Zero-knowledge architecture

Passwords and secrets.
Zero knowledge.
One platform.

The only platform where the server is structurally incapable of reading your data — built for teams and developers.

securekee run --project myapp --env prod -- node server.js
✓ 14 secrets loaded
✓ Zero-knowledge mode active
✓ Server never saw plaintext
Server listening on :3000

  • Encryption: AES-256-GCM
  • Key derivation: PBKDF2
  • Machine access: ECDH P-256
  • Architecture: Zero-knowledge

  • AES-256 military-grade encryption
  • Zero data breaches
  • 99.9% uptime SLA
  • Open cryptographic design

Two products. One platform.

Everything your team needs, nothing they don't.

Password Vault

Zero-knowledge credential management for individuals and teams. Every item encrypted on-device before it ever leaves your browser.

  • AES-256-GCM encryption
  • PBKDF2-SHA256 key derivation
  • Browser autofill extension
  • iOS & Android apps
  • Zero-knowledge team sharing
  • MFA & SSO support
Web · Chrome · Firefox · iOS · Android
New

Developer Secrets

Projects → Environments → Secrets hierarchy. ECDH machine identities — the server returns only ciphertext, never plaintext secrets.

  • securekee run -- <cmd>
  • Node.js & Python SDKs
  • GitHub Actions (ZK-native)
  • ECDH machine identities
  • Rotation policies + webhooks
  • Secret versioning & audit
CLI · Node SDK · Python SDK · GitHub Actions · Docker

The zero-knowledge difference

We structurally cannot read your data.

Not a privacy policy. Not a promise. A cryptographic guarantee built into every layer of the architecture.

Doppler, Infisical, and HashiCorp Vault all return plaintext secrets from their servers to machines. SecureKee's ECDH architecture makes this physically impossible.

01

Encrypted on your device

Your master password never leaves your machine. Encryption runs locally using AES-256-GCM, with the key derived from your master password via PBKDF2-SHA256 with 600,000 iterations.

02

Only ciphertext reaches us

We store only encrypted blobs. Our servers hold no keys, no backdoors, and have no cryptographic path to your plaintext data.

03

Decrypted only by you

Your browser or app decrypts on-device. CI machines use ECDH keypairs — the server returns encrypted project keys the CLI decrypts locally.

AES-256-GCM · PBKDF2-SHA256 · ECDH P-256 · Open-source cryptographic implementations
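
The three steps above, including the ECDH machine path, sketched as an added example using Node's built-in crypto module; this is not SecureKee's code or SDK. The salt and nonce sizes, the HKDF step and its label, the ephemeral sender key and all sample values are assumptions, since the page names only the primitives and the 600,000 iteration count.

```javascript
// Added illustration, not SecureKee code. Sizes, HKDF and the wrapping scheme are assumptions.
const crypto = require('node:crypto');

function seal(key, plaintext) { // AES-256-GCM with a fresh 96-bit nonce per message
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, { iv, ct, tag }) { // throws on a wrong key or a modified blob
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]);
}

// Vault path: key derived on the client from the master password.
function vaultKey(masterPassword, salt) {
  return crypto.pbkdf2Sync(masterPassword, salt, 600000, 32, 'sha256');
}

// Machine path: ECDH P-256 shared secret -> HKDF-SHA256 -> 256-bit wrapping key.
function wrapKey(myEcdh, peerPublic) {
  const shared = myEcdh.computeSecret(peerPublic);
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'project-key-wrap', 32));
}
function newP256() { const e = crypto.createECDH('prime256v1'); e.generateKeys(); return e; }

function demo() {
  // 1. Client encrypts a vault item; only salt and blob would be uploaded.
  const salt = crypto.randomBytes(16);
  const blob = seal(vaultKey('constructed master password', salt), Buffer.from('constructed-secret'));
  const vaultItem = unseal(vaultKey('constructed master password', salt), blob).toString();
  // 2. A client wraps the project key to the CI machine's public key.
  const machine = newP256(), sender = newP256(); // sender key is ephemeral
  const projectKey = crypto.randomBytes(32);
  const wrapped = seal(wrapKey(sender, machine.getPublicKey()), projectKey);

  // 3. The CLI on the machine unwraps locally with its private key.
  const unwrapped = unseal(wrapKey(machine, sender.getPublicKey()), wrapped);

  // 4. Stand-in for the server: it has public keys and ciphertext, no private key.
  let serverCanRead = true;
  try { unseal(wrapKey(newP256(), sender.getPublicKey()), wrapped); } catch { serverCanRead = false; }

  return { vaultItem, keyMatches: unwrapped.equals(projectKey), serverCanRead };
}

console.log(demo());
```

When assessing a design like this, check that the stored record holds only the salt, nonce, ciphertext, tag and public keys, and that no derived key or private key is ever sent with it.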

Works everywhere

Every platform your team uses.

  • Web App: Full vault & secrets UI
  • Chrome: Autofill extension
  • Firefox: Autofill extension
  • iOS: Native app
  • Android: Native app
  • CLI: securekee run --
  • Node.js SDK: @securekee/sdk
  • Python SDK: securekee-python
  • GitHub Actions: secrets-action@v1
  • Docker: Container injection
  • Kubernetes: K8s operator
  • REST API: Machine endpoint

Built for developers

Secrets in your workflow.

Inject secrets into any process, fetch them in code, or sync them to GitHub Actions — without the server ever receiving plaintext values.

  • CLI injects env vars into any process with zero config
  • SDKs for Node.js and Python with full TypeScript types
  • GitHub Action: only 2 values needed in GitHub Secrets
  • Every machine read logged: identity, timestamp, and IP

# Inject all secrets as env vars — zero-knowledge
securekee run \
--project myapp --env prod \
-- node server.js
Loading secrets for myapp/prod
14 secrets injected into environment
Zero-knowledge — server saw only ciphertext
Server listening on :3000
Enterprise

See everything. Read nothing.

Monitor privileged sessions across sensitive applications in real time. Screenshots are encrypted client-side with AES-256-GCM and wrapped with your RSA-2048 key before they leave the browser. Not even SecureKee servers can view them.

Live session shadowing
Watch active sessions in real-time from the admin dashboard. See exactly what users see — without disrupting their workflow.
Zero-knowledge screenshots
Every screenshot is AES-256-GCM encrypted in the browser, wrapped with your RSA-2048 key. The server stores ciphertext it can never read.
Full session playback
Scrub through recorded sessions with a complete event timeline — page loads, navigation, clicks, and form activity.
Real-time event stream
Every navigation, click, and page load streams to your dashboard via SignalR. Spot suspicious activity the moment it happens.
Per-application control
Enable monitoring on specific applications. Toggle it on for AWS Console, off for Slack — granular control per target domain.

Enterprise plan  ·  Per-application control  ·  End-to-end encrypted  ·  Real-time SignalR streaming

How we compare

The only truly zero-knowledge secrets manager.

Feature · Doppler · Infisical · HCP Vault · SecureKee
Server can read secrets
Machine zero-knowledge access
Client-side decryption (always)
Built-in password vault
Browser extension & mobile app
Self-hostable
CLI tool
GitHub Actions integration
Open-source cryptography
Encrypted session monitoring

Partial support  ·  Based on public documentation as of 2026

Security by design

Paranoid about security? So are we.

AES-256-GCM
Industry-standard symmetric encryption for all vault and secrets data
PBKDF2-SHA256
600,000 iterations — industry-recommended key derivation from master passwords
ECDH P-256
Elliptic-curve key exchange enabling zero-knowledge machine access
Self-hostable
Deploy on your own infrastructure for complete data sovereignty
Open crypto
All cryptographic implementations are auditable and publicly documented
Zero-knowledge
The server stores ciphertext only — structurally incapable of decryption

Start building securely today.

Free forever for individuals. 14-day trial for teams.
No credit card required.