
If e2e encryption is a requirement for you, consider checking out https://secrethub.io

Full disclosure: I'm the founder :)


Founder of SecretHub here, big kudos on the GUI Doppler made; it looks amazing.

Aside from a feature-by-feature comparison, I feel that both SecretHub and Doppler do a great job of:

1) making secrets management simple enough so any engineer can use it with limited overhead.

2) making secrets management work throughout your entire stack – from development to production – and not just inside one ecosystem.

Finally, we see a trade-off between usability and security being made. At SecretHub, we feel end-to-end encryption is a must for any managed service handling passwords, API keys and other secrets.


You should apply for YC too.


The series of articles the author intends to write is a great idea. Managing secrets is a fast growing problem that needs more exploration.

However, I must say I disagree with the sentiment that separation of secrets from source code is a bad thing. Git-crypt and similar tools use git for versioning. While this sounds great, it is not desirable for key management. Software and secrets have different management cycles. You always want to keep a copy of past software versions, but this is not the case for secrets. For instance, what if you want to make sure a secret is deleted? It will be a hard challenge to remove this from the git history on all copies of the repo.

As commented before, separating your development workflow from your secret management flow is actually a must. Not only are the management cycles different, the access policies also differ. Giving only a few trusted individuals access to the encrypted bag inside your git repo may work for a very small team with a few similar servers. However, when you have multiple sets of people and services that need access to different sets of secrets, controlling who has access to what secrets with these encrypted data bags quickly becomes impractical.

I agree with tptacek, having a decoupled and secure place to manage and distribute secrets is more secure and scales better. At SecretHub we allow access control per secret or secret-group to solve this complex mapping problem. We believe it should be easy for developers to create secrets, but only easy for machines to use them. Developers rarely need access to secrets in production.

Take a look at our website to find out more: https://secrethub.io

Disclaimer: I'm the co-founder of https://secrethub.io, an encrypted SaaS to help teams manage and distribute secrets.
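The point above about a secret surviving in git history, as an added shell example (not from the original comments or from SecretHub): a constructed repo commits a placeholder secret, "removes" it with git rm, and a check then counts how many reachable commits still carry the value, both in the original repo and in a fresh clone. The helper names and the placeholder value are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original comments: show that deleting a secret
# from a git working tree leaves it in every commit and every clone, and give
# a defender a check that counts how many commits still carry the value.
set -eu

# Constructed placeholder; clearly not a real credential.
SECRET='EXAMPLE_API_KEY_placeholder_not_a_real_credential'

# Commit without relying on a global git identity being configured.
gcommit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "$2"
}

# Build a repo that commits a secret in config.env, then "removes" it with
# git rm + commit, the way many teams react to a leak. Prints the repo path.
setup_demo_repo() {
    repo=$(mktemp -d)
    git init -q "$repo"
    printf 'API_KEY=%s\n' "$SECRET" > "$repo/config.env"
    git -C "$repo" add config.env
    gcommit "$repo" "add service config"
    git -C "$repo" rm -q config.env
    gcommit "$repo" "remove leaked config"
    echo "$repo"
}

# Prints 1 if the secret is in any tracked file of the current checkout, else 0.
working_tree_has_secret() {
    if git -C "$1" grep -q -F "$2"; then echo 1; else echo 0; fi
}

# Prints how many reachable commits still contain the secret anywhere in their
# tree. 0 means the value is actually gone; anything else means the deletion
# was cosmetic and a history rewrite (plus a re-clone by everyone) is needed.
count_commits_with_secret() {
    git -C "$1" rev-list --all | while read -r rev; do
        if git -C "$1" grep -q -F "$2" "$rev"; then echo "$rev"; fi
    done | wc -l | tr -d ' '
}

# Clone the repo, as a colleague or CI runner would, and print the clone path.
clone_repo() {
    clone=$(mktemp -d)
    git clone -q "$1" "$clone"
    echo "$clone"
}

if [ "${1:-}" = "demo" ]; then
    repo=$(setup_demo_repo); clone=$(clone_repo "$repo")
    echo "working tree:     $(working_tree_has_secret "$repo" "$SECRET")"
    echo "commits (origin): $(count_commits_with_secret "$repo" "$SECRET")"
    echo "commits (clone):  $(count_commits_with_secret "$clone" "$SECRET")"
fi
```

Run with the `demo` argument: the working tree reports 0 while both the origin and the clone report 1 commit still holding the value, which is exactly why a checked-in secret is never truly deleted.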

