Why SecretHub?

Protect access to your secrets


Secure, end-to-end encrypted secret storage

Every secret is end-to-end encrypted, so you and your team are the only ones who can read them. See for yourself: all client-side code including cryptography is open source!

Team members and applications

Control who in your team can do what

Only share secrets with team members who actually need them.

  • No more emailing or Slacking secrets around and waiting on other team members
  • No more secrets lying around on employee workstations
CLI command: acl set

secrethub acl set company/repo/dev alice read

Control which application can do what

Create service accounts for non-human access and use the same access control system as for human accounts.

CLI command: service init

secrethub service init company/repo --description "Node.js app"
Audit log

Monitor and audit secrets usage

See which team member or application accessed your secrets when and from where.

CLI command: audit

secrethub audit company/repo/api_key
Leaving team member

Revoke access when team members leave

...or when an account shows suspicious activity. See every secret the account accessed and take appropriate measures.

CLI command: org revoke

secrethub org revoke company bob

Consolidate secrets across all systems, platforms, and services


Learn once, apply anywhere

Don't reinvent the wheel for every new tool in your stack.

With only a 10-minute tutorial, any engineer can start applying secrets management to all systems that need secrets.

Code once, run anywhere

Codify secrets in a standardized way across all tools and platforms.


...on any OS, VM, bare-metal server, and container

SecretHub is focused around a simple but powerful CLI that works on Linux, macOS, and Windows.

...on any cloud and on-prem datacenter

Extend your existing cloud identity (IAM) to achieve keyless applications or alternatively use cloud-agnostic keyfiles.

...with any developer tool and service

Have a single and secure source of truth for your secrets.

Load secrets on demand, instead of scattering copies of secrets throughout a multitude of tools that are just not built to do secrets management.

...in any software delivery phase and environment

Load secrets into your IDE, into your CI, all the way up to your production workloads.

Every team member can work in a production parity environment without having to grant everyone access to production secrets.

Switch between dev, staging, QA, prod, etc. with a single variable change.

CLI command: run

secrethub run --var env=prod -- ./start-my-app

The Afternoon Promise

Be up and running in no time.


There's nothing to host 🎉

Adopt secrets management without having to host a complex secret server.


You don't need to change your application code 🎊

SecretHub is a lightweight addition to existing software that operates on a configuration level.

  • No language or framework limitations
  • Use it in both modern and legacy applications
  • Install using your favorite package manager (apt-get, yum, apk, brew, and more)