Would you trust a Bootstrapped SaaS to manage your product secrets? (credentials)

I am currently using Mozilla sops, plus a GPG key stored on several Yubikeys, to encrypt/decrypt secrets. sops is a standalone binary I use locally.

I would be wary of using any remote service for something as critical as production DB credentials, API keys etc. Even if you can prove you're handling everything E2E encrypted, I would not want my service be dependent on your service's uptime. SLAs don't help either, – I don't care for money-back if stuff breaks. I want stuff to not break.

sops – https://github.com/mozilla/sops

I think it is all about trust. Show your visitors how you are keeping their secrets a secret, even for you. Who is on the team, do you have your processes and infrastructure audited, etc. Write blog posts showing your expertise.

In the end, that is also how 1Password and other password managers have started. 1Password now probably has trust because it is well known, but in the end they are "just" a SAAS as well.

PS. I am a long-time 1Password for teams customer and am thinking about their secrets product to centralize secret management.

Personally, no. For things like that, you’d have a hard time beating native solutions from cloud providers (AWS offers tight permissions per resource) and other companies that have widespread use. Until you hit critical mass, I just wouldn’t consider it an option. Even if you are well-intentioned, encryption is hard to get right.

For me, seeing a very polished site and other companies I have heard of using your product would be the most convincing.

Vault by Hashicorp is already open source. So I can imagine a bootstrapped version or some similar.

Not really, no. But maybe I can imagine a project like this for teams.

Strong encryption and 3rd-party audits would be a must, most likely.

If you have some proof to show us on how you're protecting those secrets then I have no reason to say no.