VaultKey is the first secrets management platform built on fully homomorphic encryption. Store API keys, credentials, and secrets in an encrypted vault. Sign, authenticate, derive, and decrypt through proxy execution — the secret never leaves.
Your API keys are in .env files, CI/CD variables, Kubernetes secrets, and hardcoded in source. Every copy is a breach waiting to happen. Traditional vaults still decrypt secrets into memory on your server — the attack surface just moves.
The average engineering team has secrets in 6+ locations: .env files, CI/CD variables, Kubernetes secrets, cloud IAM, config files, and source code. Each copy is an independent breach vector. VaultKey replaces all of them with one encrypted vault.
Existing secrets managers retrieve the secret and hand it to your application in plaintext. The secret lives in your server's memory. A memory dump, side-channel attack, or root compromise exposes it. VaultKey never decrypts on your infrastructure.
Rotating a secret means updating every service, CI/CD pipeline, and config file that references it. Most teams don't rotate because the blast radius of a mistake is production downtime. VaultKey auto-rotates with zero downstream changes.
VaultKey uses H33's BFV fully homomorphic encryption to store secrets in encrypted form. When your application needs to sign a request, authenticate to an API, or decrypt data, VaultKey performs the operation inside the vault and returns only the result. The secret material is never transmitted, never decrypted on your infrastructure, never exposed.
SDKs for Python, Node.js, Go, Java, and .NET. GitHub Actions action, Kubernetes operator, and Terraform provider. OAuth 2.0 + HMAC-SHA256 API keys. All responses include Dilithium post-quantum signatures.
Encrypt and store an API key, credential, signing key, or arbitrary secret. Client-side encryption with configurable rotation policy.
Retrieve metadata (creation date, rotation schedule, last used, access count) without decrypting the secret itself. Zero exposure.
Cryptographic destruction of key material. Returns ZK proof of erasure. The ciphertext becomes permanently unrecoverable.
The hot path. Submit a payload and secret reference. VaultKey signs inside the vault and returns the signature. The signing key never leaves.
Make an authenticated HTTP request through VaultKey. The credential is injected from the vault. Your server never sees the API key, token, or password.
Authenticate to a third-party service using stored credentials. Supports OAuth, API key header, Basic auth, and custom schemes.
Derive encryption keys, HMAC keys, or session tokens from a stored master secret. The master secret never leaves the vault.
Decrypt data using a stored key. Submit ciphertext, receive plaintext. The decryption key itself remains encrypted in the vault.
Trigger immediate rotation for a secret. Generates new key material, updates all proxy references atomically. Zero-downtime rotation.
Configure auto-rotation schedules. Daily, weekly, monthly, or custom intervals. Rotation triggers webhook notification to your monitoring.
Scan a Git repository, CI/CD config, or Kubernetes manifests for hardcoded secrets. Returns migration plan with VaultKey references to replace each finding.
Chain-hashed, tamper-evident log of every secret access, proxy execution, and rotation event. Paginated, filtered, exportable as signed PDF.
Independently verifiable proof that a proxy execution was performed correctly without accessing the raw secret. Compliance-ready.
Configure alerts for anomalous access patterns, failed proxy executions, rotation failures, and secret expiration. Webhook, Slack, PagerDuty.
Real-time service health, proxy execution throughput, and secret utilization metrics. P50/P95/P99 latency breakdowns.
Start with 100 secrets for free. Scale to enterprise with dedicated infrastructure and custom SLAs. Every tier includes post-quantum encryption, audit logging, and ZK-STARK proofs.
VaultKey is designed to protect secrets against root compromise, memory dumps, side-channel attacks, and insider threats. The cryptographic architecture means a full breach of our infrastructure exposes zero plaintext secrets.
Full root access to VaultKey infrastructure exposes only FHE ciphertext. Without the client's private key, the encrypted secrets are computationally inaccessible. There is nothing to exfiltrate.
Secrets are never decrypted into memory on VaultKey servers. Proxy execution operates on encrypted data using homomorphic operations. Memory dumps, core dumps, and swap files contain only ciphertext.
All secrets are protected by CRYSTALS-Kyber key encapsulation and Dilithium signatures. Harvest-now-decrypt-later attacks against VaultKey are futile. Your secrets are safe against future quantum computers.
Audit observation period initiated at General Availability. Report available for vendor due diligence. Full audit trail with ZK-STARK proofs on every operation.
VaultKey operators cannot access stored secrets. There is no admin override, no master key, no backdoor. If the client's key is lost, the secrets are permanently unrecoverable. By design.
