
HashiCorp Vault vs Doppler vs Infisical in 2026

April 28, 2026
11 min read

The .env file works until it doesn’t. You hit five engineers and the Slack DMs of “hey can you send me the staging Stripe key” start. You hit fifteen and someone commits a production token to a public repo at 11pm. By the time you’re prepping for SOC 2 and an auditor asks “how do you rotate database credentials?”, you already know the answer is “we don’t.” That’s where secrets management enters the conversation, and right now in 2026 the three names you’ll hear most are HashiCorp Vault, Doppler, and Infisical.

I’ve shipped all three into production in different shops over the last few years. They are not interchangeable. They solve overlapping problems with very different design philosophies and very different bills at the end of the month. If you’re staring at a comparison page that lists “supports SSO” in a green checkbox for all three, you’re not getting the information you need to decide.

Why this decision actually matters

Secrets management isn’t just “where do we put the API keys.” The thing you’re really buying is some combination of: a single audit trail for every credential read, automatic rotation so a leaked key from six months ago has already been replaced, dynamic credentials that don’t exist until a workload requests them, and a permission model that scales past “everyone has the same Doppler login.”

The cost of getting this wrong shows up as compliance findings, on-call pages at 2am, and post-incident reviews that say “the credentials had been valid since 2023.” The cost of over-buying shows up as a platform team spending a quarter operating Vault when they should have been shipping product. Pick wrong in either direction and you’ll feel it.

HashiCorp Vault: the heavyweight after the IBM deal

Vault is the original. It’s been running in serious infrastructure since 2015, it has dynamic secrets engines for nearly every database and cloud you’d care about, it does PKI and certificate authority duties, transit encryption, identity-based auth via Kubernetes service accounts or OIDC, and it ships a real namespace model for multi-tenant deployments. When people say “industry standard” without thinking about it, this is what they mean.

Two things complicate the Vault story in 2026. First, the BSL re-license that landed in August 2023 — Vault is no longer Mozilla Public License open source. The Business Source License lets you self-host for “internal and personal use” and forbids you from running it as a competing service against HashiCorp’s paid offerings. If you’re a regular company using Vault internally, you’re fine. If you’re a consultancy building a managed Vault product, you have a problem. OpenBao, the LF-hosted MPL fork, exists because of this and it’s the escape hatch some teams use.

Second, IBM closed its $6.4 billion HashiCorp acquisition on February 27, 2025. Since then, HCP Vault Secrets — the lightweight SaaS-only offering — was sunsetted, the Starter tier of HCP Vault Dedicated was discontinued, and the official end-of-life for HCP Vault Secrets is July 1, 2026. The remaining managed option is HCP Vault Dedicated, which starts around $1,152/month for an Essentials small cluster plus roughly $72.92/month per authenticated identity. Vault Enterprise self-hosted pricing isn’t published; community reports describe quotes well into six figures for surprisingly small deployments.

If you self-host the community edition, the software is free but the operational cost is real. Vault wants a Raft cluster of 3 or 5 nodes, careful unseal-key management, audit log forwarding, an upgrade story, and someone who knows what to do when a node loses quorum at the wrong moment. I’ve seen teams of fewer than fifty engineers spend a half-time platform engineer on Vault alone. That’s not a knock on the software — it does a lot — it’s just the price of running it yourself.

When Vault makes sense: regulated workloads with real PKI needs, large organizations with dedicated platform teams, anywhere you actually need dynamic database credentials at high scale, and shops where the audit/compliance team has specifically asked for Vault by name.

Doppler: developer experience as the product

Doppler is what you get when somebody looks at Vault and says “this is too much.” It’s a SaaS-first platform built around the idea that the dev experience is the feature. The flagship interaction is doppler run -- npm start, which fetches your secrets, injects them as environment variables for one process, and never writes them to disk. The CLI handles environments (dev, staging, prod), config inheritance, and per-branch overrides without making you think about it.

The pricing as of April 2026 is straightforward: a free tier up to 3 users, the Team plan around $12/user/month annual or $14/user/month monthly (Vendr and reviewer sites cite up to $21/user/month for some configurations — pull the live number from doppler.com/pricing before you sign anything), and an Enterprise tier that’s quote-based and lands roughly $50 per developer per month for a 50-seat deal. The thing that I find most quietly important: Doppler doesn’t charge for service accounts and CI/CD identities. So your GitHub Actions runners, your Vercel deployments, and your service-to-service tokens don’t blow up the bill. That’s the opposite of HCP Vault, which meters per authenticated client.

What Doppler doesn’t do as well as Vault: dynamic secrets for arbitrary databases. They’ve shipped some dynamic-secret features, but if you want a fresh per-request Postgres credential that auto-revokes in 30 seconds, Vault is still the more complete answer. Doppler is also a hosted-only service for most of its functionality — there’s no real self-hosted option, and you’re trusting them with the encrypted blob of your production secrets. For 90% of teams that tradeoff is fine. For the 10% that have a “no third-party SaaS holds our prod credentials” policy, it’s a hard no.

When Doppler makes sense: Series A through Series C startups, small platform teams that don’t want to operate Vault, shops where the CI/CD service-account count is large, and anywhere the velocity hit from operational secrets-management overhead would actually matter.

Infisical: the open-source one that’s catching up fast

Infisical is the youngest of the three and the one I find most interesting in 2026. It’s MIT-licensed, the self-hosted community edition is free with unlimited users, and the deployment is genuinely simple — Postgres for storage, Redis for caching, Docker or a Helm chart and you’re up. The cloud version’s Pro tier starts around $9 per user per month, and there’s a free cloud tier that’s enough for small teams to evaluate without commitment.

What I like: end-to-end encryption on the client side, so the server never sees plaintext secrets even on the cloud-hosted version. The Kubernetes operator with the InfisicalSecret CRD is one of the cleanest I’ve used. The CLI does the same infisical run -- npm start ergonomics as Doppler. They’ve been shipping dynamic secrets engines for Postgres, MySQL, MongoDB, AWS, and a few others, and the rollout pace is faster than I expected when I first looked at them in 2024.
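The "run" ergonomics both CLIs share deserve a closer look, because the security property they buy is narrower than it first appears. Below is an added illustration, not Doppler's or Infisical's code: a POSIX sh function that takes a KEY=VALUE payload (a constructed stand-in for what the CLI fetches over the API), validates each name, exports the pairs inside a subshell and exec's the target process, so the values exist only in that process tree and never land on disk or in the caller's shell. The function names valid_env_name, run_with_secrets and secret_names, and every value in SAMPLE_SECRETS, are this example's own.

```shell
#!/bin/sh
# Added example, not Doppler's or Infisical's own code: the process-scoped
# injection pattern behind `doppler run -- cmd` and `infisical run -- cmd`.
# The secrets source is a constructed in-memory blob standing in for what
# the CLI would fetch over the API; nothing is written to disk.

# Constructed sample payload (KEY=VALUE per line); the third line is
# deliberately malformed to show that it is dropped rather than exported.
SAMPLE_SECRETS='STRIPE_KEY=sk_test_constructed_0000
DATABASE_URL=postgres://app:constructed@db.internal:5432/app
bad key=ignored
SMTP_PASSWORD=constructed-smtp-pass'

# valid_env_name NAME -> 0 if NAME is a legal environment variable name.
# Rejecting anything else means a malformed or hostile payload entry can
# never reach `export` as something that is not a plain assignment.
valid_env_name() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# run_with_secrets "<KEY=VALUE lines>" command [args...]
# Exports every valid pair inside a subshell, then exec's the command, so
# the variables are visible only to that process and its children. The
# caller's environment is untouched and no temp file or .env is created.
run_with_secrets() {
    _blob=$1
    shift
    [ $# -gt 0 ] || { echo 'usage: run_with_secrets BLOB cmd [args]' >&2; return 2; }
    (
        set -f                      # no globbing while splitting the blob
        IFS='
'                                   # split the blob on newlines only
        _n=0
        for _pair in $_blob; do
            _n=$((_n + 1))
            case $_pair in *=*) ;; *)
                printf 'skipping entry %d: no "=" found\n' "$_n" >&2; continue ;;
            esac
            _key=${_pair%%=*}
            _val=${_pair#*=}
            if ! valid_env_name "$_key"; then
                # Log the position, never the content: it may be a value.
                printf 'skipping entry %d: invalid variable name\n' "$_n" >&2
                continue
            fi
            export "$_key=$_val"
        done
        unset IFS
        set +f
        exec "$@"
    )
}

# secret_names "<KEY=VALUE lines>" -> the key names only, one per line.
# This is all an audit log or a debug print should ever carry.
secret_names() {
    printf '%s\n' "$1" | while IFS= read -r _pair; do
        _key=${_pair%%=*}
        if valid_env_name "$_key"; then
            printf '%s\n' "$_key"
        fi
    done
}

# Stand-alone demo: the child sees STRIPE_KEY, the parent shell never does.
run_with_secrets "$SAMPLE_SECRETS" sh -c 'printf "child sees: %s\n" "$STRIPE_KEY"'
printf 'parent sees: %s\n' "${STRIPE_KEY:-<unset>}"
```

Two caveats a reviewer should attach to this pattern. First, exec'ing the target means no intermediate shell keeps the values alive, but the environment is inherited by every child the target spawns, so `npm start` passes the keys to anything it forks. Second, a process's environment is readable by any other process running as the same user (on Linux through /proc/PID/environ, or `ps e`), so this protects against disk persistence, shell history and accidental commits, not against a compromised user account on the host. That gap is the reason the file-mount and short-lived dynamic-credential patterns discussed later still matter.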

What’s still rough: the dynamic-secret coverage isn’t as deep as Vault’s, the audit log retention on lower tiers is shorter than enterprise auditors typically want, and the API still has occasional throttling on the free tier when you spike. The product is moving fast enough that some of these are probably already fixed by the time you read this — verify the current state on their docs.

When Infisical makes sense: open-source-first organizations, teams that want self-hosted without Vault’s operational weight, regulated environments where data residency rules out US SaaS, and budget-conscious shops where Doppler’s per-user math doesn’t pencil out.

A pricing reality check with actual numbers

Pricing comparisons in this space are slippery because every vendor structures their bill differently. Let me run three concrete scenarios.

Scenario A: 12-person engineering team, ~40 CI/CD service accounts, no compliance requirements yet. Doppler Team is roughly 12 × $14 = $168/month, with the service accounts free. Infisical Cloud Pro is similar at roughly 12 × $9 = $108/month. HCP Vault Dedicated Essentials is $1,152/month base plus 52 × $72.92 = $3,792 for clients, totaling around $5,000/month. Vault self-hosted community is technically free but expect 0.25-0.5 FTE of platform-engineer time, which at fully-loaded cost is $4-8K/month equivalent. The decision basically writes itself here.

Scenario B: 80 engineers, regulated SaaS, SOC 2 + HIPAA, real dynamic-database-credential needs. This is where it gets interesting. Doppler at 80 × $14 = $1,120/month is cheap, but you may run into limits on dynamic secrets and audit-log retention. Infisical Cloud at $9/user is even cheaper, and self-hosted Infisical at this scale is genuinely viable — call it 0.1 FTE plus a small Postgres. HCP Vault Dedicated for 80 engineers plus, say, 200 service accounts, is north of $20K/month. Vault self-hosted enterprise is in the same neighborhood once you account for licensing and a dedicated platform engineer.

Scenario C: 500-person enterprise, multi-region, dedicated platform team, audit committee with specific asks. Vault Enterprise is the conventional answer, and the conventional answer is also the right one here. The ops burden has someone to carry it, the integration depth is real, and “we run Vault” is a sentence that closes audit findings.

The honest takeaway: Vault’s pricing only stops looking absurd at the top of the curve, and even there it’s not cheap.

CI/CD and Kubernetes patterns

For CI/CD, all three integrate with GitHub Actions, GitLab CI, Jenkins, and ArgoCD via either a CLI step or a marketplace action. Doppler and Infisical both have idiomatic single-step actions that pull a config and expose it to subsequent steps. Vault typically uses the OIDC trust between your CI provider and Vault itself, which is more powerful (no static auth tokens) but has more moving parts to set up correctly.

In Kubernetes, you have three patterns to choose between regardless of provider. The External Secrets Operator is the cross-vendor option — it speaks Vault, Doppler, Infisical, AWS Secrets Manager, and a dozen others, and it materializes secrets as native Secret objects in your cluster. The CSI Secret Driver mounts secrets as files into pods without ever touching etcd, which is the more secure pattern and the one I’d default to for production. Each vendor also has a native CRD: VaultStaticSecret and VaultDynamicSecret from the Vault Secrets Operator, DopplerSecret from Doppler’s operator, and InfisicalSecret from Infisical’s. Pick one pattern and stick to it across your fleet — mixing them is how you end up with three different broken-secrets failure modes.

Migrating off .env or AWS Secrets Manager without breaking prod

The migration playbook that has worked for me, regardless of which tool you pick:

Inventory first. Run a grep -rE '(API_KEY|SECRET|TOKEN|PASSWORD)' . across every repo and CI config you have, plus an audit of AWS Secrets Manager and Parameter Store. You will find more than you expect. Categorize by criticality and rotation cost.

Move read-only consumers first. Application secrets that get loaded at boot — your Stripe key, your SMTP credentials — are the easy migration. Wire up the new secrets manager, deploy alongside the old .env, verify, then delete the env file.

Tackle CI/CD next. This is where the per-service-account pricing starts to matter. If you’re moving to Doppler or Infisical, you’ll just create service tokens. If you’re moving to Vault, you’ll set up the OIDC trust between GitHub Actions and Vault and never look back.

Save the rotation work for last. Once your secrets are centralized, you can finally rotate the credentials that have been static since 2022, and you can do it on a cadence that doesn’t require a Slack thread.

Plan on the migration taking longer than you estimate. The grep doesn’t catch everything.
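As an added example of the inventory step (not the post's own tooling, and nothing Doppler, Infisical or HashiCorp ship), here is a POSIX sh scanner built around the same grep. It skips .git and dependency directories, prints file:line:KEY with the value redacted so the inventory itself is safe to paste into a ticket, and sorts each finding into a triage bucket by key name. The bucket names, the key-name heuristic and the function names (scan_secrets, classify_key, report_secrets, make_sample_repo) are this example's assumptions; the sample repo it builds under mktemp is constructed.

```shell
#!/bin/sh
# Added example, not from the post or any of the three vendors: a read-only
# inventory pass for the "inventory first" step. It extends the post's grep
# with directory exclusions, value redaction and a naming heuristic for
# triage. The buckets below are this example's assumption.

# scan_secrets DIR -> one "file:line:KEY=<redacted>" line per secret-looking
# assignment (.env files, shell exports, YAML keys). Case-sensitive like the
# post's grep, so lowercase keys are a known gap. Values are never printed:
# the inventory must not become another copy of the secrets.
scan_secrets() {
    grep -rnE \
        --exclude-dir=.git --exclude-dir=node_modules --exclude-dir=vendor \
        '^[[:space:]]*(export[[:space:]]+)?[A-Z0-9_]*(API_KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*[[:space:]]*[=:]' \
        "$1" 2>/dev/null \
    | sed -nE 's/^([^:]+:[0-9]+:)[[:space:]]*(export[[:space:]]+)?([A-Z0-9_]+)[[:space:]]*[=:].*/\1\3=<redacted>/p'
    # sed -n ... p: any line the redaction pattern cannot rewrite (for
    # instance a path containing ':') is dropped rather than echoed with
    # its value intact.
}

# classify_key KEY -> triage bucket. Heuristic on the name only (assumption
# of this example): production-looking keys are rotated first, obvious
# test/dev keys are low priority, everything else needs a human look.
classify_key() {
    case $1 in
        *LIVE*|*PROD*)            echo "rotate-first" ;;
        *TEST*|*DEV*|*STAGING*)   echo "low" ;;
        *)                        echo "review" ;;
    esac
}

# report_secrets DIR -> "bucket file:line:KEY=<redacted>" per finding.
report_secrets() {
    scan_secrets "$1" | while IFS= read -r _hit; do
        _key=${_hit##*:}        # "KEY=<redacted>"
        _key=${_key%%=*}        # "KEY"
        printf '%s %s\n' "$(classify_key "$_key")" "$_hit"
    done
}

# make_sample_repo -> path of a constructed throwaway repo with a .env, a CI
# workflow, and decoys under .git and node_modules that must be ignored.
make_sample_repo() {
    _d=$(mktemp -d)
    mkdir -p "$_d/.git" "$_d/node_modules/pkg" "$_d/.github/workflows"
    printf 'STRIPE_SECRET_KEY=sk_live_constructed\nAPP_NAME=demo\nPROD_DATABASE_PASSWORD=constructed\nTEST_API_KEY=constructed\n' \
        > "$_d/.env"
    printf 'env:\n  GITHUB_TOKEN: constructed\n' > "$_d/.github/workflows/ci.yml"
    printf 'API_KEY=constructed_ignored\n' > "$_d/.git/config"
    printf 'NPM_TOKEN=constructed_ignored\n' > "$_d/node_modules/pkg/.npmrc"
    printf '%s\n' "$_d"
}

# Stand-alone demo against the constructed repo.
demo=$(make_sample_repo)
report_secrets "$demo"
rm -rf "$demo"
```

Run it against a real checkout as `report_secrets /path/to/repo | sort` and expect the same thing the post warns about: the list is longer than you think, and the "review" bucket is where the rotation-cost conversation actually happens. Because values are redacted, the output can live in the migration ticket without becoming a second leak; the grep the post quotes prints the values, so its raw output should not.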

So which one should you pick

If you have fewer than 30 engineers and no specific compliance trigger, start with Doppler or Infisical Cloud and don’t overthink it. The bill will be small and the dev experience will be good and you can always migrate later. Between those two, I lean toward Infisical if you care about open source or want self-host as an escape hatch, and Doppler if your CI/CD service-account count is high and you want zero operational burden.

If you have a real platform team, regulated workloads with PKI or dynamic-database-credential needs, and an audit committee that asked for Vault by name, run Vault. It’s a heavyweight tool and the operational cost is real, but it earns its keep at that scale.

If you’re somewhere in the middle — 50 to 200 engineers, growing into compliance, not yet ready to staff a platform team for Vault — Infisical self-hosted is the option I’d most encourage you to actually try this quarter. The price-to-capability curve has shifted in its favor faster than most people have noticed.

One thing worth doing before any decision: pull the current pricing pages from each vendor and run your own headcount through them. The numbers in this post are accurate as of April 2026, but every one of these vendors has updated their tiers in the last twelve months, and they will again.
