Secrets & Config
Management Platform
Teams Trust
Stop scattering API keys in .env files. SECRR gives engineering teams a single, encrypted source of truth — deployable on your own infrastructure or as a managed SaaS. Every secret versioned. Every access logged. Nothing left to chance.
No credit card required · Self-host for free · SaaS plans available
Everything You Need to
Manage Secrets at Scale
Built for engineering teams who need a self-hosted, open-core alternative to manage sensitive configuration across environments.
AES-256-GCM Encryption
Keys never touch the DB
Every secret is encrypted at rest using AES-256-GCM. Encryption keys are managed separately and never persisted alongside the data they protect.
Secret Versioning
Immutable history
Every change creates an immutable version. Roll back to any previous state with one click. Full audit trail of who changed what and when.
Fine-Grained RBAC
4-tier role system
Admin, DevOps, Developer, Viewer roles — each scoped per organization and project. Grant the minimum access each team member needs, nothing more.
Environment-Based Secrets
Dev · Staging · Production
Organize secrets by environment with per-environment access controls. Developers can see staging; only CI/CD can touch production. Enforced, not just promised.
Service Tokens
Scoped & expiring
Generate scoped, short-lived machine tokens for CI/CD pipelines, Docker agents, and Kubernetes operators. Rotate without touching your app code.
Docker Agent
Zero-disk injection
Lightweight Go agent pulls secrets and injects them into container environments at runtime. Writes .env files locally only when required — never stored in images.
Self-Hosted First
One docker compose up
Run everything with a single docker compose up. Your secrets stay on your infrastructure. No data leaves your network.
Kubernetes Operator
Native K8s Secrets sync
SecrrSecret CRDs sync directly into native Kubernetes Secrets. Zero manual secret management. Rotations propagate automatically across all pods.
REST API & SDKs
OpenAPI documented
Full REST API with OpenAPI docs. Language SDKs and CLI for developer workflows. Integrate secret injection directly into your deployment pipelines.
Built for
Security-First Teams
SECRR is the source of truth for your secrets. No local overrides in production. Every access is logged, every change is versioned, every secret is encrypted — giving your team the confidence to move fast without breaking compliance.
- End-to-end encryption at rest
- Full audit trail for every access and mutation
- Bulk import/export — env, JSON, YAML
- Organization & project-level scoping
- ETag-based change detection for zero-diff agent pulls
- Secret folders for logical grouping
- Email invitations with role assignment
- Automatic database migrations
How It Works
SECRR Server
Docker Agent
K8s Operator
REST API
Your Apps
Run It Your Way
Self-host on your own infrastructure or let us manage it. No vendor lock-in either way.
Self-Hosted
Deploy on your own servers, VPC, or bare metal. Your data never leaves your network. Ideal for compliance-heavy industries and teams with strict data residency requirements.
- docker compose up in under 2 minutes
- Full feature access, no telemetry
- Automatic database migrations
- Works air-gapped — no external calls required
- Community support via GitHub
Managed SaaS
We run it, you use it. Hosted on hardened cloud infrastructure with SOC-2-aligned controls, automated backups, and 99.9% uptime SLA. Zero ops burden for your team.
- Start in seconds — no infra setup
- Automated backups & patch management
- 99.9% uptime SLA
- Priority support with SLA-backed response
- Migrate to self-hosted anytime — no lock-in
Built on a Modern, Auditable Stack
No black boxes. Inspect, extend, and deploy with confidence.
Stop Trusting Secrets to .env Files
Give your team a single encrypted source of truth. Self-host in minutes or use our managed cloud. No credit card required to start.
Self-hosted · Open-core · No vendor lock-in