--- title: Pulumi ESC vs Doppler url: /docs/esc/vs/doppler/ --- Choosing the right [secrets management](/what-is/what-is-secrets-management/) tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with Doppler. ## What is Doppler? Doppler is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies. ## Pulumi ESC vs. Doppler: Similarities {#similarities} Like Doppler, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Doppler, secrets can be stored and accessed through a CLI, SDK, or Web editor interface. Secrets can also be pulled from other secrets and password managers. Granular access controls can be implemented across all secrets. ## Pulumi ESC vs. Doppler: Key Differences {#differences} There are a couple of fundamental differences between Doppler and Pulumi ESC. Doppler has basic per secret inheritance as opposed to fully composable and hierarchical environments of ESC. Second, ESC environments can be managed (create, update, delete) through infrastructure as code. Third, ESC takes a more secure limited privilege path to provisioning dynamic short-term credentials as compared to Doppler. Here's a detailed comparison of the two: Feature Pulumi ESC Doppler Architecture OSS License Yes, Apache License 2.0 No Document Store Yes No Key-value Store Yes Yes Open Ecosystem Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. Yes, supports pulling and using secrets from a variety of stores Developer Experience Editing and Authoring Yes, supports both GUI and IDE editing, with a powerful Document Editor with autocomplete, docs hover, and error checking Limited, has GUI editor with multiple import formats CLI Yes, available via `esc` CLI and `pulumi` CLI Yes Client SDKs Yes Yes Declarative Provider Yes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code No Composability Yes, simple set up of hierarchical environments that inherit values from imported environments Limited, can create projects that have secret values that can be individually inherited by other projects Versioning Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers Yes Immutable History & Point in Time Recovery Yes Yes Values Can Be of Type Secret and Plaintext Yes Yes Interpolate Values from Other Values Yes, new dynamic values can be constructed through string interpolation No Branching / Personal Configs Yes, environments can be forked for testing without rewriting entire environments and overriding specific values Yes, environments has a root and branches and each developer automatically get their own personal development config per project Compare Secrets across Environments No No In-built Functions Yes, support for functions like `toJSON, fromJSON, fromBase64, toString` allows data manipulation for any scenario Limited, only `toJSON` and `fromJSON` available Security and Compliance Audit Logs Yes Yes Encrypted Secrets Storage Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest Yes, TLS is used for encryption in transit and all secrets are encrypted with AES-GCM Access Controls Yes Yes Secure Dynamic Cloud Provider Credentials Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud Limited, OIDC not used to generate dynamic credentials. TTL based leases are used to generate dynamic secrets OIDC Trust Yes, trust relationships are established with third-party OIDC providers No Secure Environment Variables Yes, the `esc run` CLI command can be used to specify which secrets are available as environment variables No, all values are available as environment variables Plaintext Read Only Mode Yes, ESC offers a `read` mode that allows reading only plaintext values while not being able to decrypt secrets or access dynamic credentials No > This content is best viewed on the web. See: [Pulumi ESC vs Doppler](https://www.pulumi.com/docs/esc/vs/doppler/)