AWS Secrets Manager
Push secrets into AWS Secrets Manager. EC2, Lambda, ECS and other workloads read with IAM.
01
Cloud & CI
Cloud and CI/CD platforms with native authentication.
Azure Key Vault
Push secrets into Azure Key Vault. Functions, App Service and AKS workloads read through Azure AD.
On the roadmap
GCP Secret Manager
Push secrets into Google Cloud Secret Manager. Cloud Run, Cloud Build and Vertex AI read with IAM.
Github Actions
Push values into repository, environment and organization secrets. Workflows pick them up automatically.
GitLab Pipelines
Push values into project, group and instance variables. Masking and scoping carry over.
Vercel
Push values into Production, Preview and Development. Branch-scoped values land before the build runs.
Bitbucket Pipelines
Push values into Bitbucket repository and workspace variables. Pipelines pick them up on the next run.
Fly.io
Push secrets to every Fly Machine and region. No more fly secrets set after each rotation.
On the roadmap
02
Containers
Container runtimes and orchestrators.
Kubernetes
Sync into Kubernetes Secrets and ExternalSecrets. Pods refresh through the operator without sidecars.
Available now
Docker
Inject values into Compose, Swarm and standalone containers. Mount as files or env vars via the CLI.
On the roadmap
03
Custom
For platforms without a native integration.
Custom (API)
Build your own destination on the Enkryptify API. Token auth, webhooks on every rotation.
On the roadmap
.env export
Export to .env, .env.production or any custom file shape. For migrating off legacy systems.
Available now
▸How it works
Three steps.
- 01
Connect once
Authenticate the destination with an IAM role, OAuth app, or fine-grained token. Scope it tight to what Enkryptify needs.
- 02
Map an environment
Pick which Enkryptify environment's values to push. The mapping shows up in your audit log.
- 03
Forget about it
Edits and rotations propagate automatically. Your workloads keep reading from the same place they always have.
▸Questions
Q.01What is a sync in Enkryptify?
A.01
A sync is a one-way pipeline that propagates secrets from Enkryptify into an external destination: a cloud provider, a CI/CD platform, a container runtime, or a custom system you build on the API. Enkryptify remains the single source of truth, and the destination always reflects its current state.
Q.02How often do syncs run?
A.02
Syncs run on every change. The moment a secret is updated, rotated, added or revoked in Enkryptify, every active destination is re-synced within seconds. There is no polling interval to configure and no scheduled-job latency to plan around.
Q.03Can I sync the same secret to multiple destinations?
A.03
Yes. A single environment in Enkryptify can fan out to as many destinations as you need. For example, the same database URL can land in GitHub Actions, Vercel, and AWS Secrets Manager simultaneously. Every destination keeps its own scoping rules, so you can ship narrower subsets where appropriate.
Q.04What happens when a secret is rotated?
A.04
Rotation triggers an immediate re-sync to every destination connected to that environment. Workloads that read from the destination (Kubernetes pods, Vercel deployments, GitHub Actions workflows) pick up the new value on their next read or restart, exactly like a manual rotation but propagated automatically.
Q.05Are syncs encrypted in transit?
A.05
Every sync uses TLS 1.3 end-to-end. Authentication to the destination is scoped to the minimum permissions needed (IAM roles for AWS and GCP, fine-grained tokens for GitHub and GitLab, service principals for Azure). No long-lived shared secrets are ever stored in the destination's metadata.
Q.06Does a sync replace the Enkryptify CLI or SDK?
A.06
No, they cover different surfaces. Syncs are for systems that already expect their own secret store (CI/CD, cloud providers). The CLI, SDKs, and IDE integrations are for engineers and AI agents that should never touch a raw value at all. Most teams use both: the CLI for local and agent workflows, syncs for the platforms where the destination is non-negotiable.
Q.07Can I sync to a system that isn't on this list?
A.07
Yes. The Custom (API) destination lets you build a sync against anything that exposes an HTTP endpoint: internal platforms, in-house secret stores, or third-party services we haven't shipped a native integration for yet. Webhook events fire on every rotation so your code can react in real time.
Q.08Is there an audit log for syncs?
A.08
Every sync (initial push, rotation update, scope change, failure) is captured in the immutable audit log alongside human and agent reads. You can replay exactly which value reached which destination at which timestamp, which is the basis for ISO 27001, SOC 2, and GDPR evidence requests.
Q.09What if I need a destination that isn't built yet?
A.09
Drop the team a line at contact@enkryptify.com with the platform name and your use case. Several of the integrations on this page started as a customer request. In the meantime, the Custom (API) destination or the .env export can usually bridge the gap immediately.