End-to-end Encryption
Of course you don’t feel like sharing your infrastructure secrets with us. Luckily you don’t have to. Every secret is encrypted before a single byte ever leaves your device. Only you control the encryption keys and only the people you choose can decrypt your secrets.
Open Source Code
We understand you don’t trust people blindly. We wouldn’t either. That’s why the code for the Go client, CLI and all integrations is open source and available on GitHub. This not only means that you can inspect our code, but that others have done so too.
State of the Art Cryptography
Your secrets are encrypted with the most widely accepted and battle-tested algorithms: AES-256 and RSA-4096. Under the hood, the code only uses modern, open source libraries that are trusted by the industry. Some would call it military grade, but we just call it secure.
Open Security Design
We believe in transparency. So much so that we’ve documented our entire encryption design and published it for security researchers to review. The following design decisions (and more) are covered in-depth:
- Encryption at rest and in transit
- Secure secret sharing with your team
- Account revocation and key rotation process
- Motivation behind chosen encryption algorithms
Available from 6 data-centers on 2 continents
From the law of truly big numbers follows that if you host software long enough, failure is inevitable. We have servers in 6 data centers on 2 continents, so when one fails, SecretHub can automatically fail-over to another region. Even if a server or even a whole data-center fails, we can still serve your secrets from one of our other data-centers.
We care about bugs
If someone finds a bug in our software, we are ready for them. Our Responsible Disclosure Policy is there to help security researchers responsibly report any problems they find and to help us fix it accordingly.
