SecretEnv supports 15 secret backends. Every backend page follows the same structure: header (type, CLI, URI, tested version) → Configuration → URI Format → Authentication → doctor Output → Examples → See Also.
Try any of these: copy the configuration block into
~/.config/secretenv/config.toml, then runsecretenv doctorto verify auth + reachability. No commitment.
| Backend | Type | Platform | Tested CLI version | Status | Docs |
|---|---|---|---|---|---|
| Local file | local |
all | (uses std::fs) |
Available | local.md |
| AWS SSM Parameter Store | aws-ssm |
all | aws-cli/2.34.35 | Available | aws-ssm.md |
| AWS Secrets Manager | aws-secrets |
all | aws-cli/2.34.35 | Available | aws-secrets.md |
| 1Password | 1password |
all | op 2.34.0 | Available | 1password.md |
| HashiCorp Vault | vault |
all | vault v2.0.0 | Available | vault.md |
| GCP Secret Manager | gcp |
all | Google Cloud SDK 560.0.0 | Available | gcp.md |
| Azure Key Vault | azure |
all | azure-cli 2.85.0 | Available | azure.md |
| macOS Keychain | keychain |
macOS only | macOS Darwin 25.4 | Available | keychain.md |
| Doppler | doppler |
all | doppler v3.76.0 | Available | doppler.md |
| Infisical | infisical |
all | infisical 0.43.79 | Available | infisical.md |
| Keeper | keeper |
all | Commander 17.2.13 | Available | keeper.md |
| Cloudflare Workers KV | cf-kv |
all | wrangler 4.85.0 | Available | cf-kv.md |
| OpenBao | openbao |
all | bao v2.5.3 | Available | openbao.md |
| CyberArk Conjur | conjur |
all | conjur v8.1.3 (Go) | Available | conjur.md |
| Bitwarden Secrets Manager | bitwarden-sm |
all | bws 2.0.0 | Available | bitwarden-sm.md |
| Delinea Secret Server | delinea |
all | tss |
Coming Soon | n/a |
All "tested CLI version" entries reflect the v0.19.0 release smoke. Minimum-supported versions are noted on each backend page.
- Already on AWS? aws-ssm is the lowest-overhead option. aws-secrets adds rotation orchestration.
- Cross-cloud or self-hosted secrets platform? vault (HashiCorp) or openbao (LF MPL fork).
- Identity-platform with policy engine? vault (Enterprise) or conjur (CyberArk).
- Team password manager you already use? 1password, bitwarden-sm, keeper.
- Developer-first secrets SaaS? doppler, infisical.
- Edge / serverless workloads? cf-kv.
- Local dev only? keychain (macOS) or local.
For deeper trade-off analysis: Tool Comparisons.
Every backend page follows the same shape:
- Header: type, CLI, URI scheme, platform, tested version
- Configuration:
[backends.<instance>]+ field table - URI Format: canonical example with labeled parts
- Authentication: credential mechanisms in precedence order
- doctor Output: success and failure states
- Limitations: what the backend can't do (set, history, fragments)
- Examples: real config snippets
- See Also: cross-links and related concepts
Backends are independent Rust crates implementing two traits. See reference/adding-a-backend.md for the trait interface and step-by-step walkthrough.
- Overview, overview + workflows
- Tool comparisons, SecretEnv vs
.env/ fnox / direnv / op-run / etc. - Threat model, 14-category honest security comparison
- CI/CD patterns, using SecretEnv in CI pipelines