Skip to main content
Seven secrets tools, one job each. The boundary between AI-readable and human-only is structural, not policy.
This site is the single public source of truth for the secrets-management story. Each repo’s README.md keeps only the literal commands its workflow needs; the narrative lives here.

The four-tier model

Every secret lives in exactly one of four tiers, and the tier — not the tool — decides who can read it and how. This is the organizing frame for everything below; the tools comparison has the full matrix and the bootstrap, read-path, and DR flows.
TierRoleToolWho reads it
T1 — Repo-localEncrypted-at-rest config that travels with the codeSOPS + ageAI and machines, via a path-gated local age key
T2 — Runtime managerSelf-hosted source of truth for live machine credentials; the primary AI/machine interface and the global flow-lease authorityOpenBaoAI and machines, via AppRole / signed SSH cert — no human in the loop
T3 — Strict cloudCloud keys-to-the-kingdom; holds secret-zero that bootstraps T2DopplerMachines for a narrow set; AI only under explicit, per-use human approval
T4 — Never-AI humanBreak-glass and crown jewelsBitwardenHumans only, at a keyboard, with a second factor
The default automation path is T2: an always-on agent authenticates as itself and gets scoped, expiring credentials with zero interactive prompts. aws-vault and automated macOS Keychain reads are interactive-convenience paths whose machine side folds into T2.

The boundary that matters

AI-readable (CI + dev)Human-only
OpenBao (T2, primary), Doppler (T3, human-approved), automation keychain, AWS Vault session, SOPS in-repo, BWS via bridgeBitwarden vault (T4), elevate-access keychain

Which tool for which secret

ToolUse it forDeep dive
DopplerAI provider keys (AI_TOKEN, Copilot, HuggingFace, provider-specific fallbacks); GitHub Actions secrets distributed via secrets-sync; dryvist org-level Doppler integrationdoppler
macOS KeychainTiered GitHub PATs (RESTRICTED, PRIVATE, ADMIN); BWS access token; Claude Code OAuth credentialmacos-keychain
AWS VaultAWS credentials per OpenTofu root (one profile per root)aws-vault
Mozilla SOPSEncrypted OpenTofu / Ansible vars committed to git; initial-bootstrap passwords; internal topologysops
Bitwarden vaultSSH keys, recovery codes, age-key escrow, account passwords — AI tools never reach thisbitwarden
BWSProgrammatic AI tokens that cannot use the shared AI_TOKEN convention, fetched via the Python bridgebws
OpenBaoThe T2 runtime manager (live, 2-node): the primary AI/machine credential interface, SSH CA for automation, and the global flow-lease authorityopenbao

What this section covers

Tools comparison

The four-tier model in full — the tool matrix and the bootstrap, read-path, and DR flows.

Golden laws

The fifteen non-negotiables. Every other page is just an implementation of one of these.

How it fits together

Multi-diagram tour of every secret flow — CI, local dev, AI sessions.

secrets-sync architecture

How Tier 1 secrets reach 20+ GitHub repos through one workflow.

Local AI isolation

Why AI tools structurally cannot view protected token values.

Scrubbed values

Canonical placeholders for IPs, domains, usernames, and tokens in every committed file.
For dryvist-internal specifics (workspace names, account IDs, internal topology), see docs.dryvist.com.