Projects
How projects organize secrets, scope encryption, and control access in SikkerKey.
Projects are the primary organizational unit in SikkerKey. Every secret belongs to exactly one project. Each project has its own encryption key, its own machine memberships, and its own access grants. Compromising one project has zero effect on any other project in your vault.
Creating a Project
In the sidebar, click the + button next to "Projects". You will be asked for:
- Name: a label for the project (e.g. "Production", "Staging", "Internal Tools"). Up to 100 characters.
- Description (optional): context for your team.
When you create a project, a random 32-byte (256-bit) AES-256 master key is generated for that project. This key is stored only in encrypted form and is used to wrap (encrypt) the per-secret data keys within the project, so the master key never encrypts secret values directly. You don't need to manage this key. Encryption is handled automatically.
Per-Project Isolation
Each project has:
- Its own independently generated master key
- Its own secrets, each with independent per-secret data keys
- Its own machine memberships
- Its own per-secret access grants
- Its own team member permissions
Projects are cryptographically independent. Access to one project reveals nothing about another, even within the same vault.
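The two-layer scheme described above (a per-project master key wrapping one data key per secret) is easiest to see in code. The following is an added illustration, not SikkerKey's own implementation or SDK: it assumes AES-256-GCM as the authenticated mode for both layers (the page only says AES-256), binds each ciphertext to its project ID and secret name as associated data (a design choice of this example), and uses a hypothetical second project ID `proj_stg4c2x9lm` plus a constructed sample secret value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Project holds one project's 32-byte master key. SikkerKey stores that key
// encrypted; it is kept in plain memory here only to show the wrapping scheme.
type Project struct {
	ID        string
	masterKey []byte
}

// WrappedSecret is the at-rest record: the per-secret data key wrapped under the
// project master key, and the value encrypted under the data key.
type WrappedSecret struct {
	Name       string
	KeyNonce   []byte
	WrappedKey []byte
	ValueNonce []byte
	Ciphertext []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewProject generates an independent random master key, as project creation does.
func NewProject(id string) *Project {
	return &Project{ID: id, masterKey: randomBytes(32)}
}

func aesGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// aad binds each ciphertext to its project and secret name (this example's
// choice), so a record copied into another project or renamed fails
// authentication even if the key were right.
func aad(projectID, secretName string) []byte {
	return []byte(projectID + "/" + secretName)
}

// Seal generates a fresh data key for this secret, encrypts the value under it,
// then wraps the data key under the project master key (envelope encryption).
func (p *Project) Seal(name string, plaintext []byte) WrappedSecret {
	dataKey := randomBytes(32)
	ws := WrappedSecret{Name: name, KeyNonce: randomBytes(12), ValueNonce: randomBytes(12)}
	ws.Ciphertext = aesGCM(dataKey).Seal(nil, ws.ValueNonce, plaintext, aad(p.ID, name))
	ws.WrappedKey = aesGCM(p.masterKey).Seal(nil, ws.KeyNonce, dataKey, aad(p.ID, name))
	return ws
}

// Open reverses Seal. Both layers are authenticated, so a wrong master key
// (another project's) or a tampered record fails before any plaintext is produced.
func (p *Project) Open(ws WrappedSecret) ([]byte, error) {
	dataKey, err := aesGCM(p.masterKey).Open(nil, ws.KeyNonce, ws.WrappedKey, aad(p.ID, ws.Name))
	if err != nil {
		return nil, errors.New("unwrap failed: wrong project master key or tampered record")
	}
	pt, err := aesGCM(dataKey).Open(nil, ws.ValueNonce, ws.Ciphertext, aad(p.ID, ws.Name))
	if err != nil {
		return nil, errors.New("value decryption failed: tampered ciphertext")
	}
	return pt, nil
}

func main() {
	prod := NewProject("proj_8qpkrmp802")
	staging := NewProject("proj_stg4c2x9lm") // hypothetical second project
	rec := prod.Seal("DATABASE_PASSWORD", []byte("constructed-sample-password")) // constructed value
	pt, err := prod.Open(rec)
	fmt.Printf("production opens its own secret: %q err=%v\n", pt, err)
	_, err = staging.Open(rec)
	fmt.Println("staging opens production's record:", err)
}
```

Two points worth noting from the example. A project's master key wraps many data keys, so with random 96-bit GCM nonces the wrap count per master key must stay far below the 2^32 range where nonce collisions become a concern; each data key, by contrast, encrypts exactly one value. And isolation here is a property of the keys, not of the record layout: the staging project fails at the unwrap step because it simply does not have the production master key.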
Project IDs
Every project gets a unique ID in the format proj_ followed by 10 random alphanumeric characters (e.g. proj_8qpkrmp802). This ID is used in API calls, the SDK, and the CLI. You can find it in the project header on the secrets page.
Adding Machines to a Project
A machine registered with your vault does not automatically have access to any project. You must explicitly add it:
- Navigate to the project and open the Machines tab
- Click + Add Machine To Project
- Select the machine from the list
Adding a machine to a project does not give it access to any secrets. It only makes the machine eligible for secret grants within that project.
Granting Secret Access
After a machine is in a project, you must grant it access to specific secrets:
- From the project's Machines tab, click Configure on the machine
- Move secrets from Available to Granted
- Save
A machine can only read secrets it has been explicitly granted. There is no wildcard, no "grant all", and no inheritance. A machine in a "Production" project with access to the database password cannot read the Stripe key in the same project unless you grant it separately.
Team Member Access
Vault owners can add team members to specific projects. Adding a team member to a project gives them full secret management access: viewing metadata, creating, deleting and replacing secrets, and viewing version history and notes.
The dashboard never displays decrypted secret values. Reading the actual plaintext requires an authenticated machine with a per-secret grant.
Machine permissions are separate and must be explicitly granted:
| Permission | What it allows |
|---|---|
| machine_view | See machines in the project |
| machine_add | Add their own machines to the project |
| machine_remove | Remove machines from the project |
| machine_configure | Change which secrets a machine can access |
Permissions are enforced on every operation. Team members are managed from the Teams page via the Permissions modal.
Updating a Project
You can rename a project or update its description from the dashboard. Click the edit icon next to the project name in the sidebar. This does not affect encryption, machine access, or secret data.
Deleting a Project
Deleting a project permanently removes:
- The project itself
- All secrets in the project (encrypted values and data keys)
- All version history for those secrets
- All rotation schedules and managed secret configurations
- All machine-secret access grants for those secrets
- All project-machine memberships
You must type the project name to confirm deletion. This cannot be undone.
Your machines are not deleted from your vault. They remain registered and can be added to other projects. If team members had added their own machines to the project, those machines lose their project membership and secret grants but remain registered in the team member's vault.
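The membership and grant rules from "Adding Machines to a Project" and "Granting Secret Access", together with the deletion cascade just described, amount to a small access-control model. The following is an added example that models those rules in memory; it is not SikkerKey's code or API. It assumes hypothetical machine IDs (`mach_api01`), constructed secret names, and the project ID format given above (`proj_` plus 10 alphanumeric characters) for input validation.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// Project IDs are "proj_" followed by 10 alphanumeric characters.
var projectIDPattern = regexp.MustCompile(`^proj_[A-Za-z0-9]{10}$`)

// grantKey identifies one per-secret grant: one machine, one named secret, in
// one project. There is deliberately no project-wide or wildcard form.
type grantKey struct {
	project, machine, secret string
}

// Vault is an in-memory model of the membership and grant rules on this page.
type Vault struct {
	machines    map[string]bool            // machines registered with the vault
	secrets     map[string]map[string]bool // project ID -> secret names
	memberships map[string]map[string]bool // project ID -> member machine IDs
	grants      map[grantKey]bool
}

func NewVault() *Vault {
	return &Vault{
		machines:    map[string]bool{},
		secrets:     map[string]map[string]bool{},
		memberships: map[string]map[string]bool{},
		grants:      map[grantKey]bool{},
	}
}

func (v *Vault) RegisterMachine(id string) { v.machines[id] = true }

func (v *Vault) IsRegistered(id string) bool { return v.machines[id] }

func (v *Vault) CreateProject(id string) error {
	if !projectIDPattern.MatchString(id) {
		return fmt.Errorf("invalid project ID %q", id)
	}
	if _, exists := v.secrets[id]; exists {
		return errors.New("project already exists")
	}
	v.secrets[id] = map[string]bool{}
	v.memberships[id] = map[string]bool{}
	return nil
}

func (v *Vault) AddSecret(project, name string) error {
	s, ok := v.secrets[project]
	if !ok {
		return errors.New("no such project")
	}
	s[name] = true
	return nil
}

// AddMachineToProject makes a registered machine eligible for grants in the
// project. By itself it grants access to nothing.
func (v *Vault) AddMachineToProject(project, machine string) error {
	if !v.machines[machine] {
		return errors.New("machine is not registered with this vault")
	}
	m, ok := v.memberships[project]
	if !ok {
		return errors.New("no such project")
	}
	m[machine] = true
	return nil
}

// GrantSecret records an explicit grant for exactly one secret. Membership in
// the project is a precondition; nothing is inherited from other grants.
func (v *Vault) GrantSecret(project, machine, secret string) error {
	if !v.memberships[project][machine] {
		return errors.New("machine is not a member of this project")
	}
	if !v.secrets[project][secret] {
		return errors.New("no such secret in this project")
	}
	v.grants[grantKey{project, machine, secret}] = true
	return nil
}

// CanRead is the check a machine's read request must pass: current membership
// in the project AND an explicit grant for this particular secret.
func (v *Vault) CanRead(project, machine, secret string) bool {
	return v.memberships[project][machine] && v.grants[grantKey{project, machine, secret}]
}

// DeleteProject drops the project's secrets, memberships and grants. Machines
// stay registered with the vault and can be added to other projects.
func (v *Vault) DeleteProject(project string) {
	delete(v.secrets, project)
	delete(v.memberships, project)
	for k := range v.grants {
		if k.project == project {
			delete(v.grants, k)
		}
	}
}

func main() {
	v := NewVault()
	v.RegisterMachine("mach_api01") // hypothetical machine ID
	_ = v.CreateProject("proj_8qpkrmp802")
	_ = v.AddSecret("proj_8qpkrmp802", "DATABASE_PASSWORD")
	_ = v.AddSecret("proj_8qpkrmp802", "STRIPE_SECRET_KEY")
	fmt.Println("registered only:", v.CanRead("proj_8qpkrmp802", "mach_api01", "DATABASE_PASSWORD"))
	_ = v.AddMachineToProject("proj_8qpkrmp802", "mach_api01")
	fmt.Println("member, no grant:", v.CanRead("proj_8qpkrmp802", "mach_api01", "DATABASE_PASSWORD"))
	_ = v.GrantSecret("proj_8qpkrmp802", "mach_api01", "DATABASE_PASSWORD")
	fmt.Println("granted DB:", v.CanRead("proj_8qpkrmp802", "mach_api01", "DATABASE_PASSWORD"))
	fmt.Println("same project, Stripe key:", v.CanRead("proj_8qpkrmp802", "mach_api01", "STRIPE_SECRET_KEY"))
	v.DeleteProject("proj_8qpkrmp802")
	fmt.Println("after delete, can read:", v.CanRead("proj_8qpkrmp802", "mach_api01", "DATABASE_PASSWORD"),
		"still registered:", v.IsRegistered("mach_api01"))
}
```

The check in `CanRead` re-tests membership at read time rather than trusting the grant record alone, so a grant left behind by a removed membership would not by itself open the secret; the deletion path then removes both records anyway, which is the order the page's cascade describes.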