$ secrethub ls john/myrepo
db_password
db_user
sendchimp_token
server.key
$ cat <<EOF | secrets write john/myrepo/sendchimp_token
SC.ngeVfQFYQlKU0ufo8x5d1A.TwL2iGABf9DHoTf-09kqeF8tAmbihYzrnopKc-1s5cr
EOF

Writing secret...
Write successful! The given value has been written to john/myrepo/sendchimp_token:2
$ secrethub read john/myrepo/sendchimp_token:latest
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

Store your secrets in a safe place

Forget about accidentally checking that API key into Git. Never again will you have to search through your chat histories for a password, let alone scour your hard drive for that one key backup you're sure you made somewhere. SecretHub stores them all for you in a client-side encrypted repository and makes them accessible through a Command Line Interface (CLI).

Deploy secrets as code

When code gets in the way of serving customers, things start to crack. That's why we let you define how you want to consume your secrets in a config file. This file doesn't contain any secrets, so you can collaborate on it and check it into Git. You don't need to change your software to consume secrets from SecretHub: your applications can natively consume them as files, as fields in config files, or as environment variables.

$ cat << EOF > api-server.secrets
secrets:
    - file:
        source: "john/myrepo/server.key"
        target: "server.key"
        filemode: "0550"
    - env:
        vars:
            SENDCHIMP_TOKEN: john/myrepo/sendchimp_token
    - inject:
        source: "server-config.json"
        target: "injected-server-config.json"
        filemode: "0550"
EOF
$ cat << 'EOF' > server-config.json
{
    "db_url": "localhost:4567",
    "db_user": "${ john/myrepo/db_user }",
    "db_password": "${ john/myrepo/db_password }"
}
EOF
$ secrethub set
Setting secrets...
Set complete! The secrets have been set on your system and are ready to use.
$ ls
api-server.secrets              server-config.json
injected-server-config.json     server.key
$ cat injected-server-config.json
{
    "db_url": "localhost:4567",
    "db_user": "xAbKjLup",
    "db_password": ".syQ.#5P>6OARxqe"
}

$ secrethub repo revoke john/myrepo paul
Are you sure you want to revoke paul (Paul Baker) from the repository john/myrepo? [y/N]: y
Revoking user...

	db_password     => unaffected
	db_user         => unaffected
	sendchimp_token => flagged
	server.key      => flagged

Revoke complete! The user paul can no longer access the john/myrepo repository. Make sure you overwrite or delete all flagged secrets. Secrets: 2 unaffected, 2 flagged

Rotate secrets when people leave

Rest assured your production infrastructure stays safe, even when compromises happen. No more racking your brain to figure out what needs to be done when someone leaves. SecretHub automatically flags secrets whenever access is revoked. Reliably revoke access and rotate secrets in minutes instead of hours.

 

Audit the logs

SecretHub maintains detailed audit logs of all authenticated actions. Track down when and by whom a secret was accessed or modified throughout its lifetime. Stay compliant and prove it with just one command.

$ secrethub audit john/myrepo
WHO    ACTION          SUBJECT             IP ADDRESS       TIME
john   create.repo     myrepo              81.183.179.146   Tue Jul 4 09:28:27 2017
john   write.secret    server.key:1        81.183.179.146   Tue Jul 4 09:32:43 2017
john   write.secret    db_user:1           81.183.179.146   Tue Jul 4 09:35:11 2017
john   write.secret    db_password:1       81.183.179.146   Tue Jul 4 09:36:59 2017
john   write.secret    sendchimp_token:1   81.183.179.146   Tue Jul 4 09:39:52 2017
john   invite.user     paul                81.183.179.146   Tue Jul 4 09:45:18 2017
paul   write.secret    sendchimp_token:2   47.79.188.151    Wed Jul 5 11:29:37 2017
paul   read.secret     sendchimp_token:2   47.79.188.151    Wed Jul 5 11:31:14 2017
john   revoke.user     paul                81.183.179.146   Fri Jul 14 14:11:27 2017
john   write.secret    sendchimp_token:3   81.183.179.146   Fri Jul 14 14:12:48 2017
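
As an added example (not SecretHub's own code), this Python check takes the sample audit rows above and the secrets the revoke output marked as flagged, and lists the flagged secrets that have not been overwritten since the revocation. It assumes the whitespace-separated column layout shown in the sample; the function names are hypothetical.

```python
from datetime import datetime

# Rows copied from the page's sample `secrethub audit` output (abridged).
AUDIT = """\
john   write.secret    server.key:1        81.183.179.146   Tue Jul 4 09:32:43 2017
john   write.secret    sendchimp_token:1   81.183.179.146   Tue Jul 4 09:39:52 2017
paul   write.secret    sendchimp_token:2   47.79.188.151    Wed Jul 5 11:29:37 2017
paul   read.secret     sendchimp_token:2   47.79.188.151    Wed Jul 5 11:31:14 2017
john   revoke.user     paul                81.183.179.146   Fri Jul 14 14:11:27 2017
john   write.secret    sendchimp_token:3   81.183.179.146   Fri Jul 14 14:12:48 2017
"""
# Secrets the sample revoke output marks as "flagged".
FLAGGED = {"sendchimp_token", "server.key"}


def parse(line):
    """Split one audit row into (who, action, subject, ip, time).

    Assumes the column layout of the sample: the timestamp is the last
    five whitespace-separated fields.
    """
    who, action, subject, ip, *stamp = line.split()
    when = datetime.strptime(" ".join(stamp), "%a %b %d %H:%M:%S %Y")
    return who, action, subject, ip, when


def pending_rotation(audit_text, flagged, revoked_user):
    """Return flagged secrets with no new version written since the revoke."""
    rows = [parse(l) for l in audit_text.splitlines() if l.strip()]
    revoked_at = max(
        (t for _, action, subject, _, t in rows
         if action == "revoke.user" and subject == revoked_user),
        default=None,
    )
    if revoked_at is None:
        raise ValueError(f"no revoke.user event for {revoked_user}")
    # A secret counts as rotated once someone else writes a version after the revoke.
    rotated = {
        subject.rsplit(":", 1)[0]  # "sendchimp_token:3" -> "sendchimp_token"
        for who, action, subject, _, t in rows
        if action == "write.secret" and t > revoked_at and who != revoked_user
    }
    return sorted(set(flagged) - rotated)


if __name__ == "__main__":
    print(pending_rotation(AUDIT, FLAGGED, "paul"))
```

On the sample data, sendchimp_token was rewritten as version 3 after the revoke, so only server.key is still reported as awaiting rotation.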
 
Your secrets and metadata are client-side encrypted with keys only you control.
No crypto knowledge is required so your entire team can use it.
CLI and REST API to integrate with deployment pipelines.
We run highly available secret servers, so you don’t have to.
 

Deploy your secrets in minutes

Follow our quickstart guide and see how SecretHub can work for you.