Should you build or buy Secrets Management?

Secrets management software securely stores, rotates, and audits access to credentials, API keys, certificates, and other sensitive configuration values that applications and services need at runtime. It replaces hardcoded secrets in code and config files with a centralized, access-controlled vault that enforces rotation policies and generates complete audit trails.

The build-vs-buy decision for Secrets Management turns on how much of your requirements OSS and cloud-native options now cover, versus how much you actually need the dynamic secrets, PKI management, and cross-cloud policy enforcement that justify enterprise platform spending. The complexity of your secrets estate and the size of your team decide it.

Domain
Security & Compliance
Function
Engineering, IT & AI
Industries
Cross-industry

Last assessed June 2026 · re-scored quarterly via The Continuum.

Build it, buy it, or bridge?

Columns: Build it / Buy it / Bridge (buy, then extend)

Cost shape
  Build it: OpenBao is free; AWS Secrets Manager $0.40/secret/mo; ops overhead is real
  Buy it: Vault HCP Dedicated $450-$1,152/cluster/mo; pricing scales with complexity
  Bridge: Start with cloud-native or Infisical; add Vault enterprise features if needed

Time to value
  Build it: Cloud-native or Infisical OSS up in hours; Vault complex setup takes weeks
  Buy it: HCP Dedicated or Infisical Pro managed onboarding in days
  Bridge: Cloud-native for simple cases now; Vault for advanced cases when required

Differentiation captured
  Build it: Full control over audit model and integration architecture
  Buy it: Vendor manages PKI, rotation, and enterprise policy model
  Bridge: Own the secrets policy; buy the complex rotation and PKI infrastructure

AI feasibility today
  Build it: Multiple production OSS alternatives cover 60-70% of needs; cryptography correctness still favors established implementations
  Buy it: Vault enterprise namespace and policy model is genuinely complex to replicate
  Bridge: AI assists secret scanning and remediation tooling; doesn't change platform choice

Who it fits
  Build it: Teams with simple KV needs or Kubernetes-native workflows on a single cloud
  Buy it: Enterprises needing dynamic secrets, PKI, multi-cloud, namespace policies
  Bridge: Teams starting simple who expect compliance or multi-cloud requirements to grow
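The "secret scanning and remediation tooling" the table mentions is what finds the hardcoded secrets that a vault is meant to replace. As an added example that is not code from this page or from any of the vendors it names, the Python below scans constructed sample files (a settings module and a YAML config, all values made up; the AKIA value is the placeholder from AWS's own documentation) for literals assigned to credential-named keys, skips values that are already references to an environment variable or template (the state you want after remediation), and grades the rest by known credential format or by Shannon entropy. The key-name list, the reference markers and the entropy threshold are assumptions chosen for the example.

```python
import math
import re
from dataclasses import dataclass

# Constructed sample input: fragments of a Python settings module and a YAML
# config, as a pre-commit hook would see them. All values are made up.
SAMPLE_FILES = {
    "settings.py": (
        'DB_PASSWORD = "hunter2"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'API_TOKEN = os.environ["API_TOKEN"]\n'
    ),
    "app.yaml": (
        "database:\n"
        "  password: ${DB_PASSWORD}\n"
        "  api_key: 9f8e7d6c5b4a39281706f5e4d3c2b1a0\n"
    ),
}

# Key names that usually hold a credential, in code (KEY = ...) or config (key: ...) syntax.
SECRET_KEY_WORDS = r"(?:password|passwd|secret|api[_-]?key|token|access[_-]?key)"
ASSIGNMENT = re.compile(
    r"(?i)(?P<key>[\w.-]*" + SECRET_KEY_WORDS + r"[\w.-]*)\s*[:=]\s*[\"']?(?P<value>[^\"'\s]+)"
)
# Credential formats with a fixed, recognisable prefix (assumed list; AWS access key IDs only here).
KNOWN_FORMATS = [("AWS access key ID", re.compile(r"\bAKIA[0-9A-Z]{16}\b"))]
# Values that are references into an environment or template rather than literals.
REFERENCE_MARKERS = ("${", "{{", "os.environ", "getenv(")
ENTROPY_THRESHOLD = 3.0  # bits per character; hex and base64 key material sits well above this
MIN_RANDOM_LENGTH = 16


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    key: str
    reason: str


def shannon_entropy(value: str) -> float:
    """Bits per character: 4.0 for a 32-char hex string, about 2.8 for 'hunter2'."""
    total = len(value)
    return -sum(
        (n / total) * math.log2(n / total)
        for n in (value.count(c) for c in set(value))
    )


def is_reference(value: str) -> bool:
    return any(marker in value for marker in REFERENCE_MARKERS)


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        match = ASSIGNMENT.search(line)
        if not match:
            continue
        key, value = match.group("key"), match.group("value")
        if is_reference(value):
            continue  # already wired to a secret store or env var: the desired state
        reason = "literal assigned to secret-named key"
        for label, pattern in KNOWN_FORMATS:
            if pattern.search(value):
                reason = f"matches {label} format"
                break
        else:
            if len(value) >= MIN_RANDOM_LENGTH and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                reason = "high-entropy literal"
        findings.append(Finding(path, lineno, key, reason))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.key}: {f.reason}")
```

Run against the constructed sample it reports three findings (the weak password, the AWS key ID and the hex API key) and stays quiet on the two lines that already read from the environment. A low-entropy literal is still reported, because a weak password committed to a repository is as much a leaked secret as a strong one; entropy only changes how the finding is labelled.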

The B4 call

B4 has a verdict for Secrets Management.

Build, Buy, Bridge, or Beware, with the five-dimension scorecard and the reasoning behind it. Unlock the call, and every other category, with B4 Pro.

When building Secrets Management makes sense

The OSS path for secrets management is more credible than it's been at any point. HashiCorp's BSL relicensing triggered a real migration to OpenBao, the Linux Foundation fork, and teams that moved are running production secrets management without meaningful functional gaps. Infisical has matured quickly and its Pro tier at $8 per user per month covers most developer-facing secrets workflows. AWS Secrets Manager handles the straightforward key-value case for teams already on AWS without adding another platform to manage. The build case is strongest when your secrets management requirements stay in KV territory — store, retrieve, audit — and when your engineering team is already comfortable with one of these OSS or cloud-native options. Cryptographic correctness is one area where leaning on well-tested implementations beats rolling your own, but that's an argument for OpenBao or Infisical, not necessarily for a commercial vendor.

When buying Secrets Management makes sense

Buying still has a real argument at the enterprise end of the complexity spectrum. HashiCorp Vault's namespace and policy model, dynamic secrets generation (per-client database credentials created on demand under a lease and revoked when the lease expires), and cross-cloud PKI management are genuinely complex capabilities that take significant engineering investment to replicate. The teams running Vault well, where dynamic secrets are live in production, PKI is issued through Vault, and namespace isolation separates business units, are getting real value from features that the OSS alternatives do not yet fully replicate. The buying question has sharpened: it is no longer whether to buy secrets management at all, but whether your requirements actually need what the enterprise tier provides. Infisical Pro and Doppler serve the middle market well; Vault HCP Dedicated earns its cost when the advanced features are genuinely in use.
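To make the gap between the two tiers concrete, the following Python is an added illustration, not code from this page, from HashiCorp, or from OpenBao. It sketches both the "store, retrieve, audit" key-value case the build section describes and the dynamic-secrets case above: a per-client database login is generated on demand, bound to a lease with a TTL, and removed from the (simulated) database user table when the lease expires or is revoked, with every access decision written to an audit log. The path-prefix policy check, the in-memory user table standing in for CREATE USER / DROP USER, and the manual clock are deliberate simplifications; the names and paths are assumptions for the example.

```python
import hmac
import secrets
from dataclasses import dataclass


class ManualClock:
    """Deterministic clock so lease expiry can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds


@dataclass
class Lease:
    lease_id: str
    role: str
    client: str
    credential: dict[str, str]
    issued_at: float
    ttl: float
    revoked: bool = False

    def expired(self, now: float) -> bool:
        return self.revoked or now >= self.issued_at + self.ttl


class SecretsBroker:
    """Toy vault: static KV, leased dynamic DB credentials, path policies, audit log."""

    def __init__(self, clock) -> None:
        self.clock = clock
        self.kv: dict[str, str] = {}
        # client -> path prefix -> capabilities; a stand-in for a real policy language
        self.policies: dict[str, dict[str, set[str]]] = {}
        self.leases: dict[str, Lease] = {}
        # (time, actor, action, path, outcome); every access attempt lands here
        self.audit: list[tuple[float, str, str, str, str]] = []
        # stand-in for the database's own user table (CREATE USER / DROP USER in reality)
        self.db_users: dict[str, str] = {}

    def grant(self, client: str, path_prefix: str, capabilities: set[str]) -> None:
        self.policies.setdefault(client, {})[path_prefix] = set(capabilities)

    def _authorize(self, client: str, path: str, capability: str) -> None:
        allowed = any(
            path.startswith(prefix) and capability in caps
            for prefix, caps in self.policies.get(client, {}).items()
        )
        self.audit.append((self.clock(), client, capability, path, "allow" if allowed else "deny"))
        if not allowed:
            raise PermissionError(f"{client} lacks '{capability}' on {path}")

    def kv_put(self, client: str, path: str, value: str) -> None:
        self._authorize(client, path, "write")
        self.kv[path] = value

    def kv_get(self, client: str, path: str) -> str:
        self._authorize(client, path, "read")
        return self.kv[path]

    def issue_db_credential(self, client: str, role: str, ttl: float) -> Lease:
        """Dynamic secret: a fresh per-client DB login that dies with its lease."""
        path = f"database/creds/{role}"
        self._authorize(client, path, "read")
        username = f"v-{client}-{role}-{secrets.token_hex(4)}"
        password = secrets.token_urlsafe(24)
        self.db_users[username] = password
        lease = Lease(secrets.token_hex(8), role, client,
                      {"username": username, "password": password}, self.clock(), ttl)
        self.leases[lease.lease_id] = lease
        return lease

    def revoke(self, lease_id: str) -> None:
        lease = self.leases[lease_id]
        lease.revoked = True
        self.db_users.pop(lease.credential["username"], None)  # the DROP USER step
        self.audit.append((self.clock(), "broker", "revoke", f"database/creds/{lease.role}", lease_id))

    def revoke_expired(self) -> int:
        """The reaper a real platform runs continuously; returns how many leases it dropped."""
        now = self.clock()
        due = [lease.lease_id for lease in self.leases.values()
               if not lease.revoked and lease.expired(now)]
        for lease_id in due:
            self.revoke(lease_id)
        return len(due)

    def credential_valid(self, username: str, password: str) -> bool:
        """What the database would answer at login time."""
        stored = self.db_users.get(username)
        return stored is not None and hmac.compare_digest(stored, password)


if __name__ == "__main__":
    clock = ManualClock()
    broker = SecretsBroker(clock)
    broker.grant("payments-svc", "database/creds/payments", {"read"})
    lease = broker.issue_db_credential("payments-svc", "payments", ttl=60)
    print("valid at t=0:", broker.credential_valid(**lease.credential))
    clock.advance(61)
    print("revoked:", broker.revoke_expired(), "valid now:", broker.credential_valid(**lease.credential))
```

The point the toy makes is that a dynamic secret is not a stored value at all: nothing long-lived exists to leak, because the credential is created for one client, expires on its own, and a leaked copy stops working at the next reaper pass. The part that is hard to build yourself is everything the stand-ins hide: plugins that run the real CREATE USER / DROP USER against each database engine, a policy language richer than a prefix match, namespaces, and PKI issuance on the same model.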

Representative vendors

HashiCorp Vault (HCP Dedicated), Infisical, and 3 more, scored in B4 Pro

B4 Pro

Get B4's actual call on Secrets Management

  • B4's call for Secrets Management: Build, Buy, Bridge, or Beware
  • The five-dimension scorecard and the scoring rationale
  • All 5 vendors with pricing and positioning
  • Quarterly re-scores that feed the MCP live, so your agents always query the current call
  • MCP server plus API and SDK access, and CSV/JSON export

Frequently asked

What is Secrets Management?
Secrets management software securely stores, rotates, and audits access to credentials, API keys, certificates, and other sensitive configuration values that applications need at runtime. It replaces hardcoded secrets with a centralized vault that enforces rotation policies and maintains audit trails.
When does building Secrets Management make sense?
Building (or using OSS/cloud-native tools) is strong for teams with straightforward KV needs. OpenBao, Infisical, and AWS Secrets Manager cover 60-70% of production secrets management requirements, and the migration from HashiCorp Vault post-BSL showed these alternatives work in real production environments.
When does buying Secrets Management make sense?
Buying earns its keep when your requirements include dynamic secrets, PKI management, multi-cloud policy enforcement, or Vault's namespace isolation model. If you're running Vault enterprise features actively — not just storing key-value pairs — the platform earns its cost. Otherwise, Infisical Pro at $8/user/month likely covers what you need.
What are the main Secrets Management vendors?
Representative vendors include HashiCorp Vault (HCP Dedicated), Infisical, OpenBao (the open-source Vault fork), and Doppler. B4 Pro scores the full set.
What changed with HashiCorp's BSL relicensing?
HashiCorp's 2023 BSL relicensing of Vault made the license terms unacceptable for some users and triggered a migration wave to OpenBao, the Linux Foundation fork maintained under the original Mozilla Public License. Teams that moved report running production secrets management without meaningful gaps, making the OSS alternative more battle-tested than it was before.

The B4 Index scores every software category on two axes, strategic differentiation and AI feasibility, to classify it Build, Buy, Bridge, or Beware. See the full methodology.