Secrets your server
can never read.
seekrit is an end-to-end encrypted, multi-tenant secrets manager on Cloudflare Workers. Encryption keys are generated and used entirely on the client — the backend only ever holds ciphertext.
Built around one rule
Zero-knowledge
Secrets are encrypted in your browser or CLI before they ever leave the machine. The server stores ciphertext and nothing else — a full database dump reveals no secret values.
One key per environment
Every environment has its own AES-256 data key, wrapped individually to each member and service token. Grant or revoke access without touching a deployment.
Everywhere your app runs
Local dev, Docker builds, CI pipelines, Kubernetes, and ephemeral AI-agent sandboxes — one command injects the right environment, decrypted at the edge of your control.
Audited by default
Every read, write, grant, and revocation lands in an append-only trail with actor attribution. Nothing happens to a secret without a record.
How it works
Envelope encryption end to end. The passphrase, private keys, and plaintext secrets never reach the API.
- 01
Create in the browser
Generate a keypair protected by your passphrase, then spin up an org, app, and environment. The environment's data key is born in your tab and wrapped to your public key.
- 02
Encrypt client-side
Add secrets in the web dashboard. Each value is encrypted with the environment key locally; only the ciphertext is uploaded.
- 03
Decrypt anywhere
The CLI and service tokens unwrap the same key with their own private key — in CI, a container, or an agent sandbox — and hand plaintext only to your process.
Made for every runtime
Encrypt something secret.
Spin up the console, or wire the CLI into your pipeline in a few commands.