Automate Software Delivery
Without Exposing Secrets

Securely provision passwords and keys to the applications that power your business, with just a few lines of code.

Get Started

Manage 50 secrets for free. No credit card required. It's free for as long as you want. No credit card required. It's free for as long as you want.

Provisioning passwords and keys to applications doesn't have to be painful...

Protecting access to secrets while trying to release more features every day can be overwhelming & stressful.
The good news? It doesn't have to be this way.

Anxious about plaintext secrets in source code?

When machine credentials end up in source code, critical data breaches happen. But without a safe place to store those secrets, where can you put them?

Basic secret storage on different platforms

Managing secrets across many different platforms?

Some platforms offer basic secret storage, but are bound to a single ecosystem. This fragments your infrastructure and forces you to reinvent the wheel for every tool in your stack.

Do you have months to spend implementing a solution?

No one likes data breaches, but classic secret management solutions are often so complex they take months to implement, require extensive training, and end up creating a lot of maintenance and operations overhead.

How SecretHub helps you protect access to secrets across your entire stack in a single afternoon

Much like a traditional password manager does for humans who log into websites, SecretHub automatically injects passwords and keys whenever a machine needs to 'log into' another machine, allowing you to automate software delivery without leaking secrets throughout your pipeline.

STEP 1

Replace plaintext secrets with reference tags

Use the CLI to encrypt and store secrets and then put the path to the secret in the configuration code that needs it.

What kind of secrets can I store?

You can store any sensitive data, e.g. database passwords, API keys, and even files.

STEP 2

Load secrets into your app the moment it starts

Use any of the native integrations to automatically load secrets when your app actually needs them, instead of hard-coding secrets in software.

Do I need to change my software to load secrets?

Nope, SecretHub is a lightweight addition to your existing software that provides secrets in a way it already knows how to load them. Simply add the CLI or native plugins to your Cl/CD flow and you're done.

STEP 3

Control & monitor priviliged access to secrets

Enforce security with access controls and audit logs. When people leave or an incident happens, update secrets without changing your source code.

Are my secrets safe?

Everything is automatically end-to-end encrypted under the hood, which keeps your secrets safe while you don't need any cryptography experience to use it.

…and lots more!

SecretHub comes packed with useful features to make developers and operations engineers more productive.

Cross-Platform Portability

SecretHub works in the same standardized way across all platforms, which ensures consistency across multiple development & release cycles and means you don't have to reinvent the wheel for each tool in your stack.

End-to-End Encryption

Safely store secrets knowing that we can never read their contents. Every secret is encrypted before it ever leaves your device. Only you and your team own the encryption keys.

99.95% Uptime

You don't have to set up, monitor, and maintain a highly available cluster. Take advantage of the globally distributed service to get up and running in less than a day. Custom hosting and uptime SLAs are available.

Team-Wide Consistency

SecretHub's standardized approach allows every team member to work in a production parity environment, with less time being spent setting up environments and debugging environment-specific issues.

Any Engineer Can Use It

Any engineer can use SecretHub with a 10-minute tutorial, which pays off in time spent incident-responding and time spent training people.

Open Source

All client code is fully open source so you can inspect the code and tweak it to your specific needs. Contributions are welcome!

See All Features

Integrate in Minutes

All you need is a few lines of configuration code to provision secrets on any OS, any Cloud and any machine - from local development, to CI/CD, to production.

1 FROM alpine
2 RUN apk add --repository https://alpine.secrethub.io/alpine/edge/main --allow-untrusted secrethub-cli
3 COPY . .
4
5 ENTRYPOINT ["secrethub", "run", "--"]
6 CMD ["./start-my-app"]

$ cat secrethub.env
DB_HOST: 127.0.0.1
DB_USERNAME: {{ path/to/db/username }}
DB_PASSWORD: {{ path/to/db/password }}
$ secrethub run -- ./start-my-app
Starting server...
Reading configuration from the environment... connected to db!
Listening for connections on :8080

1 resource "secrethub_secret" "db_password" {
2 path = "path/to/db/password"
3 }
4
5 resource "aws_db_instance" "default" {
6 engine = "mysql"
7 username = "myapp"
8 password = secrethub_secret.db_password.value
9 }

1 tasks:
2 - name: Read the database password
3 secrethub_read:
4 path: path/to/db/password
5 register: db_password
6 - name: Setup database
7 mysql_db:
8 name: my_db
9 login_password: {{ db_password }}

1 client, _ := secrethub.NewClient()
2 secret, _ := client.Secrets().ReadString("path/to/db/password")
3 fmt.Println(secret)
4 // Output: wFc16W#96N1$

$ cat config.yml.tpl
db_host: 127.0.0.1
db_username: {{ path/to/db/username }}
db_password: {{ path/to/db/password }}
$ secrethub inject --in-file config.yml.tpl --out-file config.yml
$ cat config.yml
db_host: 127.0.0.1
db_username: myapp
db_password: wFc16W#96N1$

See all integrations

Why Both Dev & Ops Love SecretHub

"We've tried pretty much every solution out there for secret management and SecretHub is The Thing filling the void in our pipeline. The experience was super nice: we had zero friction integrating SecretHub with our infrastructure."

- Janar Todesk
Lead DevOps Engineer @ Smaily

"By injecting passwords and tokens with the template tags, we’re now able to keep our application config files the same throughout the entire DTAP street. This is a real time saver, especially when you do a dedicated DTAP pipeline per customer."

- Rianne Ubbink
Lead Software Engineer @ Conclusion Digital

"I have to confess something. I used a product from a twitter ad and I love it. @GetSecretHub you win. Never happened before. I recommend it to people trying to run their own nonsense in “the cloud.”"

- Mark Anderson
Software Engineer

These companies are already accelerating their software delivery, when will you?

SecretHub is already helping teams like yours deliver software faster while protecting the keys to their customer data.

Get Started See Features

Manage 50 secrets for free. No credit card required. It's free for as long as you want. No credit card required. It's free for as long as you want. It's free for as long as you want. No credit card required.

Automate Software Delivery Without Exposing Secrets