SikkerKey Blog
Security writeups, engineering deep-dives, and practical guides from the team building SikkerKey.
RSS feedBring Your Own Key (BYOK): What It Is and How It Works
Bring your own key (BYOK) lets you hold the encryption key for your data in your own cloud KMS, so you control when the vendor can decrypt it. What BYOK is, how it works, what it does and doesn't change, and how SikkerKey offers it alongside managed keys.
Your MCP Server Has Secrets. Can the AI Read Them?
A practical answer for teams using Claude Code, Codex, and other coding agents: when AI agents can read secrets, when they cannot, and how SikkerKey keeps MCP secret management read-blind.
Dynamic Secrets vs Leased Credentials: What's the Difference?
Dynamic secrets (HashiCorp Vault, Infisical, etc) and SikkerKey's leased credentials both mint short-lived database logins on demand. The difference is how a machine proves it may mint one: a bearer token, or a signed request with nothing reusable issued.
Alternatives to .env Files
The simplest alternative to a .env file is to stop keeping secrets in files. With SikkerKey you bootstrap a machine in one command, and the CLI and SDKs read secrets with no token and no config, plus rotation, a full audit log, and per-secret access.
Hvordan beskytter man sine API-nøgler? Guide til sikker håndtering af applikationshemmeligheder
API-nøgler og secrets lækker fra .env-filer, git-historik og CI-logs. Sådan beskytter du dine applikationshemmeligheder i praksis, og sådan binder SikkerKey adgang til en signeret maskinidentitet.
Secrets Manager Pricing: Is Your Team Spending Too Much In 2026?
A SikkerKey-first 2026 pricing comparison showing how managed secrets manager pricing changes across machines, identities, users, secrets, versions, and usage meters.
Simple Secrets Manager: Why SikkerKey Is Easy to Adopt
SikkerKey is a simple secrets manager because it absorbs the hard parts behind straightforward methods and intuitive UI: bootstrap a machine, grant specific secrets, and let read-only SDKs in six languages use that machine identity automatically.
Traditional vs Modern Secrets Management In 2026
Traditional secrets managers use your strong login only to mint a weaker bearer token, then bolt crutches like short expiry and rotation around it. A modern secrets manager proves a machine's identity on every request instead, so there is nothing reusable to steal.
Stop Using .env Files for Secrets in 2026: dotenv Alternatives for Every Language
Node, Python, Go, .NET, Kotlin, and PHP each have a dotenv, and they all load the same plaintext .env file on disk. The 2026 fix is the same in every language: inject secrets at runtime with SikkerKey's CLI or one of its six SDKs, so no .env file holds them.
Best EU Secrets Managers in 2026
A practical 2026 comparison of EU secrets managers: SikkerKey, STACKIT Secrets Manager, Scaleway Secret Manager, and OVHcloud Secret Manager, by jurisdiction, machine authentication, cloud independence, and the teams each one fits.
EU Secrets Management: Why We Built SikkerKey in Europe
SikkerKey is a European secrets manager: that keeps your secrets, audit logs, and machine identities on EU infrastructure, with signed machine authentication and per-secret access. Built in the EU for GDPR, NIS2, and DORA.
How to Give AI Agents Secure Access to Secrets Without API Keys
AI coding assistants and autonomous agents have become a credential-theft target. Here is why API keys in environment variables are the weak point, and how scoped, read-blind identities stop a compromised agent from leaking your secrets.