Product

Secret rotation
without downtime

A focused runtime engine for Docker teams. Automates credential rotation so you don't have to.

Use Cases

What DSO handles

Any credential that needs zero-downtime rotation in Docker workloads.

Database Credentials

Rotate DB passwords without dropping connections. Containers reconnect automatically.

PostgreSQL, MySQL, MongoDB

API Keys

Rotate API keys automatically. Services pick up fresh credentials on the next request.

Third-party APIs, internal services

TLS Certificates

Update certificates before expiration. Traffic continues uninterrupted.

Mutual TLS, self-signed certs

Capabilities

Core capabilities

Operational guarantees backed by architectural constraints.

Zero-Downtime Rotation

Secrets rotate without interrupting services or dropping connections.

Automatic Recovery

Checkpoint-based recovery after crashes or failed health checks. No ops required.

5 Providers

AWS, Azure, HashiCorp Vault, Huawei Cloud CSMS, and local encrypted vault.

Docker Native

Built for Docker Compose and standalone hosts. No Kubernetes, no orchestrator.

~50 MB RAM

Lightweight footprint. Under 5% CPU during rotation. Negligible production impact.

Free & Open Source

Fully auditable on GitHub. No lock-in, no proprietary extensions.

Comparison

DSO vs. alternatives

Lightweight rotation. Not a secret manager. Know the tradeoffs.

CategoryDSOManual ScriptsHashiCorp VaultInfisical
Setup5 minutesHours of scriptingDays of infra setup1–2 hours
Rotation opsFully automatedManual restartsDevOps requiredPlatform managed
DowntimeZero30s+ per rotationPolicy-dependentIntegration-dependent
InfrastructureLightweight Docker agentScript runner / cronSeparate Vault serverCloud platform
Failure recoveryAutomatic (checkpoint)Manual investigationOps interventionPlatform reliability
Learning curveMinimal (Docker users)Custom per teamDays (complex)Hours (web UI)
CostFree / open sourceDev timeFree or $$$$Free or $$$
Bottom line: DSO is the right tool for Docker Compose teams that want zero-downtime secret rotation without ops overhead. It is not a secret manager replacement. If you run Kubernetes, need team-based access controls, or require a full secret management platform, use a purpose-built solution.

Fit

Honest tradeoffs

DSO is the right choice for some teams. Not for all. Be honest about fit.

Choose DSO if

  • You run Docker Compose or standalone Docker hosts
  • You want fully automated rotation without ops overhead
  • You need zero-downtime guarantees
  • You prefer simple, focused tools over platforms
  • Your team knows Docker but not Vault or Infisical

Consider alternatives if

  • You run Kubernetes (use native solutions instead)
  • You need a complete secret management platform
  • You require team-based access controls
  • You need audit compliance (SOC2, ISO, etc.)
  • You want a managed SaaS offering