What is SecretHub?

SecretHub stores encrypted secrets and helps you inject them securely into applications at runtime.


Encrypt and store

You download and run a program on your machine that encrypts secrets for you. It connects to the SecretHub cloud service that stores secrets in a highly available repository. Everything is versioned automatically and fully encrypted client-side.

secrethub write path/to/secret

secrethub read path/to/secret:latest


Grant access

You use access rules to define who has read, write or admin access on a secret. Under the hood, access rules are cryptographically enforced with client-side encryption.

secrethub acl set path/to/dir john read


Inject at runtime

You use SecretHub templates or any of the native integrations to inject secrets into the systems that need them.


Monitor and revoke

You use detailed audit logs to monitor how secrets are used and can revoke access with one keystroke when people leave or an incident happens.

secrethub audit path/to/secret

secrethub repo revoke path/to/dir john


Update without downtime

Recover quickly by immediately updating secrets when access is revoked. Automatic versioning ensures existing applications keep working during the update process.

secrethub write path/to/secret

secrethub rm path/to/secret:1

Secrets are versioned

Each time you write a secret, a new version is created so you never accidentally overwrite a version.

Reusable templates

Template syntax allows you to remove secrets from configuration files and reuse them between environments.

High availability as a service

You don't have to host, maintain and monitor a highly available secret server. We take care of all that.

No crypto knowledge required

All you need is basic terminal skills to encrypt and share secrets instantly.

Illustration of people jumping out of joy

Independer logo
Conclusion logo
Hoogheemraadschap van Delfland logo

Getting started is easy

Be up and running in minutes

brew install secrethub/tools/secrethub-cli