---
title: Pulumi ESC vs Infisical
url: /docs/esc/vs/infisical/
---

Choosing the right [secrets management](/what-is/what-is-secrets-management/) tool is important, and we want you to have as much information as possible to make the choice that best suits your needs. We’ve created this document to help you understand how Pulumi ESC compares with Infisical.

## What is Infisical?

Infisical is a secrets management tool that provides a centralized platform for managing and controlling access to secrets. It supports dynamic secret generation, encryption as a service, and comprehensive access policies.

## Pulumi ESC vs. Infisical: Similarities {#similarities}

Like Infisical, Pulumi ESC is a secrets manager for cloud applications and infrastructure. In both ESC and Infisical, secrets can be stored and accessed through a CLI, SDK, or Web editor interface. Granular access controls can be implemented across all secrets.

## Pulumi ESC vs. Infisical: Key Differences {#differences}

There are a few fundamental differences between Infisical and Pulumi ESC. First, Infisical can only add and manage secrets stored in Infisical. ESC adopts an open ecosystem approach, allowing you to pull secrets stored in most secrets and password managers at runtime and use them anywhere. This allows teams to use the best secrets management solution according to their purposes and needs. Second, Infisical lacks the composability and hierarchical nature of ESC, which increases the time it takes to get started and the duplication of secrets. Third, ESC takes a software engineering approach to versioning, with the ability to add tags and import specific collections of secrets and configuration via those tags, similar to Docker. Fourth, ESC takes a more secure, limited-privilege path to provisioning dynamic short-term credentials than Infisical.

Here's a detailed comparison of the two:

| Feature | Pulumi ESC | Infisical |
|---|---|---|
| **Architecture** | | |
| OSS License | Yes, Apache License 2.0 | Yes, MIT expat license |
| Document Store | Yes | No |
| Key-value Store | Yes | Yes |
| Open Ecosystem | Yes, supports pulling and using secrets from multiple sources including HashiCorp Vault, 1Password, AWS Secrets Manager, etc. | No, can only store and manage secrets stored in Infisical |
| **Developer Experience** | | |
| Editing and Authoring | Yes, supports both GUI and powerful Document Editor with autocomplete, docs hover, and error checking | Limited, has GUI editor without YAML support |
| CLI | Yes, available as `esc` CLI or `pulumi` CLI | Yes |
| Client SDKs | Yes | Yes |
| Declarative Provider | Yes, support via the Pulumi Service Provider, which allows management (create, update, delete) of collections of secrets and configuration as a resource through infrastructure as code. | No |
| Composability | Yes, simple set up of hierarchical environments that inherit values from imported environments | No, can only reference singular secrets from other environments and references have to be duplicated in multiple environments |
| Versioning | Yes, entire environments can be versioned and tagged and imported based on the specific version tags or revision numbers | Limited |
| Immutable History & Point in Time Recovery | Yes | Yes |
| Values Can Be of Type Secret and Plaintext | Yes | No, values can only be secrets |
| Interpolate Values from Other Values | Yes, new dynamic values can be constructed through string interpolation | No |
| Branching / Personal Configs | Yes, environments can be forked for testing without rewriting entire environments and overriding specific values | Limited, requires careful copying since secrets need to be downloaded in plaintext locally and then uploaded |
| Compare Secrets across Environments | No | Yes |
| In-built Functions | Yes, support for functions like `toJSON`, `fromJSON`, `fromBase64`, `toString` allows data manipulation for any scenario | No |
| **Security and Compliance** | | |
| Audit Logs | Yes | Yes |
| Encrypted Secrets Storage | Yes, TLS is used for encryption in transit and unique encryption keys per environment are employed for encryption at rest | Yes |
| Access Controls | Yes | Yes |
| Secure Dynamic Cloud Provider Credentials | Yes, uses OIDC flows to generate dynamic credentials. Available for AWS, Azure, and Google Cloud. | No, less secure as it requires access keys for highly privileged root accounts |
| OIDC Trust | Yes, trust relationships are established with third-party OIDC providers | No |
| Secure Environment Variables | Yes, the `esc run` CLI command can be used to specify which secrets are available as environment variables | No, all values are available as environment variables |
| Plaintext Read Only Mode | Yes, ESC offers a `read` mode that allows reading only plaintext values while not being able to decrypt secrets or access dynamic credentials | No |



