[danenania]

Speaking for EnvKey (mentioned above—I’m the founder), we use client-side end-to-end encryption to address this concern. Secrets cannot be accessed on an EnvKey server.

I’m biased, but I share your skepticism of secrets management services that don’t use end-to-end encryption. It’s not a wise choice for either the service provider or its users.

[zaphirplane]

Can you shed some light here

If I need access to a decryption key to read my secrets or to provide my secret to a process I still have to manage my decryption key which means I might as well use that process to manage my secret

[danenania]

A short list of additional benefits:

- Secrets are automatically kept in sync across multiple processes and servers.

- Easily and securely give other developers access (to what they need, and no more).

- You can automatically reload a process when secrets update.

- All updates and accesses are logged.

- End-to-end encrypted version control.

- You can limit access to specific IPs or IP ranges.

- You can edit multiple environments side by side (development, staging, production, etc.)

- You can use de-duplicate across environments and apps using inheritance or stackable ‘blocks’ of config.