Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link
Secret ManagementThree-layer envelope encryption with operator-held keys
Machine AuthenticationEd25519 signatures, no tokens or sessions
Ephemeral MachinesShort-lived identity for CI runners and autoscaled fleets
OrganizationsMulti-user vaults with permission templates
Audit & ComplianceSeverity-tagged trail with real-time alerts
AI AgentsPlaintext-blind MCP server for Claude Code, Codex, Cursor
DocumentationConcepts, API reference, and quickstarts
CLI GuideSingle-binary CLI for terminals and scripts
SDKsNative clients for Python, Go, Node, Kotlin, and .NET
IntegrationsDocker, Kubernetes, GitHub, GitLab, and Bitbucket
BlogSecurity writeups, engineering deep-dives, and guides
GlossaryPlain-English definitions for secrets and machine identity
SikkerLinkShare a secret with a free self-destructing link

Secret sprawl

What happens when credentials end up scattered across env files, config maps, source code, chat threads, password managers, and forgotten clouds. The default state of any team without a secrets manager.

What it is

Secret sprawl is the gradual accumulation of credentials in every place a team's workflow touches: .env files on developer laptops, environment variables in CI configs, Kubernetes Secret resources, AWS Secrets Manager entries from a quick experiment three years ago, password manager vaults shared among different subsets of the team, Notion pages, Slack DMs, screenshots in support tickets. None of these places are inherently wrong; the problem is that they don't talk to each other, and as soon as you have a credential in more than one of them, you have a coordination problem disguised as a security problem.

The term gained traction around 2018-2020 as the secrets-management category emerged. It names a failure mode that's older than the term: every engineering team that grows past one developer rediscovers it.

How it happens

Sprawl doesn't happen because anyone made a bad decision. It happens because each individual decision was correct at the time:

After two years, the credentials a small team depends on exist in twelve places, and nobody has a complete inventory.

What it costs

Sprawl converts what should be a five-minute operation into an organizational problem:

How a secrets manager ends it

Centralizing credentials into one system replaces the inventory problem with a smaller one: making sure consumers actually fetch from the central system instead of caching values locally. A secrets manager can't stop a developer from copy-pasting a value into a config file, but it can:

The trade is conceptual rather than technical. Sprawl is comfortable because it never asks you to think about your entire credential surface at once. Centralizing forces that thought up-front; in exchange, every later operation is bounded.

How SikkerKey handles it

In SikkerKey, every secret lives in one place: a project inside your vault. Each secret has an explicit list of machines allowed to read it, and every read is recorded in your audit log with the requesting machine, IP, and timestamp.

When a credential needs to change, you update it once in SikkerKey, and consumers fetch the new value on their next read. For credentials backed by PostgreSQL, MySQL, MongoDB, Redis, or MSSQL, scheduled rotation generates new values automatically and pushes them to the database. The "twelve places" version of secret state becomes one place, with the operational consequences that follow.

See also

SecretsA credential, key, or token used to authenticate or encrypt, where unauthorized knowledge of the value causes material harm. Passwords, API keys, private keys, and OAuth tokens are the common kinds.
Secrets managerA system that stores, encrypts, and serves credentials to applications and machines at runtime, with centralized access control and audit logging, so secrets don't live in env files, source code, or shared password managers.
.env filesA plain-text file at the root of a project that defines environment variables as KEY=value lines, loaded by the application at startup so the same code can run against different configurations.
Secret rotationThe practice of replacing a credential's value on a schedule (or after suspected compromise) so a leaked value stops being useful within a bounded time window. Sometimes called credential rotation or key rotation.
Audit logAn append-only record of privileged actions, capturing who did what, when, and from where, so that operators and compliance reviewers can answer questions about historical behavior after the fact.

SikkerKey is the secrets manager built around the patterns in this glossary. Encrypted vault, machine identity over signed requests, dynamic secrets — set up in minutes.

Start for Free