Cloud · Managed

Shared Vault

A team vault for your production secrets, included with every Starter and Pro plan. Every teammate gets their own passphrase. The database only sees ciphertext.

Every team has that one Slack thread with the API keys in it. You know the one. The Shared Vault is how you stop adding to it.

It is a team-wide encrypted store for your environment variables, built into spky cloud. Nobody shares a master password. Nobody pastes secrets into a CI log. Nobody has to guess which .env was the right one.

Your passphrase stays with you

Each teammate picks their own passphrase the first time they touch the vault. It never leaves your machine. The CLI runs it through Argon2id locally and only sends the derived key to the server, so even we cannot recover your passphrase if you lose it.

Under the hood, every tenant has an RSA-4096 keypair and a shared encryption key. Each member carries their own encrypted copy of that key, unlocked by their own passphrase. Adding a teammate is a one-command invite. Removing a teammate deletes their copy instantly.
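
The per-member key copies described above, as an added Node.js example that is not sp00ky's own code. It assumes scrypt as a stand-in for Argon2id (scrypt ships in Node's core crypto module); the member names, passphrases and the `deriveKek`, `wrapForMember` and `unwrapForMember` helpers are hypothetical.

```javascript
// Added illustration, not sp00ky's code. scrypt stands in for Argon2id here
// (assumption) because it is available in Node's core crypto module.
const crypto = require('node:crypto');

// Derive a 256-bit key-encryption key (KEK) from a member's passphrase.
function deriveKek(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 2 ** 14, r: 8, p: 1 });
}

// Wrap the shared tenant key for one member with AES-256-GCM under their KEK.
function wrapForMember(sharedKey, passphrase) {
  const salt = crypto.randomBytes(16); // per-member salt
  const iv = crypto.randomBytes(12);   // fresh nonce for every wrap
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKek(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(sharedKey), cipher.final()]);
  return { salt, iv, ct, tag: cipher.getAuthTag() };
}

// Unwrap a member's copy. A wrong passphrase or a modified copy fails the
// GCM tag check, which is reported as null instead of garbage key bytes.
function unwrapForMember(copy, passphrase) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', deriveKek(passphrase, copy.salt), copy.iv);
  decipher.setAuthTag(copy.tag);
  try {
    return Buffer.concat([decipher.update(copy.ct), decipher.final()]);
  } catch {
    return null;
  }
}

// Constructed tenant state: one shared key, one wrapped copy per member.
function demo() {
  const sharedKey = crypto.randomBytes(32);
  const copies = new Map();
  copies.set('alice', wrapForMember(sharedKey, 'alice passphrase (constructed)'));
  copies.set('bob', wrapForMember(sharedKey, 'bob passphrase (constructed)'));
  const aliceOk = unwrapForMember(copies.get('alice'), 'alice passphrase (constructed)').equals(sharedKey);
  const wrongRejected = unwrapForMember(copies.get('bob'), 'not bob') === null;
  copies.delete('bob'); // offboarding removes only Bob's wrapped copy
  const aliceStillOk = unwrapForMember(copies.get('alice'), 'alice passphrase (constructed)').equals(sharedKey);
  return { aliceOk, wrongRejected, bobGone: !copies.has('bob'), aliceStillOk };
}

console.log(demo());
```
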

Secrets encrypted at rest

When you set a variable, it is encrypted with the tenant's public key using RSA-4096 plus AES-256-GCM, then stored in the database. If someone walks off with a Postgres dump, they walk off with ciphertext.

One honest caveat: decryption happens on the server at request time, so this is encryption at rest, not strict end-to-end. If you need "not even the platform can read it," see the comparison below, because that is not what sp00ky's vault promises.

It knows your deploys

Your sp00ky.yml can reference vault variables directly. Run spky cloud deploy and the right secrets land in the right service with no copy-paste. Rotate one value with spky cloud env set and the next deploy picks it up.

Forgot your passphrase? Any admin can approve a reset from the CLI. Left the company? Your copy of the key is deleted, your API keys are revoked, and the rest of the team carries on without re-encrypting anything.

How it stacks up

sp00ky's vault is scoped on purpose: secrets for your sp00ky app, managed by the CLI you already use. Here is where it sits next to the dedicated tools.

What you want to do sp00ky Doppler Infisical 1Password HashiCorp Vault
Add encrypted env vars without a separate service
Each teammate uses their own passphrase ~ ~
Secrets wired into your deploy pipeline out of the box ~ ~
True end to end: the platform never sees plaintext ~
Central secret management across many apps and clouds
Hardware backed root of trust (HSM, KMS, dynamic secrets) ~ ~ ~
first class  ·  ~ possible, with effort or caveats  ·  not a goal

When to pick something else

If you need secrets across half a dozen apps, clouds, and vendors, pick a real secret manager. HashiCorp Vault is the serious answer for dynamic secrets and HSM-backed trust. Doppler and Infisical are great if you want a dedicated product that spans many projects. 1Password is the move if strict end-to-end encryption is the point.

sp00ky's vault is the right call when you want your sp00ky app's production secrets handled properly, per teammate, with no extra subscription and no extra dashboard to remember your password for. For anything bigger, point your sp00ky.yml at the grown-up vault and we will happily fetch from it. We will not be offended.
