Security you can build on

We believe real security should be built-in, not something you stick on later. That's why SecretHub is designed to be secure from the ground up.

End-to-end Encryption

Of course you don’t feel like sharing your infrastructure secrets with us. Luckily you don’t have to. Every secret is encrypted before a single byte ever leaves your device. Only you control the encryption keys and only the people you choose can decrypt your secrets.

Open Source Code

We understand you don’t trust people blindly. We wouldn’t either. That’s why the code for the Go client, CLI and all integrations is open source and available on GitHub. This not only means that you can inspect our code, but that others have done so too.

State of the Art Cryptography

Your secrets are encrypted with the most widely accepted and battle-tested algorithms: AES-256 and RSA-4096. Under the hood, the code only uses modern, open source libraries that are trusted by the industry. Some would call it military grade, but we just call it secure.

How strong is 256-bit security?

The AES keys used to encrypt your secrets are 256 bits long. But how strong is that really?

  • Imagine we have 1 billion galaxies
  • Every galaxy (as big as our Milky Way) has 100 billion planets
  • On every planet, there are 8 billion people
  • And every person has 1 million super-computers

…so we have 800,000,000,000,000,000,000,000,000,000,000,000 (35 zeroes) super-computers

  • Let’s assume those super-computers can all try 100 quadrillion keys per second (which is optimistic, to say the least)
  • And we let all those super-computers run for 14 billion years (the age of the universe)

Even if we had all that, we’d still have a less than one in a million chance of finding the key to decrypt your secrets.

Open Security Design

We believe in transparency. So much so that we’ve documented our entire encryption design and published it for security researchers to review. The following design decisions (and more) are covered in-depth:

  • Encryption at rest and in transit
  • Secure secret sharing with your team
  • Account revocation and key rotation process
  • Motivation behind chosen encryption algorithms

Available from 6 data centers on 2 continents

From the law of truly big numbers it follows that if you host software long enough, failure is inevitable. We have servers in 6 data centers on 2 continents, so when one fails, SecretHub can automatically fail over to another region. Even if a server or a whole data center fails, we can still serve your secrets from one of our other data centers.

We care about bugs

If someone finds a bug in our software, we are ready for them. Our Responsible Disclosure Policy is there to help security researchers responsibly report any problems they find and to help us fix them accordingly.