Stronger isolation for the key that protects your secrets, plus reliability fixes

Your secrets' root key now lives on isolated infrastructure

Every secret in SikkerKey is protected by layered ("envelope") encryption: each value has its own key, that key is wrapped by a per-project key, and those project keys are protected by a single root key.

That root key now lives on dedicated, isolated infrastructure, kept separate from the systems that store and serve your secrets. When one of your applications reads a secret, the serving system asks the isolated infrastructure to unwrap just that one project's key for the lifetime of the request, and never holds the root key itself.

The effect is that the encrypted data and the key that ultimately unlocks it sit on separate infrastructure. A copy of the database, on its own, is just ciphertext, with no key alongside it to decrypt it.

This is internal to how we operate SikkerKey, shared here for transparency. There is nothing you need to change.

Fixed: removing a machine from a project

Detaching a machine from a project could return an error instead of completing. That is resolved, and removing a machine from a project now works reliably.

Webhook delivery on the status page

Our public status page at status.sikkerkey.com now reports webhook delivery health alongside our other services, so you can see whether webhook notifications are flowing and how quickly they arrive. The service names on the page are clearer as well.