Secret Management

Three layers of encryption. Zero stored keys. Every secret knows which machine is asking.

Organize secrets into project vaults with three layers of encryption. Control exactly which machines can read what. Rotate values automatically on a schedule. Push credentials to your database without exposing it to the internet.

Get Started Free Read the Docs

SikkerKey secrets table showing encrypted secrets with rotation indicators, structured fields, version history, and machine access counts

Structured multi-field secrets

Store credentials as structured objects with named fields. Access individual fields via SDK or CLI without parsing JSON. Each field is independently addressable and can be configured to auto-rotate while others stay static.

Docs →

SikkerKey structured secret creation modal with database host, username, and password fields

Managed database credentials

SikkerKey rotates your database password on a schedule and pushes it to your database automatically. A CLI agent runs next to your database, applies the new credentials, and reports its health back to the dashboard. Your database is never exposed to the internet.

PostgreSQL, MySQL, Redis, and MongoDB.

Docs →

SikkerKey managed secret creation modal with PostgreSQL provider, connection details, managed credentials, and rotation schedule

Temporary self-destructing secrets

Share credentials without pasting them into Slack or email. Create a secret with a self-destruct timer, get a one-time link and passphrase. The recipient enters the passphrase to view the value. Wrong passphrase? Destroyed. Correct passphrase? Destroyed after viewing. Expired? Destroyed. One attempt. No traces.

Docs →

SikkerKey temporary secret creation showing value input, expiry timer, and one-time share link with passphrase

Version history and rollback

Every change creates a new encrypted version. Browse the full history, see when each version was created, and restore any previous version instantly. Your team can roll back a bad deploy in seconds.

Docs →

SikkerKey version history showing v3 current with restore buttons for previous versions v2 and v1

Per-secret machine access

Machines authenticate with Ed25519 signatures on every request. No tokens to leak, no sessions to hijack. Grant access to individual secrets, not entire projects. Revoke instantly from the dashboard.

Docs →

SikkerKey Configure Access modal with split Available and Granted panels showing per-secret Grant and Revoke controls

Everything else you need

Built for teams that take secrets seriously.

Automatic rotation

Enable rotation on any secret or structured secret. Set the interval, charset, and length. For structured secrets, choose which fields rotate while others stay static.

Severity-tagged audit log

Every operation logged with severity. Filter by action, user, machine, IP, or time. Export to CSV. Real-time email alerts for critical events.

Team collaboration

Invite team members to your vault. Control per-project, per-action permissions. Team members get scoped access without managing encryption keys.

CLI and 5 SDKs

Single-binary Go CLI. Kotlin, Go, Python, Node.js, and .NET SDKs. Bootstrap a machine in one command, read secrets in one line of code.

30-day trash retention

Deleted secrets are soft-deleted and retained for 30 days. Restore accidentally deleted secrets or permanently purge them.

Project-based encryption

Each project has its own randomly generated master key and independent encryption. Compromising one project reveals nothing about another.

Stop storing secrets in plaintext.

Create a free vault in under a minute. No credit card required.

Get Started Free