8 Secrets Management

Note

Bitwarden as the source of truth, podman secret as the runtime interface, Vaultwarden as a self-hosted backup.

8.1 The secret lifecycle

8.2 Bitwarden item conventions

8.3 pyinfra and `bw` CLI

8.4 podman secret integration

8.5 Vaultwarden as break-glass

8.6 Why not Vault, SOPS, or dotenv

# Secrets Management

::: {.callout-note}
Bitwarden as the source of truth, `podman secret` as the runtime interface, Vaultwarden as a self-hosted backup.
:::

## The secret lifecycle

## Bitwarden item conventions

## pyinfra and `bw` CLI

## podman secret integration

## Vaultwarden as break-glass

## Why not Vault, SOPS, or dotenv