SikkerKey

SikkerKey is a cryptographically signed secrets vault that uses machine identity and Ed25519 keypairs to securely store and manage credentials for applications, machines, and services.

Description

SikkerKey is a secure secrets vault and manager that provides machine-authenticated access to sensitive credentials using asymmetric cryptography. Built on Ed25519 elliptic-curve signatures, each machine generates its own keypair on enrollment, with the private key never leaving the machine. Requests are signed with a combination of method, path, timestamp, nonce, and body hash; timestamps expire after 5 minutes and nonces are single-use, preventing replay attacks. The platform offers access policies that can restrict secret retrieval based on time windows, IP addresses, rate caps, and multi-party approval. It also features AI agent integration that allows agents to manage the vault (e.g., rotate secrets, configure policies) without ever reading plaintext credentials, plus a canary secret that locks the project when read. Native SDKs, a CLI, and a signed HTTPS API support various environments including Node.js, Python, Go, Kubernetes, and CI/CD pipelines.

Features

Asymmetric authentication using Ed25519 elliptic-curve signatures, with private keys never leaving the machine. Signed requests with timestamp (5-minute expiry) and single-use nonces to prevent replay attacks. Access policies with constraints like time windows, IP allowlisting, rate caps, and multi-party approval. AI agent integration for vault management without exposing plaintext secrets. Canary secrets that act as tripwires, locking the project when read. Native SDKs for Node.js, Python, Go, Kotlin/JVM, .NET, PHP; plus CLI and signed HTTPS API. Support for containers (Docker, Podman), orchestration (Kubernetes, Helm, Nomad, OpenShift), edge devices (Raspberry Pi), and CI/CD platforms (GitHub Actions, GitLab CI, Jenkins, etc.).

Benefits

Zero-trust security: secrets are never exposed in plaintext to machines or AI agents; access is gated by cryptographic signatures. Replay-proof requests with time-limited, single-use nonces. Granular access control via customizable policies that can combine multiple constraints. AI agents can perform secret management tasks without risking credential leakage. Cross-platform support: works with virtually any environment where code runs, from servers to edge devices. Canary secrets provide early breach detection by triggering project lockdown on unauthorized access.

Links

Key info
Open Source
European
Hosting Information

Help Build the EuroStack

Know a solution we're missing? Found outdated information? Your contributions make the directory better for everyone.