Secrets

Single-value secrets in SikkerKey -- storing, replacing, rotating, and managing access.

A secret is a single encrypted value stored inside a project. API keys, passwords, connection strings, tokens -- anything that fits in one string.

Each secret has its own random AES-256 data key, which is wrapped by the project's master key. The secret ID is bound to the ciphertext as Additional Authenticated Data (AAD), preventing encrypted blobs from being swapped between secrets.
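As an added illustration of the envelope scheme described above (example code, not SikkerKey's own implementation): one random AES-256-GCM data key per secret, wrapped by a project master key, with the secret ID passed as AAD when the value is sealed, so a ciphertext moved onto another secret's ID fails authentication instead of decrypting. The nonce-prefixed blob layout, the 32-byte master key and the AAD-less key wrap are assumptions of this example, not documented SikkerKey formats.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// must panics on err: a broken CSPRNG or a wrong key length is a bug here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
// gcm builds AES-GCM over a 32-byte key (AES-256).
func gcm(key []byte) cipher.AEAD {
	return must(cipher.NewGCM(must(aes.NewCipher(key))))
}
// seal returns nonce || ciphertext || tag; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	must(rand.Read(nonce))
	return aead.Seal(nonce, nonce, plaintext, aad)
}
// open reverses seal; a wrong key, altered bytes or mismatched aad all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := gcm(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}
// Encrypt draws a fresh data key, wraps it under masterKey (assumed: no AAD on the wrap), and seals value with secretID as AAD.
func Encrypt(masterKey []byte, secretID, value string) (wrappedKey, blob []byte) {
	dataKey := make([]byte, 32)
	must(rand.Read(dataKey))
	return seal(masterKey, dataKey, nil), seal(dataKey, []byte(value), []byte(secretID))
}
// Decrypt unwraps the data key, then opens blob under secretID; a blob copied from another secret fails GCM authentication.
func Decrypt(masterKey []byte, secretID string, wrappedKey, blob []byte) (string, error) {
	dataKey, err := open(masterKey, wrappedKey, nil)
	if err != nil {
		return "", err
	}
	pt, err := open(dataKey, blob, []byte(secretID))
	return string(pt), err
}
```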

For secrets with multiple related values (like database credentials with host, username, and password), use a Structured Secret instead. For credentials that SikkerKey should push to an external database automatically, use a Managed Secret.

Secret IDs

Every secret gets a unique ID in the format sk_ followed by 10 random alphanumeric characters (e.g. sk_1b13qr1sb2). This ID is used in API calls, the SDK, the CLI, and machine access grants.

Creating a Secret

From the secrets page, click + New Secret and select Secret.

Enter a name and a value. Optionally add a note for context.

Reading a Secret

Secrets are read by authenticated machines via the SDK or CLI. The dashboard never displays decrypted values.

val apiKey = sk.getSecret("sk_stripe_key")
apiKey, err := sk.GetSecret("sk_stripe_key")
api_key = sk.get_secret("sk_stripe_key")
sikkerkey get sk_stripe_key

Replacing a Value

Click a secret to expand it, then click Replace value. Enter the new value and confirm.

Replacing a value:

  • Encrypts with a new random data key
  • Increments the version number
  • Saves the previous version to version history

Machines receive the new value on their next read.

Rotating a Value

Click Rotate on a secret to generate a new random value server-side. You can configure the length and charset.

Available charsets: symbols (default), alphanumeric, numbers, uuid.

Every rotation creates a new version and is audit-logged as secret_rotate.

Automatic Rotation

When creating a secret, you can check Enable automatic rotation to have SikkerKey generate a new value on a schedule. When enabled:

  • The value is auto-generated (you don't provide one)
  • You configure the rotation interval (minimum 5 minutes), generated length, and charset
  • The secret rotates automatically in the background
  • Manual replace and rotate are disabled while rotation is active

From the secrets list, expanding a rotating secret shows the schedule editor. You can pause, resume, or change the interval at any time.

Notes

Each secret has an optional plaintext note. Notes are not encrypted. Use them for context about what the secret is for or when it was last rotated externally.

Editing a note does not create a new version.

Version History

Every replace or rotation preserves the previous encrypted value. Click Version history to see all versions with timestamps.

You can restore any previous version. Restoring creates a new version entry, so rollbacks are themselves versioned.

Version retention is based on your subscription plan. Older versions are pruned automatically.

Deleting a Secret

Click Delete on a secret. This moves it to trash:

  • Machine access grants are removed immediately
  • Rotation schedules are cancelled
  • The secret remains recoverable from the trash for 30 days
  • After 30 days, it is permanently deleted

Machine Access

A machine can only read a secret if all of the following are true:

  1. The machine is registered, approved, and enabled
  2. The vault owner's account is active
  3. The machine is added to the secret's project
  4. The machine has an explicit grant to that specific secret
  5. The request includes a valid Ed25519 signature

There is no wildcard access. Adding a machine to a project does not give it access to any secrets. Each secret must be granted individually from the project's Machines tab via the Configure button.

What the Dashboard Shows

The secrets list displays metadata only:

  • Secret name and ID
  • Secret type indicator
  • Rotation indicator (if automatic rotation is enabled)
  • Version number
  • Number of machines with access
  • Last read time (from audit log)
  • Note
  • Created and updated timestamps

The dashboard never displays decrypted secret values. Secrets are read exclusively by authenticated machines via the SDK or CLI.