Secrets Management Without the Enterprise Tax

AWS Secrets Manager, HashiCorp Vault, and Doppler are built for 200-person platform teams. PassCryp is built for the rest of us: indie devs, side projects, 5-person startups who still want their secrets encrypted, audited, and rotatable.

All your secret types in one vault

API keys, env vars, SSH keys, database URLs, webhook secrets — one searchable encrypted store.

Per-environment isolation

Tag every secret as dev / staging / prod. Filter and copy with confidence.

Expiry and rotation tracking

Set a rotation cadence. Get alerts before a secret goes stale in production.

Team sharing with audit

Share a project vault with your team. Every reveal and update is logged.

Zero-knowledge by default

Secrets encrypt on your device with AES-256-GCM. We never see plaintext.

CLI in beta

`passcryp env` reads project secrets into a local shell — no plaintext file on disk.

What lightweight secrets management actually looks like

Heavyweight tools assume a control plane, a network policy, and a platform team to run them. That overhead is fine if you have 50 services and a compliance auditor; it's a waste if you have 3 services and a single CI pipeline.

PassCryp's model is simple: one encrypted vault per project, one team per vault, one set of environment tags. Add a secret, tag it, share it. The vault is the source of truth; the CLI fetches at runtime; the audit log tells you who touched what.

What you give up vs HashiCorp Vault: dynamic credentials, network policy enforcement, pluggable backends. What you gain: setup measured in minutes, not days.

How a typical small team uses PassCryp for secrets

One shared vault per project. Secrets tagged by environment (dev/staging/prod) and grouped by service. Each engineer's machine has the CLI; CI fetches via a project-scoped read-only token.

Rotations happen on a schedule: PassCryp emails the owner 7 days before expiry, the owner rotates upstream (AWS, Stripe), updates the vault, and CI picks up the new value on next deploy. No `.env.prod` file lives on anyone's laptop.

When someone leaves, an admin removes them from the vault. The vault key rotates client-side, their wrapped copy becomes useless, and the audit log shows exactly which secrets they had access to.

When to upgrade to a heavyweight tool

Move to HashiCorp Vault, AWS Secrets Manager, or Doppler when you need dynamic credentials (per-request DB creds), policy-based access enforced at the network layer, or audit logs that satisfy SOC2 Type II. PassCryp covers the long flat middle — the 95% of teams who just need a shared, encrypted, audited place to put secrets.

Frequently asked questions

Is this a HashiCorp Vault replacement?

For small teams, yes. For platform teams managing dynamic credentials at scale, no — Vault has features we don't try to compete with.

Can I use this for production secrets?

Yes. PassCryp uses AES-256-GCM with Argon2id and a zero-knowledge architecture. Production secrets encrypt client-side and never sync in plaintext.

How does CI access secrets?

Project-scoped read-only API tokens. CI calls the PassCryp API and receives encrypted values, which it decrypts with the project key wrapped to the token's public key.

Do you support automatic secret rotation?

Manual rotation today with expiry alerts. Automatic rotation for AWS and Stripe is on the roadmap.

What about Doppler or Infisical?

Both are great if their pricing fits. PassCryp is cheaper at small-team scale and uses the same vault for personal and team secrets.

How do I migrate from a .env file?

`passcryp env import .env --project myapp --env dev` pushes every key into the project vault with the right tag.

Ready to take control of your secrets?

Start a free zero-knowledge vault in under 60 seconds.

Start your free vault