seekrit
open-source · early development

Secrets your server can never read.

seekrit is an end-to-end encrypted, multi-tenant secrets manager on Cloudflare Workers. Encryption keys are generated and used entirely on the client — the backend only ever holds ciphertext.

seekrit — zsh
$ seekrit run -- ./start-server
DATABASE_URL=██████████████████████████
STRIPE_KEY=█████████████████
decrypted 2 secrets · acme/storefront/production
server listening on :3000

Built around one rule

01 Zero-knowledge

Secrets are encrypted in your browser or CLI before they ever leave the machine. The server stores ciphertext and nothing else — a full database dump reveals no secret values.

02 One key per environment

Every environment has its own AES-256 data key, wrapped individually to each member and service token. Grant or revoke access without touching a deployment.

03 Everywhere your app runs

Local dev, Docker builds, CI pipelines, Kubernetes, and ephemeral AI-agent sandboxes — one command injects the right environment, decrypted at the edge of your control.

04 Audited by default

Every read, write, grant, and revocation lands in an append-only trail with actor attribution. Nothing happens to a secret without a record.

How it works

Envelope encryption end to end. The passphrase, private keys, and plaintext secrets never reach the API.

  1. Create in the browser

    Generate a keypair protected by your passphrase, then spin up an org, app, and environment. The environment's data key is born in your tab and wrapped to your public key.

  2. Encrypt client-side

    Add secrets in the web dashboard. Each value is encrypted with the environment key locally; only the ciphertext is uploaded.

  3. Decrypt anywhere

    The CLI and service tokens unwrap the same key with their own private key — in CI, a container, or an agent sandbox — and hand plaintext only to your process.
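
The envelope scheme described in these steps and under "One key per environment", as an added example that is not seekrit's own code. It assumes AES-256-GCM for secret values and RSA-OAEP for key wrapping (the page names only AES-256); the function names, the `server` object and the sample value are constructed for illustration.

```javascript
// Added illustration of envelope encryption; not seekrit's code.
// Assumed: AES-256-GCM for values, RSA-OAEP (SHA-256) for key wrapping.
const crypto = require("node:crypto");
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Client side: each member or service token generates its own keypair.
function newRecipient() {
  return crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Client side: wrap the environment data key to one recipient's public key.
function wrapKey(dataKey, publicKey) {
  return crypto.publicEncrypt({ key: publicKey, ...OAEP }, dataKey);
}

function unwrapKey(wrapped, privateKey) {
  return crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
}

// Client side: encrypt one value. The secret name is bound as AAD so a
// stored ciphertext cannot be silently moved under a different name.
function encryptSecret(dataKey, name, value) {
  const iv = crypto.randomBytes(12); // fresh nonce for every encryption
  const c = crypto.createCipheriv("aes-256-gcm", dataKey, iv);
  c.setAAD(Buffer.from(name));
  const ct = Buffer.concat([c.update(value, "utf8"), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function decryptSecret(dataKey, name, { iv, ct, tag }) {
  const d = crypto.createDecipheriv("aes-256-gcm", dataKey, iv);
  d.setAAD(Buffer.from(name));
  d.setAuthTag(tag); // final() throws if ciphertext, name or tag was altered
  return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
}

// In this model the server holds only wrapped keys and ciphertext.
function demo() {
  const alice = newRecipient(), ciToken = newRecipient();
  const dataKey = crypto.randomBytes(32); // per-environment AES-256 key
  const server = {
    wrapped: { alice: wrapKey(dataKey, alice.publicKey), ci: wrapKey(dataKey, ciToken.publicKey) },
    secrets: { DATABASE_URL: encryptSecret(dataKey, "DATABASE_URL", "postgres://constructed-example") },
  };
  const ciKey = unwrapKey(server.wrapped.ci, ciToken.privateKey);
  const plain = decryptSecret(ciKey, "DATABASE_URL", server.secrets.DATABASE_URL);
  delete server.wrapped.ci; // revoke: drop this token's wrapped copy only
  return { plain, server, alice, ciToken };
}
```

Deleting a wrapped copy stops the server from handing that recipient the key. A recipient that already unwrapped the data key still holds it, so envelope schemes usually pair revocation with rotating the data key.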

Made for every runtime

Application ENV · Local development · Docker builds & deploys · CI pipelines · Kubernetes · AI agent sandboxes · CLI on any machine

Encrypt something secret.

Spin up the console, or wire the CLI into your pipeline in a few commands.