
Would you trust a Bootstrapped SaaS to manage your product secrets? (credentials)

Hi, I am thinking of developing a SaaS product for secrets automation. But before I commit to this product I would like to understand if I have potential users who can trust an IndieHacker to manage their secrets.

What are your thoughts? And how can I convince you to trust my product?

  1. 3

    I am currently using Mozilla sops, plus a GPG key stored on several Yubikeys, to encrypt/decrypt secrets. sops is a standalone binary I use locally.

    I would be wary of using any remote service for something as critical as production DB credentials, API keys etc. Even if you can prove you're handling everything E2E encrypted, I would not want my service to be dependent on your service's uptime. SLAs don't help either; I don't care for money-back if stuff breaks. I want stuff to not break.

    sops – https://github.com/mozilla/sops

    1. 1

      I currently use sops at my company. It is very secure, but it's not been the best tool for teams to manage credentials. That's what I am thinking of targeting.

  2. 3

    I think it is all about trust. Show your visitors how you are keeping their secrets a secret, even for you. Who is on the team, do you have your processes and infrastructure audited, etc. Write blog posts showing your expertise.

    In the end, that is also how 1Password and other password managers have started. 1Password now probably has trust because it is well known, but in the end they are "just" a SaaS as well.

    PS. I am a long-time 1Password for teams customer and am thinking about their secrets product to centralize secret management.

    1. 2

      It's true, companies that are already trusted, like HashiCorp, 1Password, etc., all started somewhere, I guess. Thanks for your reply.

  3. 2

    Personally, no. For things like that, you’d have a hard time beating native solutions from cloud providers (AWS offers tight permissions per resource) and other companies that have widespread use. Until you hit critical mass, I just wouldn’t consider it an option. Even if you are well-intentioned, encryption is hard to get right.

    For me, seeing a very polished site and other companies I have heard of using your product would be the most convincing.

  4. 2

    Vault by HashiCorp is already open source. So I can imagine a bootstrapped version or something similar.

  5. 2

    I don’t think you need to broadcast on your homepage - or even anywhere on your site - that you are an indie hacker / bootstrapper.

    Just make a good product, have a well-designed, professional-looking site and go for it.

  6. 2

    Not really, no. But maybe I can imagine a project like this for teams.

    Strong encryption and 3rd-party audits would be a must, most likely.

  7. 2

    If you have some proof to show us on how you're protecting those secrets then I have no reason to say no.

  8. 2

    Personally, no, if I don't know the team behind the project, but if you offer a good solution on-premise, I would consider it.
