seekrit

Introduction

seekrit is an end-to-end encrypted, multi-tenant secrets manager built on Cloudflare Workers. It stores your API keys, database URLs, and other secrets, and hands them to your applications — in local development, Docker builds, CI, Kubernetes, and AI-agent sandboxes — without the server ever seeing a plaintext value.

Zero-knowledge by design

The defining property of seekrit is that encryption keys are generated and used entirely on the client. When you add a secret in the web dashboard or CLI, it is encrypted in your browser or on your machine before it is uploaded. The API — a Cloudflare Worker backed by D1 — only ever stores ciphertext. A full database dump reveals metadata (names, versions, timestamps) but no secret values.

This is achieved with envelope encryption:

  • Each environment has its own AES-256 data key (DEK).
  • Secrets are encrypted with that DEK.
  • The DEK is wrapped (encrypted) individually to each person or service token that should have access, using their public key.
  • A user's private key is itself encrypted with a passphrase-derived key, so any device can fetch it and unlock it locally — the passphrase never leaves the client.

See Encryption model for the full picture.

The pieces

seekrit is a small monorepo:

  • Web dashboard — create orgs, applications, and environments, and manage secrets with client-side encryption. Sign in with Google or GitHub (via Stytch).
  • CLI (seekrit) — link a project directory to an environment and inject decrypted secrets into any command, or export them as dotenv/json/shell.
  • API — a Hono Worker on Cloudflare with D1 (database) and KV, exposing an org-scoped REST API and an append-only audit trail.

Where to go next