, Vault helps prevent credential leakage and simplifies the management of sensitive data across environments.

Key stats

  • 6 Alternatives
  • 3 Support self-hosting: run on infrastructure you control
  • 5 Active development: recent commits in the last 6 months
  • 3 Permissive licenses: MIT, Apache, and similar licenses

Counts reflect projects currently indexed as alternatives to HashiCorp Vault.

Start with these picks

These projects match the most common migration paths for teams replacing HashiCorp Vault.

Phase
Best for self-hosting

Why teams pick it

Control your scheduling stack on your own infrastructure.

Infisical
Privacy-first alternative

Why teams pick it

Organizations requiring self-hosted deployment for compliance or data sovereignty

All open-source alternatives


Phase

Secure, versioned secret management from development to production

Self-host friendly, Active development, Privacy-first, TypeScript

Why teams choose it

  • Unified dashboard for secret lifecycle management
  • CLI for importing .env files and runtime injection
  • Automatic sync to CI/CD platforms and cloud providers

Watch for

Enterprise‑only features require a commercial license

Migration highlight

CI/CD pipeline secret injection

Secrets are automatically synced to GitHub Actions, Vercel, and other pipelines, removing manual handling and reducing risk.


Teller

Universal CLI secret manager for seamless developer workflows

Permissive license, Fast to deploy, Integration-friendly, Rust

Why teams choose it

  • Supports multiple secret backends (Vault, AWS, GCP, dotenv, etc.)
  • Runs processes with on‑the‑fly secret injection
  • Built‑in secret scanning and redaction for CI/CD

Watch for

Requires manual configuration of `.teller.yml`

Migration highlight

Run a local application with Vault secrets

The app starts with environment variables populated directly from HashiCorp Vault, avoiding any credential files on disk.


CyberArk Conjur

Role-based secrets management for modern cloud infrastructure

Active development, Fast to deploy, Integration-friendly, Ruby

Why teams choose it

  • Machine Authorization Markup Language (MAML) for declarative, role-based access policies
  • REST API for identity lifecycle management, secret storage, and authorization
  • AES-256-GCM encryption with audited Slosilo cryptography library

Watch for

Requires PostgreSQL database management and backup strategy

Migration highlight

CI/CD Pipeline Secret Injection

Securely deliver database credentials and API keys to build agents without hardcoding secrets in repositories or environment variables


Infisical

Open-source platform for secrets, PKI, and SSH management

Self-host friendly, Active development, Privacy-first, TypeScript

Why teams choose it

  • Native integrations with GitHub, AWS, Vercel, Terraform, Ansible, and 50+ platforms
  • Internal PKI with CA hierarchies, X.509 certificate issuance, and lifecycle management
  • Dynamic secrets and automatic rotation for PostgreSQL, MySQL, AWS IAM, and more

Watch for

Enterprise features in the `ee` directory require a commercial license

Migration highlight

Multi-cloud secret synchronization

Centrally manage secrets and automatically sync to AWS, Vercel, GitHub Actions, and other platforms, eliminating manual updates and reducing configuration drift across environments.


OpenBao

Securely store, encrypt, and manage dynamic secrets at scale

Active development, Permissive license, Fast to deploy, Go

Why teams choose it

  • Encrypted secret storage with support for multiple backends
  • Dynamic secret generation with automatic lease revocation
  • Standalone data encryption/decryption without persisting secrets

Watch for

Development requires Go toolchain and familiarity with Make

Migration highlight

Dynamic AWS credentials for CI pipelines

Short‑lived keys are issued on demand and automatically revoked, minimizing exposure from compromised pipelines.


SOPS

Encrypted file editor supporting multiple formats and key providers

Self-host friendly, Active development, Permissive license, Go

Why teams choose it

  • Encrypts values while preserving file structure for version control compatibility
  • Supports AWS KMS, GCP KMS, Azure Key Vault, age, and PGP simultaneously
  • Transparent editing workflow with automatic encryption/decryption

Watch for

Requires external key management infrastructure setup

Migration highlight

Kubernetes Secret Management

Encrypt Kubernetes manifests with sensitive data, commit to Git, and decrypt during deployment pipelines while maintaining full audit history.

Choosing a secrets management alternative

Teams replacing HashiCorp Vault in secrets management workflows typically weigh self-hosting needs, integration coverage, and licensing obligations.

  • 3 projects let you self-host and keep customer data on infrastructure you control.
  • 5 options are actively maintained with recent commits.

Tip: shortlist one hosted and one self-hosted option so stakeholders can compare trade-offs before migrating away from HashiCorp Vault.