▓▒░ early development ░▒▓

seekrit

An end-to-end encrypted secrets manager for teams. Orgs, apps, environments, and an audit trail — with keys that never touch the server.

seekrit — zsh
$ seekrit run -- ./start-server
DATABASE_URL=██████████████████████████
STRIPE_KEY=█████████████████
decrypted 2 secrets · acme/storefront/production
server listening on :3000

zero-knowledge

Secrets are encrypted in your browser or CLI before they leave the machine. A full database dump yields ciphertext.

one key per environment

Every environment has its own data key, wrapped per member and per service token. Revoke a grant, not a deployment.

everywhere your app runs

Local dev, docker builds, CI, Kubernetes, ephemeral AI-agent sandboxes — one command injects the right environment.

audited by default

Reads, writes, grants, revocations: every action lands in an append-only trail with actor attribution.

AES-256-GCM per secret · P-256 ECDH + HKDF key wrapping · passphrase-derived key encryption · Cloudflare Workers + D1