HashiCorp Says Your Secrets Manager Needs 12 Things. Here's How We Stack Up. 🎹

HashiCorp recently published a whitepaper called "12 Things a Modern Secrets Management Solution Must Do." It's a solid framework — genuinely useful for evaluating any secrets tool. So we ran Clef through it. Honestly. We're not going to pretend we check every box the same way Vault does. We're a git-native secrets manager built on SOPS — no servers, no tokens, no vendor custody. Different architecture, different tradeoffs. Here's where we're strong, where we're different, and where we'll tell you to use something else. The Scorecard 📋 1. Secure Secrets Storage 🔒 Vault: Centralized encrypted KV store. Secrets encrypted before hitting persistent storage. Dashboard + CLI. Clef: Encrypted files in git. SOPS encrypts values using age or cloud KMS. Decrypted values exist only in memory — plaintext never touches disk. The repo is the store. ✅ Verdict: Both nail this. Different storage model, same outcome — secrets encrypted at rest, protected from raw storage access. 2. Centralized Managemen