
OK, aside from "open source", and assuming clients will be comparing paid enterprise to paid enterprise, how would you describe your value prop relative to Doppler?



2 main points:

- Infisical is by default end-to-end encrypted, which means that we are not able to read your secrets (unless you give us explicit permissions for integrations that require it). This is not the case for many other products in the market, like Doppler.

- "Open source" is actually a big differentiator in this case, because people and companies can self-host Infisical on their own infrastructure. I can't really imagine JP Morgan storing their secrets on someone else's cloud. Many companies we talk to have very strict compliance restrictions, and this is where Infisical comes in.


Open source is a distribution strategy. Don't forget CyberArk, Thycotic et al. in the enterprise space. They have super strong sales motion in the JP Morgans of the world.


Open source is a lot to unpack haha — There's a ton there but yea I think giving the ability for people to self-host the solution is really important in our mission to increase access to secret management tools to all developers.

Infisical is already pretty easy to self-host but we want it to be even easier — Likely by introducing a 1-click deploy to Heroku/Digital Ocean for folks that need that.

And yea ack with the enterprise space solutions you mentioned. We've a long way to go as a secret manager but I have hopes that one day we'll get to a world-class product that's as good and better!


If being open source is such a big differentiator, why do you not reference it on your pricing page at all? https://infisical.com/pricing

I really wish companies would stop using open source as a growth hack.


It is actually mentioned on the pricing page! (in one of the FAQ questions)


I wouldn’t exactly consider a mention in passing on a “What is Infisical” to be exactly headlining the fact that it’s open source.


There is actually a question about self-hosted Infisical too. But I agree with you - we will do a better job of mentioning open source - we think this is VERY important, so it is definitely not our intention to hide it.


How does getting permission make you “able” to read secrets? It seems like maybe you can read everyone’s secrets but you’re promising not to.


This has to do with how our underlying cryptography works; it's end-to-end encrypted by default with opt-out ability for integrations that need it. You'd have to manually log in to Infisical and grant that permission but the platform itself would be unable to read your secrets otherwise.

Technical details: In Infisical, secrets are stored in vaults (we call them projects). They are encrypted symmetrically by vault keys for which there are multiple copies of vault keys encrypted under the public key of each vault member (your teammates). Vault members decrypt their copy of the vault key locally and use that to decrypt secrets (in browser or via CLI similar to platforms like 1Password and Bitwarden); this client-side decryption process makes it impossible for the platform itself to decrypt the secrets itself.

What is meant by users having the ability to give permission to Infisical to access/read secrets is to share a copy of the vault key by encrypting it under one of the public keys of Infisical — we employ an abstract concept of "bots" that have public-private key pairs assigned to each vault. When you share a copy of the vault key with Infisical (which can't happen without your explicit action), it grants Infisical the ability to access your secrets for integrations like Vercel, Render, GitHub, etc.


Very well explained, thank you.


Presumably the permissions switch is in the client rather than the server. It's true that you have to trust the client, but that's unavoidable.


Yeah that's correct.

The permissions switch can only be on the client because that's where sharing the vault key with Infisical by encrypting it under one of its public keys occurs.
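The scheme described in the "Technical details" comment and in the reply above (per-member wrapped copies of a vault key, plus an opt-in copy for a bot) can be sketched as follows. This is an added example, not Infisical's code: RSA-OAEP and AES-256-GCM are assumed stand-ins for whatever primitives Infisical uses, and all names and the sample secret are constructed.

```javascript
// Added illustration; RSA-OAEP / AES-256-GCM are assumptions, not Infisical's primitives.
const crypto = require("node:crypto");

const newKeyPair = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });

// Wrap / unwrap the symmetric vault key under one recipient's key pair.
const wrapKey = (vaultKey, publicKey) =>
  crypto.publicEncrypt({ key: publicKey, oaepHash: "sha256" }, vaultKey);
const unwrapKey = (wrapped, privateKey) =>
  crypto.privateDecrypt({ key: privateKey, oaepHash: "sha256" }, wrapped);

// Secrets themselves are encrypted symmetrically under the vault key.
function encryptSecret(vaultKey, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", vaultKey, iv);
  const ct = Buffer.concat([c.update(plaintext, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function decryptSecret(vaultKey, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", vaultKey, iv);
  d.setAuthTag(tag); // tampered ciphertext makes final() throw
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

function demo() {
  const alice = newKeyPair(), bob = newKeyPair(), bot = newKeyPair();
  const vaultKey = crypto.randomBytes(32); // generated on a client, never sent in the clear
  // Everything the server stores: ciphertext and wrapped key copies only.
  const server = {
    secret: encryptSecret(vaultKey, "constructed-sample-value"),
    wrappedKeys: { alice: wrapKey(vaultKey, alice.publicKey), bob: wrapKey(vaultKey, bob.publicKey) },
  };
  const readAs = (name, privateKey) => {
    const wrapped = server.wrappedKeys[name];
    if (!wrapped) return null; // no copy of the vault key, so no plaintext
    return decryptSecret(unwrapKey(wrapped, privateKey), server.secret);
  };
  const botBefore = readAs("bot", bot.privateKey);
  // The bot's private key cannot open a member's wrapped copy.
  let botCanUseAliceCopy = true;
  try { unwrapKey(server.wrappedKeys.alice, bot.privateKey); } catch { botCanUseAliceCopy = false; }
  // Explicit opt-in, performed on the client: Alice re-wraps her copy for the bot.
  const aliceCopy = unwrapKey(server.wrappedKeys.alice, alice.privateKey);
  server.wrappedKeys.bot = wrapKey(aliceCopy, bot.publicKey);
  return { bob: readAs("bob", bob.privateKey), botBefore, botCanUseAliceCopy,
           botAfter: readAs("bot", bot.privateKey) };
}

console.log(demo());
```

The re-wrap step needs a member's private key, which is why the permission switch can only be exercised from a client.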