Every proxy execution generates a ZK-STARK proof of correct operation. Immutable audit logs are chain-hashed and tamper-evident. Exportable for SOC 2, ISO 27001, and PCI DSS evidence packages.
VaultKey stores your API keys, credentials, and secrets encrypted with BFV fully homomorphic encryption. When your application needs to use a secret — to sign a request, authenticate to a third-party API, or decrypt data — VaultKey performs the operation inside the encrypted vault through proxy execution. The secret never leaves the vault in plaintext. Your application receives the result (a signed request, an authenticated session, decrypted data) without ever handling the raw credential material.
Proxy execution means VaultKey performs cryptographic operations on behalf of your application without exposing the underlying secret material. Instead of retrieving a secret and using it locally, your application sends the operation to VaultKey's proxy endpoint. VaultKey executes the operation inside the FHE-encrypted vault — signing requests, generating HMAC tokens, authenticating API calls — and returns only the result. The secret never touches your server, your container, your CI/CD runner, or any infrastructure you manage.
VaultKey replaces hardcoded secrets in CI/CD pipelines with proxy execution calls. Instead of injecting AWS_SECRET_ACCESS_KEY or DATABASE_URL as environment variables in GitHub Actions, your pipeline calls VaultKey's proxy endpoint. The secret is never written to a runner's environment, never logged in build output, and never stored in GitHub's secrets store in plaintext form. Even if a build runner is compromised or build logs are leaked, no secret material is exposed. A GitHub Actions integration is available for drop-in setup.
VaultKey provides a fundamentally different security model. HashiCorp Vault and AWS Secrets Manager store secrets encrypted at rest but decrypt them when your application retrieves them — the secret exists in plaintext in your application's memory. VaultKey never exposes the plaintext secret to your application at all. Proxy execution means the secret stays encrypted and operations are performed inside the vault. For teams wanting the strongest possible secret protection, VaultKey is an upgrade. For teams with existing Vault deployments, VaultKey can wrap Vault as an additional security layer.
The proxy HTTP request endpoint lets your application make authenticated API calls to third-party services without possessing the credentials. You send VaultKey the target URL, HTTP method, headers, and body. VaultKey injects the stored credential — API key, bearer token, or HMAC signature — into the request inside the encrypted vault, forwards the authenticated request to the target service, and returns the response to your application. Your infrastructure never sees the credential used to authenticate the outbound request.
Nothing is exposed. If your server is fully compromised — root access, memory dump, full disk image — the attacker finds zero plaintext secrets because secrets never exist on your server in any form. VaultKey's proxy execution model means secrets are used inside H33's FHE-encrypted vault, and only operation results transit to your infrastructure. Even if H33's own infrastructure is breached, attackers obtain only BFV ciphertext indistinguishable from random noise. This is a fundamentally different security posture from retrieve-and-use secret managers.
VaultKey supports policy-based automatic rotation for supported secret types. You define a rotation schedule (30 days, 90 days, or custom), and VaultKey generates a new secret value, updates the encrypted vault, and begins using the new credential for all proxy execution calls. Your application code requires zero changes during rotation because it never directly handles the secret. Rotation events are logged with Dilithium-signed audit entries. Manual rotation is also available via API for immediate credential cycling after an incident.
The Developer free tier includes 100 encrypted secrets, 10,000 proxy executions per month, and full API access with no time limit. It is designed for individual developers and small projects to replace .env files and hardcoded credentials with real encrypted secrets management. The free tier uses the same FHE encryption and proxy execution security model as paid tiers — no security downgrade. No credit card is required to start. You can upgrade to the Team or Enterprise tier when you need more secrets, higher volumes, or team features.
VaultKey provides a Kubernetes sidecar container and a CSI driver for seamless integration. The sidecar intercepts outbound API calls from your pods and routes them through VaultKey's proxy execution endpoint, injecting credentials without exposing them as Kubernetes Secrets or environment variables. The CSI driver mounts encrypted secret references as volumes. Both methods ensure that secrets never exist in plaintext in your cluster — not in etcd, not in pod specs, not in container environment variables, and not in container memory.
VaultKey supports API keys, bearer tokens, OAuth client credentials, database connection strings, TLS certificates and private keys, SSH keys, HMAC signing keys, AWS IAM credentials, GCP service account keys, Azure service principal secrets, Stripe API keys, Twilio credentials, and arbitrary key-value secrets. Each secret type has optimized proxy execution handlers. For example, AWS credentials are used to sign SigV4 requests inside the vault, and TLS private keys are used for mTLS handshakes without the key ever leaving the encrypted vault.
Start free with 100 secrets. Replace your first .env file in 30 minutes. No credit card required. Upgrade when you're ready.