SikkerKey
SikkerKey is a cryptographically signed secrets vault that uses machine identity and Ed25519 keypairs to securely store and manage credentials for applications, machines, and services.
Description
SikkerKey is a secure secrets vault and manager that provides machine-authenticated access to sensitive credentials using asymmetric cryptography. Built on Ed25519 elliptic-curve signatures, each machine generates its own keypair on enrollment, with the private key never leaving the machine. Requests are signed with a combination of method, path, timestamp, nonce, and body hash; timestamps expire after 5 minutes and nonces are single-use, preventing replay attacks. The platform offers access policies that can restrict secret retrieval based on time windows, IP addresses, rate caps, and multi-party approval. It also features AI agent integration that allows agents to manage the vault (e.g., rotate secrets, configure policies) without ever reading plaintext credentials, plus a canary secret that locks the project when read. Native SDKs, a CLI, and a signed HTTPS API support various environments including Node.js, Python, Go, Kubernetes, and CI/CD pipelines.
Features
Asymmetric authentication using Ed25519 elliptic-curve signatures, with private keys never leaving the machine. Signed requests with timestamp (5-minute expiry) and single-use nonces to prevent replay attacks. Access policies with constraints like time windows, IP allowlisting, rate caps, and multi-party approval. AI agent integration for vault management without exposing plaintext secrets. Canary secrets that act as tripwires, locking the project when read. Native SDKs for Node.js, Python, Go, Kotlin/JVM, .NET, PHP; plus CLI and signed HTTPS API. Support for containers (Docker, Podman), orchestration (Kubernetes, Helm, Nomad, OpenShift), edge devices (Raspberry Pi), and CI/CD platforms (GitHub Actions, GitLab CI, Jenkins, etc.).
Benefits
Zero-trust security: secrets are never exposed in plaintext to machines or AI agents; access is gated by cryptographic signatures. Replay-proof requests with time-limited, single-use nonces. Granular access control via customizable policies that can combine multiple constraints. AI agents can perform secret management tasks without risking credential leakage. Cross-platform support: works with virtually any environment where code runs, from servers to edge devices. Canary secrets provide early breach detection by triggering project lockdown on unauthorized access.
Links
- Home: https://sikkerkey.com