SOPS

SOPS is the secrets tool for teams who think HashiCorp Vault is overkill — and they're usually right. It encrypts YAML, JSON, and ENV files so you can commit secrets directly to Git. No server, no cluster, no unsealing ceremony. Just encrypted files that go through the same PR review as your code.

If you're doing GitOps with Flux or ArgoCD, SOPS is the standard. It plugs into AWS KMS, GCP KMS, Azure Key Vault, or age for encryption — pick your backend and go. Vault is the enterprise alternative with dynamic secrets and rotation, but it's a full infrastructure commitment. Infisical is the modern managed option. Sealed Secrets handles Kubernetes specifically.

The catch: SOPS is file encryption, not secrets management. No dynamic secrets, no rotation, no access controls, no audit logs. Your app can't fetch secrets at runtime like it can from Vault. And once your team grows past a handful of services, the "encrypted files in Git" model starts showing cracks.