
dotenvy vs Doppler vs Infisical: Choosing a Secrets Manager


There are now enough secrets management tools that choosing one is its own task. This post compares three that represent distinct philosophies: Doppler (centralized SaaS vault), Infisical (self-hostable vault), and dotenvy (local-first direct-sync CLI). Each makes different tradeoffs around trust, complexity, and workflow.

Three philosophies

Doppler: The centralized vault

Doppler is a SaaS platform where your secrets live on Doppler's infrastructure. Your applications pull secrets from Doppler at runtime (or inject them into the environment). Doppler handles versioning, access control, rotation, and audit logs.

The model: Secrets are stored centrally on Doppler's servers. Applications authenticate with Doppler to retrieve them. Your team manages secrets through Doppler's web dashboard.

Infisical: The self-hosted vault

Infisical follows a similar vault model but lets you self-host the entire platform. You run the Infisical server on your own infrastructure, and your applications pull secrets from your own deployment. It also offers a cloud-hosted option.

The model: Same centralized vault pattern, but you control where the vault runs. Tradeoff: you own the uptime, backups, and security of the vault server.

dotenvy: The direct-sync CLI

dotenvy doesn't store secrets at all. Your secret values live in local .env files on your machine, and dotenvy pushes them directly to each platform's API (Vercel, Convex, Railway) when you run sync. There's no intermediary server, no vault, no runtime dependency.

The model: Local files are the source of truth. Syncing is a push operation, not a pull. dotenvy is a CLI tool, not a service.

Comparison

| | Doppler | Infisical | dotenvy |
|---|---|---|---|
| Architecture | SaaS vault | Self-hostable vault | Local CLI, no server |
| Where secrets live | Doppler's servers | Your servers | Local .env files |
| Runtime dependency | Yes (SDK/API pull) | Yes (SDK/API pull) | No |
| Self-hostable | No | Yes | N/A (no server) |
| Access control | Role-based, granular | Role-based, granular | File system permissions |
| Audit log | Built-in | Built-in | Git history + local files |
| Secret rotation | Automatic | Automatic | Manual (sync after rotate) |
| Multi-platform sync | Via integrations | Via integrations | Direct API push |
| Pricing | Free tier, paid per seat | Free community, paid enterprise | Free and open-source |
| Setup complexity | Low (SaaS) | High (self-host) | Low (CLI install) |

Trust model differences

This is where the three tools diverge most sharply.

Doppler requires you to trust Doppler with your production secrets. They encrypt at rest, run SOC 2 infrastructure, and have a strong security track record. But your secrets do live on their servers, and a Doppler breach would expose them. For many teams, this tradeoff is acceptable -- Doppler's security team is likely better-resourced than yours.

Infisical lets you eliminate the third-party trust question by self-hosting, but now you're responsible for the security of the vault server itself. You need to manage TLS, database encryption, access control, backups, and uptime. If your self-hosted Infisical instance goes down, your deploys can't pull secrets.

dotenvy removes the trust question entirely by not storing secrets anywhere beyond your local machine and the platforms you already use. There's no vault to breach because there's no vault. The tradeoff: you don't get centralized access control, audit logs, or automatic rotation. You get simplicity and a smaller attack surface.

When each tool fits

Choose Doppler when

  • Your team needs granular access control (different developers see different secrets)
  • You need automatic secret rotation and audit compliance (SOC 2, HIPAA)
  • You want secrets injected at runtime across many environments
  • You're comfortable with a SaaS dependency for infrastructure-critical data
  • Your team is large enough that per-seat pricing makes sense

Choose Infisical when

  • You need the vault model but can't send secrets to a third party (regulatory, security policy)
  • You have the infrastructure team to operate a self-hosted service
  • You want the flexibility to move between self-hosted and cloud-hosted
  • You need the same granular features as Doppler but with full control over the server

Choose dotenvy when

  • You deploy across multiple platforms (Vercel, Convex, Railway) and need them in sync
  • You want the simplest possible setup -- install a CLI, create a config, sync
  • You don't want your secrets stored on any server you don't already use
  • Your team is small enough that file-based coordination works
  • You prefer push-based sync over runtime pull
  • You want a free tool with no account signup

A practical example

Here's the same workflow in each tool -- adding a new STRIPE_SECRET_KEY to a project deployed on Vercel and Convex.

With Doppler

  1. Log into the Doppler dashboard
  2. Navigate to your project and select the environment
  3. Add STRIPE_SECRET_KEY and paste the value
  4. Repeat for each environment (development, staging, production)
  5. Configure Vercel and Convex integrations to pull from Doppler
  6. Trigger a redeploy so the new value is picked up

With Infisical

  1. Log into your Infisical dashboard (self-hosted or cloud)
  2. Navigate to the project and environment
  3. Add the secret and paste the value
  4. Configure integrations or SDK injection for Vercel and Convex
  5. Trigger a redeploy

With dotenvy

dotenvy set STRIPE_SECRET_KEY=sk_test_xxx

That's it. The value is written to .env.test and pushed to Vercel (development + preview) and Convex, based on your dotenvy.yaml mapping. For production:

dotenvy set STRIPE_SECRET_KEY=sk_live_xxx --env live
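Because dotenvy's access control is the file system and its audit trail is git history, the security of this workflow rests on the local files themselves. The following pre-sync hygiene check is an added example, not part of dotenvy or the post; it assumes the .env.test / .env.live naming used above and the sk_test_ / sk_live_ key prefixes shown there.

```shell
#!/bin/sh
# Hypothetical pre-sync check for dotenvy-style local env files (added example).
# Flags the three failure modes the direct-sync model is exposed to:
# the file is tracked by git, it is readable by other users, or a live
# key has been placed in a non-live environment file.

# Return 0 if the file is tracked by git (i.e. it would end up in history).
env_is_tracked() {
  git ls-files --error-unmatch "$1" >/dev/null 2>&1
}

# Return 0 if the file mode is owner-only (600 or 400); GNU and BSD stat.
env_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
  case "$mode" in
    600|400) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if no Stripe live-mode key (sk_live_ prefix) appears in the file.
env_no_live_key() {
  ! grep -q 'sk_live_' "$1"
}

# check_env_file FILE yes|no
# Second argument says whether live keys are expected in this file.
# Returns 0 when the file is safe to sync, 1 otherwise (reasons on stderr).
check_env_file() {
  f="$1"
  expect_live="$2"
  rc=0
  if env_is_tracked "$f"; then
    echo "$f: tracked by git; add it to .gitignore" >&2; rc=1
  fi
  if ! env_mode_ok "$f"; then
    echo "$f: permissions too open; chmod 600" >&2; rc=1
  fi
  if [ "$expect_live" = "no" ] && ! env_no_live_key "$f"; then
    echo "$f: contains a live key in a non-live environment" >&2; rc=1
  fi
  return $rc
}
```

Run it as `check_env_file .env.test no && dotenvy set ...` so a sync only proceeds when the local file passes.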

The bottom line

Doppler and Infisical are excellent tools for teams that need centralized secrets management with access control, rotation, and audit trails. They solve a real organizational problem at scale.

dotenvy is for a different use case: developers who deploy to multiple platforms and want a fast, zero-infrastructure way to keep secrets in sync. It's a CLI tool, not a platform. It doesn't replace a vault -- it replaces the copy-paste workflow between dashboards.

Pick the tool that matches your actual trust requirements and team size. If you're a solo developer or small team shipping on Vercel and Convex, you probably don't need a vault. You need a sync command.

curl -fsSL https://dotenvy.dev/install.sh | sh