▓▒░ early development ░▒▓
seekrit
An end-to-end encrypted secrets manager for teams. Orgs, apps, environments, and an audit trail — with keys that never touch the server.
seekrit — zsh
$ seekrit run -- ./start-server
DATABASE_URL=██████████████████████████
STRIPE_KEY=█████████████████
decrypted 2 secrets · acme/storefront/production
server listening on :3000
▸ zero-knowledge
Secrets are encrypted in your browser or CLI before they leave the machine. A full database dump yields ciphertext.
▸ one key per environment
Every environment has its own data key, wrapped per member and per service token. Revoke a grant, not a deployment.
▸ everywhere your app runs
Local dev, docker builds, CI, Kubernetes, ephemeral AI-agent sandboxes — one command injects the right environment.
▸ audited by default
Reads, writes, grants, revocations: every action lands in an append-only trail with actor attribution.
AES-256-GCM per secret · P-256 ECDH + HKDF key wrapping · passphrase-derived key encryption · Cloudflare Workers + D1