Introduction
seekrit is an end-to-end encrypted, multi-tenant secrets manager built on Cloudflare Workers. It stores your API keys, database URLs, and other secrets, and hands them to your applications — in local development, Docker builds, CI, Kubernetes, and AI-agent sandboxes — without the server ever seeing a plaintext value.
Zero-knowledge by design
The defining property of seekrit is that encryption keys are generated and used entirely on the client. When you add a secret in the web dashboard or CLI, it is encrypted in your browser or on your machine before it is uploaded. The API — a Cloudflare Worker backed by D1 — only ever stores ciphertext. A full database dump reveals metadata (names, versions, timestamps) but no secret values.
This is achieved with envelope encryption:
- Each environment has its own AES-256 data key (DEK).
- Secrets are encrypted with that DEK.
- The DEK is wrapped (encrypted) individually to each person or service token that should have access, using their public key.
- A user's private key is itself encrypted with a passphrase-derived key, so any device can fetch it and unlock it locally — the passphrase never leaves the client.
See Encryption model for the full picture.
The pieces
seekrit is a small monorepo:
- Web dashboard — create orgs, applications, and environments, and manage secrets with client-side encryption. Sign in with Google or GitHub (via Stytch).
- CLI (seekrit) — link a project directory to an environment and inject decrypted secrets into any command, or export them as dotenv/json/shell.
- API — a Hono Worker on Cloudflare with D1 (database) and KV, exposing an org-scoped REST API and an append-only audit trail.