Phase vs AWS Secrets Manager

AWS Secrets Manager provides powerful application secrets management tools, but is difficult to work with, lacks integrations to third party services you may be using and locks you into a single cloud provider. Phase is an open-source, end-to-end encrypted and self-hostable platform that integrates with third-party services like CI tools and hosting providers, and works with your entire team through all stages of software development.

Phase Console


Phase is for you if:
  • 🧭 Usability: You desire a security solution that's laser focused on developer experience with straightforward documentation.
  • 🔌 Integrations: You want a single source of truth of all your secrets that integrates with other services you may be using like GitHub, Vercel, Cloudflare etc. including AWS Secrets Manager.
  • 🚀 Velocity: Time to production really matters to you. You don't want to get bogged down by unneeded complexity of AWS services.
  • 👨‍💻 Shift left: You want security tools in the hands of developers that cover the entire application development lifecycle. 💻-> 🔨-> 📦-> ⚙️ -> ☁️.
  • 🙌 Open source: You prefer an open source, self-hostable platform that you are not locked in to.
Phase Console logs screen

AWS Secrets Manager
AWS Secrets manager is for you if:
  • 🏗️ Ecosystem: You prefer to work with a single cloud provider.
  • 👷 AWS Ops You have significant AWS expertise and want to manage secrets on behalf of developers after an application is deployed.
  • 🔌 Integrations: You care about native integration to other AWS products and services eg. Cloudformation, RDS, Lambda etc.

Feature comparison

Open source
No, AWS Secrets Manager and other related services are closed source and proprietary.
Hosting options
Cloud - Get started
Self hosted - Docs
Cloud - Only on AWS
Self hosted / Multi cloud - Not available
Zero-knowledge Architecture
Yes. Secrets (keys, values) and secret related data such as comments and secret versions are end-to-end encrypted with keys that are generated client side on your machines. Private keys are split into two shards to avoid a single point of compromise.
No. AWS Secrets Manager sends transmits secrets in plain text over TLS and encrypts them server side with keys that under AWS's control.
Encrypted Secret Storage
Phase uses TLS to secure data in transit as well as XChaCha-Poly1305 with keys you own to secure sensitive data at rest.
Keys are encrypted in transit with TLS and at rest with server side AES-256 encryption.
Generate secure keys / secrets
Yes. The following secrets generation types are supported: Alphanumeric, Hex, Base64, Base64 URL safe, key128, key256.
AWS Secrets Manager supports generating a random password via the AWS CLI.
Self custody of keys
Yes. Phase is designed to enable self custody of keys. Only you have access to the root keys via a 24 world mnemonic phrase recovery.
No. While AWS Secrets Manager support BYOK (Bring your own keys), the custody of your encryption keys is outsourced to the AWS KMS service.
Secret access and audit logs
Yes, set up automatically out of the box, no configuration required and included for free as part of all pricing tiers.
Yes, but requires configuration with CloudTrail and CloudWatch which are billed separately.
Automated Secret rotation
Planned feature - will be live early Q1 2024.
Yes, but only rotations of static secrets is possible. Requires a user to set up their own lambda function.
Filtering access to secrets via IP addresses
Planned feature - will be live early Q1 2024.
Yes, it is possible to filter access to a certain secret in aws secrets manager via a source IP adddress or range by using a custom IAM user policy.
Developer experience
Simple and straight forward documentation, with guides and quickstarts for multiple languages and frameworks.
Complex documentation with significant prior knowledge required of both security concepts as well as the AWS ecosystem.
Multi environment setup
Yes. Phase automatically creates environments like development, staging and production for each of your applications out of the box.
While multiple environments can be created for your application on the AWS Secrets Manager, it requires manual setup.
Secret deployment
Yes. Phase automatically deploys your encrypted secrets to the closest region to where your app is running to ensure low latency. No need to manually set up multiple regions.
AWS Secrets Manager requires configuring key types, regions, which can be complex due to the intricacies of AWS services and systems.
Simple and predictable pricing model. Phase offers a generous free tier that will along with Pro and Enterprise tiers. Pricing is primarily based on number of users.
Cost estimation can be complex as it depends on a number of variables such as number of secrets, number of requests made, multi region replication, type of key used from AWS KMS, CloudWatch logging costs.
One click secret restoration
You can view the state of a secret since inception and restore to a previous value.
While viewing the previous state of a secret is possible in AWS Secrets Manager, restoring to previous versions requires you to retrieve the previous value of a secret via the VersionId and update it manually.
Secret diffs
Yes, you can compare a previous state of a secret in a git-styled diff by viewing secret history.
Point-in-time Recovery
Planned feature - will be live early Q1 2024.
Integrations - Frameworks
Yes, Phase cli can inject secrets into your application at runtime without any code changes or additional dependencies.
Integrations - Secret sync
Yes, Phase can sync secrets to third party platforms and services like GitHub, Cloudflare, Vercel and AWS Secrets Manager itself.
Partial. Phase currently has native SDKs for JavaScript, Node.js and Python.
Yes. AWS currently has larger support for other languages such as .NET, Java and C.


The fastest and easiest way to get started with Phase. Spin up an app in minutes. Hosted in Frankfurt 🇩🇪


Run Phase on your own infrastructure and maintain full control. Perfect for customers with strict compliance requirements.