1Password vs Bitwarden vs Built-In Vaults for Developer Secrets
ConfigSync supports 4 secret providers. Here's how they compare and which one you should use for your workflow.
Four Providers, One Interface
ConfigSync separates the sync engine from the secret storage backend. You use the same configsync push and configsync pull commands regardless of where secrets are stored. The provider determines where encrypted data lives and how it is managed. This means you can switch providers without changing your workflow.
The four providers are: the built-in encrypted vault, OS keychain integration, 1Password, and Bitwarden. Each has different strengths depending on whether you work solo, on a team, or need to meet specific compliance requirements.
Built-In Vault: The Default Choice
The built-in vault is what you get out of the box. Secrets are encrypted locally with AES-256-GCM and stored as encrypted blobs in ConfigSync's cloud storage (Cloudflare R2). No external dependencies, no additional accounts, no CLI tools to install.
Best for: solo developers, simple setups, anyone who wants zero-knowledge encryption without managing external tools. The built-in vault is the fastest path from install to syncing. It requires no setup beyond choosing a master password.
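What "encrypted locally" and "zero-knowledge" mean for the built-in vault, as an added Node.js sketch that is not ConfigSync's own code: the key is derived from the master password on the client, and storage only ever holds the resulting blob. The scrypt KDF and its parameters, the blob field names and the function names are assumptions, since the page specifies only AES-256-GCM and a master password.

```javascript
// Added illustration, not ConfigSync's code. Assumptions: scrypt as the KDF,
// its parameters, and the blob field names. The page only states AES-256-GCM.
const crypto = require('node:crypto');

// Derive a 256-bit key from the master password. The salt is public and
// travels with the blob; the password and key never leave the client.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Encrypt one secret locally. Only the returned object would be uploaded.
function sealSecret(masterPassword, name, plaintext) {
  const salt = crypto.randomBytes(16);
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce for every encryption
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), nonce);
  cipher.setAAD(Buffer.from(name, 'utf8')); // bind the ciphertext to its secret name
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { name, salt: b64(salt), nonce: b64(nonce), ct: b64(ct), tag: b64(cipher.getAuthTag()) };
}

// Decrypt and authenticate. Throws if the password, name, ciphertext or tag is wrong.
function openSecret(masterPassword, blob) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(masterPassword, raw(blob.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(blob.nonce));
  decipher.setAAD(Buffer.from(blob.name, 'utf8'));
  decipher.setAuthTag(raw(blob.tag));
  return Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]).toString('utf8');
}

// Same as openSecret, but returns null when authentication fails.
function tryOpen(masterPassword, blob) {
  try { return openSecret(masterPassword, blob); } catch { return null; }
}

// Constructed sample values, not real credentials.
const sample = sealSecret('constructed-master-password', 'NPM_TOKEN', 'constructed-token-value');
const moved = { ...sample, name: 'AWS_SECRET_ACCESS_KEY' }; // blob relabelled in storage
console.log(Object.keys(sample).join(','));                  // what storage sees
console.log(tryOpen('constructed-master-password', sample)); // original secret
console.log(tryOpen('wrong-password', sample));              // null
console.log(tryOpen('constructed-master-password', moved));  // null
```

Because GCM authenticates the ciphertext and the associated name, a blob that is modified or relabelled in storage fails to decrypt rather than yielding altered plaintext.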
OS Keychain: System-Level Integration
The OS keychain provider stores secrets in your operating system's native credential manager: macOS Keychain, GNOME Keyring on Linux, or Windows Credential Manager. Secrets are protected by your OS login password and the platform's hardware-backed security (Secure Enclave on macOS, TPM on Windows).
Best for: developers who want secrets tied to their OS account, or teams with policies requiring hardware-backed key storage. The downside is that keychain contents do not sync across machines automatically — you need iCloud Keychain (macOS) or a manual export for cross-device access.
1Password: Team-Ready Secret Management
The 1Password provider uses the op CLI to read and write secrets directly to your 1Password vault. This is ideal for teams that already use 1Password — secrets are shared through 1Password's existing team infrastructure, with access controls, audit logs, and cross-device sync handled by 1Password.
Best for: teams already using 1Password, organizations that need audit trails for secret access, and setups where multiple people need access to shared development secrets. 1Password's vault sharing means new team members get access to secrets as soon as they are added to the vault.
Bitwarden: Open-Source and Self-Hostable
The Bitwarden provider works through the bw CLI. Bitwarden offers the same core functionality as 1Password with one key differentiator: it is open source and can be self-hosted using Vaultwarden or Bitwarden's official self-hosted option.
Best for: teams that prefer open-source tools, organizations with data residency requirements that mandate self-hosting, and developers who already use Bitwarden personally. Self-hosting means your secrets never leave infrastructure you control.
Side-by-Side Comparison
| Feature | Built-in Vault | OS Keychain | 1Password | Bitwarden |
|---|---|---|---|---|
| Encryption | AES-256-GCM | OS-managed | AES-256-GCM | AES-256-CBC |
| Cross-device sync | Yes (cloud) | Limited | Yes (1P account) | Yes (BW account) |
| Team sharing | No | No | Yes (shared vaults) | Yes (organizations) |
| Self-hostable | No | N/A | No | Yes (Vaultwarden) |
| External dependency | None | None | op CLI | bw CLI |
| Cost | Free (ConfigSync) | Free | $4/user/month | Free / $3/user/month |
| Setup complexity | None | Minimal | Moderate | Moderate |
| Audit logs | Push/pull history | OS logs | Full audit trail | Full audit trail |
How to Switch Providers
Switching providers is a single command. Your existing synced data is re-encrypted and migrated to the new provider:
push, pull, and inject commands work identically regardless of which provider is active. Only the storage backend changes.
Which Provider Should You Use?
Start with the built-in vault. It works immediately, requires no external tools, and provides zero-knowledge encryption. If you later need team sharing, switch to 1Password or Bitwarden. If you need hardware-backed storage for a specific machine, add OS keychain for that machine only.
The beauty of ConfigSync's provider architecture is that you are never locked in. Your workflow stays the same; only the storage backend changes.