I saw your post a few months ago and already thought it was awesome. Congrats on quitting your job to devote yourself to this project. I would assume that you have considered joining YC?

I'm the founder of the OSS project windmill [1] that, among others, separates the code logic from the management of secrets. We are in the same boat of being a small team doing too many features and hence have covered secret management very lightly. I would love to see if we could write some integrations between our projects so that scripts and workflows could leverage advanced secret management.


Slight typo: x2519-xsalsa20-poly1305 should be x25519-xsalsa20-poly1305 (PR submitted).

You mention password-based encryption of user private keys, do you have more information on how it's done? I can think of a famous "secret manager" that got this very wrong recently.

Also, when you have the time, consider adding a security.txt [1] to your main website so security researchers know how to report vulnerabilities.


With such a huge load of new features in such a short lapse of time, I wonder about the quality of the code.

I quickly glanced at the GitHub repository and basically couldn't find any test for example.

It'd be fine for any other startup, but this is something hosting seriously sensitive data and I feel like the focus is not right.

Any considerations about security you can share?

Cool idea, and would love to take it for a spin!

Feedback: the MongoDB dependency is annoying, from an enterprise (self-hosting) perspective. Due to their licencing, you can't have a managed service provider host it for you (unless that provider is Mongo itself). I have not looked into what data you store, but I can't imagine it's that schema-less at this point, so perhaps it could be possible to store in an SQL database instead? Or in PostgreSQL via its JSON support?

Congrats on the launch.

For anyone looking for an open source community project without business aspirations in a much simpler and easier to audit format, have a look at SecureStore. It's encrypted and versioned secrets stored alongside your code in your git repo. Cross-language, cross-platform, with native libraries for different languages/frameworks. Usable by teams big and small, up until the point you want a standalone, full-fledged secrets management server and are fine with adding that heavy network dependency to all your services.

From my experience (running Kubernetes at home), the biggest problem is that secrets managers are used to bootstrap clusters. Having to run three deployments (backend, frontend, mongodb) is a lot for a component that is supposed to bootstrap the cluster. Especially the MongoDB component is annoying, as it needs a username and password. That is why Vault from HashiCorp is so good, it supports many backends and provides distributed integrated storage (Raft), which is perfect for bootstrapping.

How does this compare with secret managers like HashiCorp Vault, Azure Key Vault, AWS Secrets Manager, etc.? Are some of those needed to use this? Or can those be replaced with Infisical?

Hello SSO tax on "let's talk" level

In this context, what do the noun (secrets manager) and adjective (secret versioning) mean? Asking for purposes of learning. If this is laid out on a particular "for dummies" page, linkage would be appreciated ('secrets' being such a common word otherwise).

I asked ChatGPT, but this appeared to be one of its "there-is-no-horsehead-in-Godfather" moments.

No SSO for the self hosted version?

Is this similar to