SecretHub - Secret Management as a Service

Secure Any Application
in a Single Afternoon

Automate the provisioning of passwords and keys for your entire software delivery infrastructure

Get Started

INTRODUCING

Simple Secret Management

Say Goodbye to Plaintext Passwords

SecretHub is an automated password manager for machines and the people that operate them, removing the risks and limitations of placing passwords and keys in source code

DEVELOPMENT

Automate

Deployment

Build applications that automatically provision themselves with the secrets they need.

OPERATIONS

Simplify

Operations

Run infrastructure without ever seeing any secrets, but access them quickly during incident response.

SECURITY

Protect

Privileged Access

Protect access to secrets with encryption, access controls and audit logs.

See Features

End-to-End Encrypted Secret Storage

Safely store secrets knowing that we can never read their contents. Every secret is encrypted before it ever leaves your device. Only you and your team control the encryption keys.

Learn about security

Built for Developers

All you need is a few lines of configuration code to provision secrets on any OS, any Cloud and any machine - from local development, to CI/CD, to production.

1 FROM node:alpine
2 RUN apk add --repository https://alpine.secrethub.io/alpine/edge/main --allow-untrusted secrethub-cli
3 COPY . .
4
5 ENTRYPOINT ["secrethub", "run", "--"]
6 CMD ["npm", "start"]

See how to provision secrets in Docker

$ cat secrethub.env
DB_HOST: 127.0.0.1
DB_USERNAME: {{ path/to/db/username }}
DB_PASSWORD: {{ path/to/db/password }}
$ secrethub run -- ./myapp start
Starting server...
Reading configuration from the environment... connected to db!
Listening for connections on :8080

See how to provision secrets in Environment Variables

1 resource "secrethub_secret" "db_password" {
2 path = "path/to/db/password"
3 }
4
5 resource "aws_db_instance" "default" {
6 engine = "mysql"
7 username = "myapp"
8 password = secrethub_secret.db_password.value
9 }

See how to provision secrets in Terraform

1 tasks:
2 - name: Read the database password
3 secrethub_read:
4 path: path/to/db/password
5 register: db_password
6 - name: Setup database
7 mysql_db:
8 name: my_db
9 login_password: {{ db_password }}

See how to provision secrets in Ansible

1 client, _ := secrethub.NewClient()
2 secret, _ := client.Secrets().ReadString("path/to/db/password")
3 fmt.Println(secret)
4 // Output: wFc16W#96N1$

See how to provision secrets in the Go SDK

$ cat config.yml.tpl
db_host: 127.0.0.1
db_username: {{ path/to/db/username }}
db_password: {{ path/to/db/password }}
$ secrethub inject --in-file config.yml.tpl --out-file config.yml
$ cat config.yml
db_host: 127.0.0.1
db_username: myapp
db_password: wFc16W#96N1$

See how to provision secrets in Config Files

See all integrations

Open source

All client code is fully open sourced and developed in the open. Pull requests are welcome!

SecretHub on GitHub →

Highly available service

SecretHub is hosted in 6 datacenters on 2 continents. Enjoy high availability, zero maintenance and multi-cloud straight out of the box.

Check out the status page →

Why Customers Choose SecretHub

Whether it's processing email traffic or managing confidential patient records, customers choose SecretHub to secure their infrastructure. Here's why:

Easy to implement

SecretHub is a lightweight addition to existing software, that provisions secrets without requiring code changes.

Easy to use

Any engineer can use SecretHub with a 10-minute tutorial, which pays off in time spent incident-responding and time spent training people.

Built for hybrid and multi-cloud infrastructure

It's a highly available managed service that plugs into all platforms and use cases with zero maintenance and operations overhead.

Modernize Your Architecture

Thousands of machine passwords and API keys leak every day. Learn how to prevent this by incrementally deploying secret management alongside existing services with no interruptions.

Download Datasheet

Architecture diagram Secret Management Architecture

Teams like yours use SecretHub

"We've tried pretty much every solution out there for secret management and SecretHub is The Thing filling the void in our pipeline. The experience was super nice: we had zero friction integrating SecretHub with our infrastructure."

- Janar Todesk
Lead DevOps Engineer @ Smaily

"By injecting passwords and tokens with the template tags, we’re now able to keep our application config files the same throughout the entire DTAP street. This is a real time saver, especially when you do a dedicated DTAP pipeline per customer."

- Rianne Ubbink
Lead Software Engineer @ Conclusion Digital

"I have to confess something. I used a product from a twitter ad and I love it. @GetSecretHub you win. Never happened before. I recommend it to people trying to run their own nonsense in “the cloud.”"

- Mark Anderson
Software Engineer

Secure Any Application in a Single Afternoon