Envelope encryption
A pattern where each data value is encrypted with its own data key, which is itself wrapped by a master key, so the master key never directly touches the ciphertext and rotating it is cheap.
What it is
Envelope encryption splits encryption into layers. The inner layer encrypts the actual data with a per-record key, called a data encryption key or DEK. The outer layer encrypts that DEK with a master key, sometimes called a key encryption key or KEK. Only the outer key, which is small, ever needs to be unlocked directly, and it never decrypts data on its own.
The point of the name is the metaphor: the data sits inside an inner envelope, and the inner envelope sits inside a stronger outer one. The pattern shows up in any storage system that needs to encrypt many records under a small number of keys without ever exposing the master key to the application that reads the data.
How it works
Three steps, done in order:
- Generate a fresh data encryption key (DEK) for each value you want to store. Typically a 256-bit random key.
- Encrypt the value with the DEK using a symmetric authenticated cipher like AES-256-GCM.
- Wrap the DEK with a master key (the KEK). Store the wrapped DEK alongside the ciphertext, never the raw DEK.
To read the value, the reverse: fetch the wrapped DEK, unwrap it with the master key, decrypt the ciphertext with the DEK, then zero the DEK from memory. The master key spends most of its life idle and never sees plaintext data, only the small wrapped DEKs.
Why the layering matters
Three properties fall out of the envelope structure that single-key encryption doesn't give you:
- Blast radius is small. A leaked DEK exposes exactly one record. A leaked master key alone exposes nothing; an attacker still needs the wrapped DEKs to make use of it.
- Rotation is cheap. Rotating the master means re-wrapping the (small) DEKs, not re-encrypting the (large) data values. A system with a million records can rotate its master key in seconds instead of hours.
- The master can live further from the data. Because it's only used to wrap small keys, the master can sit in a hardware security module, be held only in memory by a separate process, or live behind a key-management service, with much tighter access controls than the bulk data needs.
The same structure also nests further. The master key itself can be wrapped by another key held even further from the system that handles ciphertext, creating a chain of envelopes where each layer's job is to wrap the one below it. The bulk data stays encrypted under fast symmetric keys; the keys that matter most spend their time wrapped and idle.
How SikkerKey uses it
SikkerKey applies envelope encryption in three layers, each storing only what it needs to:
- Per-secret data key. Every secret value in your vault is encrypted with AES-256-GCM under a key generated just for that secret. The secret ID is bound into the encryption as additional authenticated data, so a ciphertext can't be silently swapped between records.
- Per-project master key. Each project has its own master key that wraps the data keys belonging to that project. The master key is generated at project creation and stored in the database in wrapped form, never in plaintext.
- In-memory unseal key. The key that wraps every project's master key lives only in memory after the server is unsealed. It's never written to disk, never logged, and never returned over the API.
The end state: if somebody walked off with the SikkerKey database tomorrow, every secret value, every data key, and every project master key would be opaque ciphertext, and no key on disk would decrypt any of them.
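The three steps from "How it works", the cheap rotation described under "Why the layering matters", and the secret-ID-as-AAD binding from the SikkerKey section, as an added Go example (not SikkerKey's own code, which this page does not show): a fresh DEK per value, AES-256-GCM for both layers, and the secret ID bound as AAD to both the value and the wrapped DEK. Wrapping the DEK with GCM rather than a dedicated key-wrap mode, and passing the KEK in as a plain byte slice, are simplifying assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Record is the stored form: ciphertext plus wrapped DEK, each nonce||AES-256-GCM with the secret ID as AAD. The raw DEK is never stored.
type Record struct{ Ciphertext, WrappedDEK []byte }
func must[T any](v T, err error) T { // setup failures (bad key length, RNG failure) are bugs, not runtime conditions
	if err != nil {
		panic(err)
	}
	return v
}
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
func randBytes(n int) []byte    { b := make([]byte, n); must(rand.Read(b)); return b }
func seal(key, plaintext, aad []byte) []byte { // encrypt under key with a fresh random nonce, prepended to the output
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, data, aad []byte) ([]byte, error) { // reverse of seal; wrong key, wrong AAD, altered or truncated bytes all fail
	g := gcm(key)
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}
func Encrypt(kek []byte, id string, value []byte) Record { // fresh 256-bit DEK per value; value under DEK; DEK wrapped under KEK
	dek := randBytes(32) // exists only for this call; a real service also zeroes it afterwards
	return Record{seal(dek, value, []byte(id)), seal(kek, dek, []byte(id))}
}
func Decrypt(kek []byte, id string, r Record) ([]byte, error) { // unwrap the DEK with the KEK, then decrypt; the KEK never touches the value
	dek, err := open(kek, r.WrappedDEK, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(id))
}
func Rotate(oldKEK, newKEK []byte, id string, r Record) (Record, error) { // re-wrap the DEK only; the bulk ciphertext is untouched
	dek, err := open(oldKEK, r.WrappedDEK, []byte(id))
	if err != nil {
		return Record{}, err
	}
	return Record{r.Ciphertext, seal(newKEK, dek, []byte(id))}, nil
}
```

A record decrypts only under the KEK it was wrapped with and the secret ID it was stored under; after Rotate the old KEK no longer unwraps it while the ciphertext bytes are byte-for-byte unchanged.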
SikkerKey is the secrets manager built around the patterns in this glossary. Encrypted vault, machine identity over signed requests, dynamic secrets — set up in minutes.