Plenty of teams want their secrets kept under EU jurisdiction rather than with a US-owned provider. This is a brief, factual rundown of the EU secrets managers worth knowing in 2026. We build one of them, SikkerKey. The other three are the secret managers built into the European clouds STACKIT, Scaleway, and OVHcloud. For each, the notes cover who runs it, how applications authenticate, and where it fits.
The EU secrets managers at a glance
| Tool | Country | Machine auth | Best for |
|---|---|---|---|
| SikkerKey | Denmark | Ed25519 signed requests | One secrets layer across clouds, on-prem, and laptops |
| STACKIT Secrets Manager | Germany | HashiCorp Vault (userpass) | Teams on STACKIT, or wanting managed Vault |
| Scaleway Secret Manager | France | Scaleway IAM | Teams building on Scaleway |
| OVHcloud Secret Manager | France | OVHcloud IAM | Teams building on OVHcloud |
SikkerKey
SikkerKey is an independent, EU-native secrets manager and vault, built and hosted in the EU by a Danish team. It is not part of a cloud platform, so the same setup runs across clouds, on-prem servers, and developer machines. Machines authenticate by signing each request with an Ed25519 key kept on the host, and SikkerKey stores only the public key.
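The property described above (the host signs, the server keeps only the public key) can be shown with Go's standard `crypto/ed25519`. This is an added example, not SikkerKey's code or wire format: the signing-string layout, the timestamp and nonce fields, the `Verifier` type and the `/secrets/sk_example` path are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// canonical builds a constructed signing string (an assumption, not SikkerKey's
// wire format): method, path, SHA-256 of the body, Unix time, nonce.
func canonical(method, path string, body []byte, ts int64, nonce string) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%x\n%d\n%s", method, path, sha256.Sum256(body), ts, nonce))
}

// SignRequest runs on the host; the private key never leaves it.
func SignRequest(priv ed25519.PrivateKey, method, path string, body []byte, ts int64, nonce string) []byte {
	return ed25519.Sign(priv, canonical(method, path, body, ts, nonce))
}

// Verifier is the server side. It holds only the public key, so nothing stored here can sign.
type Verifier struct {
	Pub  ed25519.PublicKey
	Skew time.Duration
	seen map[string]bool // nonces already accepted
}

// Verify checks freshness first, then that the signature covers every field.
func (v *Verifier) Verify(now time.Time, method, path string, body []byte, ts int64, nonce string, sig []byte) error {
	if d := now.Sub(time.Unix(ts, 0)); d > v.Skew || d < -v.Skew || v.seen[nonce] {
		return fmt.Errorf("not fresh: timestamp outside skew or nonce reused")
	}
	if !ed25519.Verify(v.Pub, canonical(method, path, body, ts, nonce), sig) {
		return fmt.Errorf("signature does not match request")
	}
	if v.seen == nil {
		v.seen = map[string]bool{}
	}
	v.seen[nonce] = true // record only after the signature checks out
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // enrollment: keypair generated on the host
	v, now := &Verifier{Pub: pub, Skew: 30 * time.Second}, time.Now()
	sig := SignRequest(priv, "GET", "/secrets/sk_example", nil, now.Unix(), "n-1")
	fmt.Println("first use:", v.Verify(now, "GET", "/secrets/sk_example", nil, now.Unix(), "n-1", sig))
	fmt.Println("replay:", v.Verify(now, "GET", "/secrets/sk_example", nil, now.Unix(), "n-1", sig))
}
```

A production verifier would also expire recorded nonces once they fall outside the skew window, so the replay set stays bounded.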
A key concept you'll find across SikkerKey is that it absorbs the complexity instead of pushing it downstream onto the user. You never manage keys yourself: enrollment generates the keypair on the host, and the SDKs and CLI locate and use that identity automatically, with no key paths or tokens to wire up. Structured secrets are first-class in both, so `sikkerkey get sk_db_prod password` returns just that field, and the SDKs expose individual fields the same way.
Features include but are not limited to:
- Secret versioning
- Machine name-versioning
- Five different secret types (normal, structured, managed, canary, and TTL)
- Multiple secret rotation architectures, including per-field rotation for structured secrets and a sync agent that rotates your database credentials locally on your machine
- Per-project secret access policies (time window, IP / CIDR allowlist, read-rate cap, co-sign, and lifecycle: destroy at, destroy after N reads, rotate after N reads)
- Three machine types (long-lived, temporary, and ephemeral)
- Severity-categorized audit logs, tied to the exact time, user, machine identity, and IP, with the ability to export them to CSV
- Over 160 alertable audit entries
- Email & signed webhook alerts
- A secure plaintext-blind AI agent identity feature with a published MCP server
- Global IP / CIDR allowlist on the secret retrieval path
- Script builder for common CI / CD platforms (GitHub, GitLab, Bitbucket, and more)
- Docker machine provisioning
- Trash system that allows you to restore terminated or deleted secrets
- In-dashboard support and ticketing system with published SLA times
- Dashboard authentication through SSO and WebAuthn
- Organization feature that allows managing members of your vault
- SDKs in six different languages (Kotlin, Python, Node.js, Go, .NET, and PHP)
- A single binary Go CLI
- Integration-agnostic: integrates with anything that can run code
SikkerKey is free to use; paid subscriptions come with more machines, longer audit retention windows, email alerts, an increased volume of webhook deliveries, and team & organization tools.
STACKIT Secrets Manager
STACKIT is the cloud arm of Germany's Schwarz Group, the parent of Lidl and Kaufland, operated under German jurisdiction. Its Secrets Manager is a managed HashiCorp Vault.
Features include:
- A HashiCorp Vault KV2-compatible API, usable from the Vault CLI and any KV2 client
- Secret versioning, including enabling, disabling, and destroying individual versions
- Encryption at rest via STACKIT KMS
- Access control lists configured through the API
- Authentication with Vault's userpass method, which issues a short-lived token
- Audit logs for secret lifecycle events: creation, deletion, and version enable, disable, and destroy
- Integrations with the Kubernetes Secrets Operator, Ansible, and Terraform
- High availability, hosted in the EU
Scaleway Secret Manager
Scaleway, part of France's Iliad group, offers Secret Manager as a native service in its cloud.
Features include:
- Envelope encryption (AES-256) at rest and in transit via Scaleway KMS
- Access control through Scaleway IAM policies
- Secret versioning, with rotation and rollback across versions
- Ephemeral policies that expire a version after a single read or a set window of up to a year
- Automatic replication across availability zones in your chosen region
- Access through the Secret Manager API, with Terraform, Ansible, and Kubernetes (External Secrets) integrations
- Usage-based pricing: €0.04 per secret version per month, plus €0.03 per 10,000 API calls
OVHcloud Secret Manager
OVHcloud, the French provider, offers Secret Manager within its Identity, Security and Operations range.
Features include:
- Encryption at rest via OVHcloud KMS
- Granular access control through OVHcloud IAM, with per-secret roles and permissions
- A REST API and a HashiCorp Vault KV2-compatible API, for reversible migration
- Secret versioning through the KV2 engine
- Real-time and historical audit logs via OVHcloud Logs Data Platform
- Kubernetes integration through the External Secrets Operator
- Pricing per secret version per month, set by region