infisical

A comprehensive solution I've been seeking for a long time 🔐🦸‍♂️

I’ve been running a self-hosted Vaultwarden for almost 4 years for personal use and I’m quite happy with it: it supports granular access management, item scoping, has a web UI, is fully compatible with the official Bitwarden mobile apps (Android & iOS) and even the Terraform provider.

For personal use this is totally sufficient, but when it comes to syncing, lifecycle management, versioning and automation at scale, there are fewer truly all-in-one solutions.

Meet Infisical - an open-source secrets manager that secures and syncs app configs and credentials across teams with end-to-end encryption. It helps eliminate hardcoded secrets, enforce fine-grained access control, deliver secrets across infrastructure and adopt secure workflows like rotation and dynamic secrets.

[Image: infisical-diagram]

This platform can handle almost any task related to secrets:

🔰 Synchronization with external providers: AWS & GCP Secrets Manager, Azure & OCI Key Vault, 1Password, HashiCorp Vault, Cloudflare Workers, Azure DevOps, GitHub, GitLab, Bitbucket, TeamCity, Vercel, Heroku and many others
🔰 Rotation of credentials: AWS IAM user keys, LDAP passwords, PostgreSQL, MySQL, MSSQL, MongoDB, Oracle, Redis, etc.
🔰 Dynamic secrets: on-demand, short-lived tokens for most databases, Azure Entra ID, AWS & GCP IAM, Kubernetes, TOTP and more
🔰 Built-in PKI: create and manage Certificate Authorities (CAs) and issue X.509 certificates
🔰 Tooling & integrations: Ansible, Terraform, Packer, AWS Lambda, Azure Power Apps, External Secrets Operator — plus its own Kubernetes Operator
🔰 Approval workflows: policy-based access control for environments and secret groups
🔰 Point-in-time recovery: roll back secrets to any previous state
🔰 Runtime injection with graceful reloads
🔰 SDKs for Node.js, Python, Java, .NET, C++, Rust, Go, PHP and Ruby
🔰 CLI: fetch/push/lease secrets, scan code for leaks and even provide secure access to private resources via a modern TCP-based SSH tunneling architecture

The only notable downside for me: event-based secret update fetching (instead of polling) is available only under the Enterprise license or on Infisical Cloud.

[Image: infisical-cloud]

Last but not least, Infisical Agent Sentinel provides a centralized control plane for managing which tools/MCPs AI systems can access - a very timely addition.

[Image: infisical-mcp]

This is one of those tools that quietly replaces five others in your stack.

2026-01-17 10:45:00 +0400 - Radagast the Brown