Why Infisical over Vault, Doppler, and SOPS


Part of the series on secure local development. This post covers why I picked Infisical and why the choice matters less than you think.

The alternatives

The secrets management landscape in 2026 includes HashiCorp Vault, OpenBao, Doppler, AWS Secrets Manager, SOPS, Phase, and Bitwarden Secrets Manager. Each has trade-offs.

HashiCorp Vault is the most proven option (nearly a decade of production use at thousands of companies), but it’s massively overengineered for individual developers or small teams. Running a highly available Vault cluster requires managing Raft consensus, storage backends, unsealing procedures, and complex HCL policies. Many organizations dedicate entire engineering headcount just to keep Vault running. It’s also now under the Business Source License.

OpenBao is the open-source fork of Vault under the Linux Foundation, keeping the MPL 2.0 license. It reached version 2.5.0 in February 2026, but it’s a younger ecosystem with the same operational complexity as Vault.

Doppler offers excellent DX but is closed-source and cloud-only with no self-hosting option.

SOPS + age is great for encrypting secrets in git repos, but provides no project/environment hierarchy, no approval UI, no CLI injection, and no expiration tracking.

Infisical hits the right balance: project → environment → secrets hierarchy, CLI injection via infisical run, a modern web dashboard, self-hosting via Docker Compose or managed cloud, MIT license for the core, end-to-end encryption (AES-256-GCM, client-side before transmission), and active development backed by real funding and Fortune 500 adoption.

Managing Infisical itself as infrastructure

The Terraform/OpenTofu provider also supports managing Infisical itself as code. You can bootstrap an entire project structure:

resource "infisical_project" "my-project" {
  name = "my-project"
  slug = "my-project"
}

resource "infisical_project_environment" "staging" {
  name       = "staging"
  project_id = infisical_project.my-project.id
  slug       = "staging"
}

For CI/CD pipelines, Infisical supports OIDC authentication, so no static tokens are needed. The runner requests a short-lived token using its workload identity, uses it during the pipeline, and the token expires automatically.
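As an added example (not code from this post or from the Infisical project), here is the check a CI job can run on its workload-identity token before exchanging it for a short-lived Infisical token: it pins the issuer, audience and repository subject the machine identity trusts and refuses tokens that are not short-lived. The trust policy values, the injected `post` transport, and the API path and response field names are assumptions.

```python
import base64
import json
import time

# Constructed trust policy: what an OIDC-auth machine identity would pin (placeholders, not real values).
TRUST_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audience": "infisical",
    "subject_prefix": "repo:example-org/example-app:",
}

def make_unsigned_jwt(claims):
    """Build an unsigned JWT (alg=none) for offline testing only; never accept such tokens in production."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

def decode_claims(jwt):
    """Return the JWT payload; signature verification is the server's job, this only gates the exchange."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_workload_token(jwt, policy=TRUST_POLICY, now=None, max_ttl=600):
    """Return the list of policy violations; an empty list means the token may be exchanged."""
    now = time.time() if now is None else now
    c = decode_claims(jwt)
    problems = []
    if c.get("iss") != policy["issuer"]:
        problems.append(f"untrusted issuer {c.get('iss')!r}")
    aud = c.get("aud")
    if policy["audience"] not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"audience {aud!r} is not {policy['audience']!r}")
    if not str(c.get("sub", "")).startswith(policy["subject_prefix"]):
        problems.append(f"subject {c.get('sub')!r} is outside the allowed repository")
    exp = c.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("token is expired or carries no exp claim")
    elif exp - now > max_ttl:
        problems.append(f"lifetime {int(exp - now)}s exceeds {max_ttl}s; not short-lived")
    return problems

def exchange_for_infisical_token(jwt, identity_id, post, site="https://app.infisical.com"):
    """Exchange a checked OIDC token for a short-lived Infisical access token and its local expiry.
    `post(url, body)` is injected so the flow runs offline; the endpoint path and the
    accessToken/expiresIn field names are assumptions about the Infisical API."""
    problems = check_workload_token(jwt)
    if problems:
        raise PermissionError("; ".join(problems))
    resp = post(f"{site}/api/v1/auth/oidc-auth/login", {"identityId": identity_id, "jwt": jwt})
    return resp["accessToken"], time.time() + resp["expiresIn"]
```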

For teams needing SOC2 or HIPAA compliance: Infisical’s paid tiers include extended audit log retention (90 days on Pro, unlimited on Enterprise), SAML SSO, and SCIM provisioning.

The uncomfortable truth: compromised machines

Here’s the thing that applies equally to 1Password, Infisical, and every other secrets manager: if your machine is compromised, no local tool can fully protect you.

Why 1Password’s biometric prompt doesn’t save you

The biometric prompt gives a sense of security, but against actual malware running with your user’s permissions:

1Password’s own security team acknowledges this: there’s not a lot any application can do to completely eliminate the risk of a compromised device.

Why Infisical’s session model has the same core issue

Infisical’s token-based session is cached in your system keyring. A compromised machine can read the keyring, impersonate the CLI, and silently access every secret the token has permissions for. No biometric prompt stands in the way, but as shown above, the biometric prompt wouldn’t meaningfully help either.

What actually matters

The real defense isn’t per-request approval. It’s limiting the blast radius: