# Enkryptify: Secrets that defend themselves

> The secrets platform that stores your API keys, database passwords and cloud credentials, rotates them automatically on a schedule and rotates or revokes them the moment they leak. Built for teams and AI agents.

Enkryptify is a secret management platform. It stores every API key, database password and cloud credential in one encrypted vault, rotates them on a schedule and shuts them down the instant something looks wrong. It is built for teams and AI agents, EU-based in Ghent (Belgium), ISO 27001 certified, GDPR compliant and open source.

## Secrets that defend themselves

Store every API key, database password and cloud credential in one vault. Enkryptify rotates them on a schedule and shuts them down the instant something looks wrong.

- No credit card required to start.
- ISO 27001 certified (see the Trust Center).
- Open source clients (CLI, SDK and tooling).

Primary actions:

- Start now: create an account at https://app.enkryptify.com
- How it works: https://docs.enkryptify.com/getting-started

Used by ByteFlies, Bizzy, Exhibitly, Aristotl, Hyperfox, EquiManage and RevOnc.

## Up and running in minutes

Enkryptify works locally through a CLI and in the dashboard. Create an account, then install the CLI for your platform and run your app through it so secrets are injected at runtime. A 57 second product demo video walks through the dashboard.

Install commands by platform:

- macOS: `brew install enkryptify/enkryptify/enkryptify`
- Windows (scoop): add the bucket once, then install:
  - `scoop bucket add enkryptify https://github.com/Enkryptify/scoop-enkryptify.git`
  - `scoop install enkryptify`
- Linux: `curl -fsSL https://raw.githubusercontent.com/Enkryptify/cli/refs/heads/main/install.sh | bash`

- Create an account: https://app.enkryptify.com
- CLI and getting started docs: https://docs.enkryptify.com/getting-started

## They all had a security team

Supply-chain attacks, leaked keys, stolen source. Every one started with a credential that still worked. That is the part we kill.

Recent disclosures from the last ~12 months:

| Incident | Date | What happened |
| --- | --- | --- |
| Mini Shai-Hulud | May 2026 | 373 malicious package versions across 169 npm packages stole CI/CD secrets via installation hooks. |
| Bitwarden CLI | Apr 2026 | Malicious CLI release stole developer tokens and could self-propagate. |
| Checkmarx KICS | Apr 2026 | KICS images and extensions were trojanized to harvest developer secrets. |
| Namastex Labs | Apr 2026 | Self-spreading package worm stole auth tokens across npm and PyPI paths. |
| Vercel | Apr 2026 | OAuth token compromise. Access through stolen Google Workspace credentials. |
| axios | Mar 2026 | Maintainer hijacked. Remote access trojan shipped to millions. |
| Cisco | Mar 2026 | Source code stolen through a compromised dev environment. |
| Telnyx | Mar 2026 | Backdoored Python SDK dropped WAV-hidden credential stealer. |
| LiteLLM | Mar 2026 | Stolen publishing credentials. Malicious packages published to PyPI. |
| GlassWorm | Mar 2026 | Credential stealer hit GitHub, npm, VSCode and OpenVSX components. |
| Shai-Hulud 2.0 | Nov 2025 | Second-wave npm worm stole secrets and backdoored packages. |
| xAI | Jul 2025 | Private API key leaked to a public GitHub repo. |

## Your secrets, always on watch

Storing a secret is the easy part. Enkryptify keeps working after that. It rotates on schedule, watches the keys attackers want and acts before a leak becomes a breach.

### 01. Rotate, on a schedule

Keys rotate automatically across Postgres, OpenAI, Anthropic, Resend and 10+ more providers. No tickets, no downtime, no human in the loop.

### 02. Watch, for trouble

Leaked keys, unusual access or a poisoned package in your supply chain. Enkryptify keeps eyes on the credentials that actually get stolen.

### 03. Contain, before it spreads

The moment something looks wrong, the affected secrets are rotated or revoked automatically. The stolen value is dead before anyone can use it.

## Benefits

### 01. Trust that scales with your team

Onboard developers, freelancers and agencies with the same access as your lead engineers: scoped, audited and revocable in one click. No shared logins, no credentials living on someone's laptop.

### 02. Let your agents ship

Cursor, Claude Code, Codex and other agents get scoped access to the secrets they need to run and test their own code, without you ever pasting a key into a prompt.

### 03. One source of truth

No more `.env` files on laptops. No more pasted tokens in Slack DMs. No more stale copies in Notion, no more secrets in Jira tickets. The value lives in the vault and nowhere else.

### 04. Instant setup

Migrate your secrets to Enkryptify. Install the CLI. Run your app with the CLI and your secrets are injected at runtime. No big refactor, no new paradigm. You can even start without any code changes.

## Integrations

Works with the tools you already use. Connect your cloud providers, CI/CD pipelines and dev tools in minutes. Enkryptify syncs and rotates across all of them, so you never push a key by hand again.

External integrations:

- 1Password
- AWS Secrets Manager
- Azure Key Vault
- GCP Secret Manager
- Github Actions
- GitLab Pipelines
- Vercel
- Bitbucket Pipelines
- Fly.io
- Supabase

Kubernetes and Docker:

- Kubernetes
- Docker

Custom integrations:

- Custom (API)
- .env export

See all syncs: https://enkryptify.com/syncs

## Security: certified, encrypted, European

We do not ask you to trust us. Independently audited, open to inspection.

- ISO/IEC 27001: independently audited and certified.
- Open source clients: CLI, SDK and tooling you can read line by line.
- Secured by Aikido: continuous third party security monitoring.
- EU residency: hosted in Germany, under GDPR.
- AES-256 encrypted at rest, TLS 1.3 in transit.

Trust Center: https://trust.enkryptify.com

## Get started: from zero to automated

The runbook, in four steps:

1. Create vault and add secrets. Sign in with Google or Microsoft, then paste your secrets, drag in a `.env` file or import from AWS, GCP and a dozen others. No credit card.
2. Read secrets from the environment. Replace hardcoded keys with `process.env.STRIPE_API_KEY`. The CLI injects the real value at runtime, so raw secrets never touch your repo.
3. Install the CLI. Four commands: install, log in, set up, run. Your app still boots the way it always did and no secrets land on disk.
4. Connect cloud and CI/CD. Wire Enkryptify into AWS, Azure, GCP, Vercel or GitHub Actions. From there, syncing and rotation run on their own.

Example CLI session:

```bash
brew install enkryptify/enkryptify/enkryptify
ek login
ek setup
ek run -- npm run dev
```

## Links

- Homepage: https://enkryptify.com
- Pricing: https://enkryptify.com/pricing
- All syncs and integrations: https://enkryptify.com/syncs
- Getting started and CLI docs: https://docs.enkryptify.com/getting-started
- Quickstart: https://docs.enkryptify.com/quickstart
- Sign up / create an account: https://app.enkryptify.com
- Trust Center (ISO 27001, security posture): https://trust.enkryptify.com
- Open source on GitHub: https://github.com/Enkryptify