The November Wave leak
One November 2025 evening, the founder of a Dakar logistics startup writes to us: "Mohamed, we pushed a commit with our Wave Business keys to a public GitHub repo 6 hours ago." Immediate audit: the key granted refund issuance access up to 2 million FCFA per transaction. Luckily we caught the leak before a scanner bot exploited it. Wave rotated the keys in 2 hours. Estimated avoided loss: 14 million FCFA.
It was the 11th time in 18 months that we had handled this type of incident at a client. The pattern is always the same: no secrets manager, keys living in local '.env' files, shared on Slack, accidentally committed, forgotten in a Sentry dump, baked into a Docker image.
Why a secrets manager changes everything
A secrets manager centralizes your API keys, DB passwords, OAuth tokens, certificates. Instead of scattered '.env' files, your apps request secrets at runtime from an authenticated service that logs every access, rotates values automatically, and revokes them in one click on compromise.
Concretely, without a secrets manager, a developer leaving the team means 6 hours of manual rotation across 30 keys, plus the risk of forgetting one. With one, it means 30 seconds to revoke their role.
The three real options for an African SaaS
| Solution | Model | Monthly price | Ideal profile |
|---|---|---|---|
| HashiCorp Vault self-host | Open source, your infra | ~$50-150 (VPS + ops) | Teams 10+ with a DevOps |
| HashiCorp Vault Cloud (HCP) | Managed SaaS | $0.03/secret/hour (~$200-800/month) | Teams without strong DevOps |
| AWS Secrets Manager | AWS native cloud | $0.40 / secret / month | 100% AWS stack |
| Doppler | Dev-friendly SaaS | $7 / seat / month | Small teams, multi-cloud |
| Infisical (open source) | Self-host or cloud | $0 self-host / $6 per seat cloud | Budget alternative to Doppler |
In FCFA, for an 8-person team: Doppler ~34,000 FCFA/month, AWS Secrets Manager (50 secrets) ~12,000 FCFA/month, Vault HCP ~150,000 to 480,000 FCFA/month, Vault self-host ~30,000 to 90,000 FCFA/month of VPS.
The Kolonell rule by stage
Pre-seed / MVP (0-3 tech people): Doppler or Infisical Cloud. Setup takes 1 hour, the CLI replaces your '.env', and your environments sync painlessly. ~22,000 FCFA/month for 3 seats. Skip Vault; don't waste time on it until you have a DevOps engineer.
Seed (4-10 tech people, raise < 2 years): if you're 100% AWS, go with AWS Secrets Manager plus a small app wrapper. Otherwise Doppler stays the right call up to 15-20 people. ~50,000 to 80,000 FCFA/month.
Series A (10+ tech, multi-cloud, SOC2/ISO compliance): HashiCorp Vault, ideally HCP (managed cloud) to skip ops cost. Automatic rotation, dynamic identity, and audit trail are needed to pass SOC2 Type II. ~200,000 to 500,000 FCFA/month.
The too-early self-host mistake
Vault self-host is free of license cost, but expensive in human time. One bad config (a cluster stuck sealed after a restart, a broken auto-unseal, untested snapshots) and you lose access to all your secrets in the middle of the night. A Beninese fintech called us at 3 AM with this problem: 8 hours of production down, 2 million FCFA of revenue lost.
If you don't have a DevOps engineer dedicating 30%+ of their time to security infrastructure, stick to managed offerings (HCP, AWS, Doppler, Infisical Cloud). The math nearly always favors managed up to 20+ tech people.
Repo secret scanning, mandatory
Whatever the solution, plug Gitleaks or TruffleHog in as a pre-commit hook and in CI. It's free, and it catches leaks before they leave the dev's machine. For 1 hour of setup, you avoid 80% of "Wave key in public repo" incidents.
Pair it with GitHub's native secret scanning (free on public repos, paid on private repos via Advanced Security, ~$21/user/month). Partner issuers (Stripe, AWS, Google) are notified of keys detected in a push and revoke them automatically.
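As an added example (not code from the article or from the Gitleaks project), one POSIX shell script that serves as both the pre-commit hook and the CI step described above, and that also enforces the FAQ rule of keeping '.env*' in '.gitignore'. It assumes gitleaks v8 is installed on PATH and that the file is saved as secret-scan.sh (both names are assumptions).

```shell
#!/bin/sh
# secret-scan.sh (assumed name): run as .git/hooks/pre-commit and as a CI step.
# Assumes gitleaks v8 on PATH; the article's advice, not the project's own code.
set -eu

# Return 0 if the .gitignore at $1 excludes .env files (".env" or ".env*"),
# 1 if the file is missing or has no such pattern (the FAQ rule below).
env_ignored() {
  [ -f "$1" ] && grep -Eq '^\*?\.env\*?$' "$1"
}

# Developer laptop: scan only the staged changes, redact matches in output.
scan_staged() {
  gitleaks protect --staged --redact --verbose
}

# CI: scan the full history; a non-zero exit fails the pipeline.
scan_history() {
  gitleaks detect --source . --redact --verbose
}

main() {
  if ! env_ignored .gitignore; then
    echo "blocked: .gitignore does not ignore .env files" >&2
    return 1
  fi
  if [ "${CI:-}" = "true" ]; then scan_history; else scan_staged; fi
}

# Only run when executed directly, so the functions can also be sourced.
case "${0##*/}" in secret-scan.sh) main ;; esac
```

Install it with `cp secret-scan.sh .git/hooks/pre-commit` on each dev machine and call it from the CI job with CI=true set (GitHub Actions sets that variable by default).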
FAQ
Is '.env.local' really enough for a solo MVP?
While you're alone, yes, provided '.env*' is in '.gitignore', Gitleaks runs as a pre-commit hook, and your prod keys are NEVER on your laptop. As soon as a 2nd dev joins, migrate to Doppler.
Can Vault replace 1Password or Bitwarden?
No. Vault is for application secrets (API keys, DB). 1Password / Bitwarden are for human credentials (SaaS logins). You need both.
How much does a migration to Vault from '.env' cost?
For a SaaS with 5-15 services: 3 to 8 person-days. Budget 1.5 to 4M FCFA for an external engagement, or 2 internal sprints.
Does my Senegalese local hosting support Vault?
Yes, on any Linux VPS with 4GB RAM. Local hosts (Sonatel, Orange Cloud, Mauritius providers) are compatible. Vault HCP has no Africa region; ~80-120 ms latency to Europe is acceptable.
Audit your secrets
Want a 1-day diagnostic? Where do your secrets live, who can read them, how many are committed in Git? We do it with you, with a report and migration plan delivered. WhatsApp +221 77 596 93 33 or /en/free-quote.
Mohamed Bah
Founder, Kolonell
Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.