# Push secrets to the rest of your stack

> Connect Enkryptify to AWS, GitHub Actions, Vercel, Kubernetes and the rest of your stack. Edit a secret in Enkryptify and it propagates to every connected destination.

A sync is a one-way pipeline that propagates secrets from Enkryptify into an external destination: a cloud provider, a CI/CD platform, a container runtime or a custom system you build on the API. Enkryptify remains the single source of truth and the destination always reflects its current state.

## Sync directory

Integrations that push secrets from Enkryptify into the platforms you already run. A docs link is shown only when public docs exist. Integrations without docs are still in scope (`Available now`) or planned (`On the roadmap`).

### 01. Cloud & CI

Cloud and CI/CD platforms with native authentication.

| Provider | What it does | Status |
| --- | --- | --- |
| 1Password | Sync secrets from 1Password vaults. Teams keep one source of truth while Enkryptify controls access. | Available now, [docs](https://docs.enkryptify.com/sync/native/1password) |
| AWS Secrets Manager | Push secrets into AWS Secrets Manager. EC2, Lambda, ECS and other workloads read with IAM. | Available now, [docs](https://docs.enkryptify.com/sync/native/aws-secrets-manager) |
| Azure Key Vault | Push secrets into Azure Key Vault. Functions, App Service and AKS workloads read through Azure AD. | Available now, [docs](https://docs.enkryptify.com/sync/native/azure-key-vault) |
| GCP Secret Manager | Push secrets into Google Cloud Secret Manager. Cloud Run, Cloud Build and Vertex AI read with IAM. | Available now, [docs](https://docs.enkryptify.com/sync/native/gcp) |
| GitHub Actions | Push values into repository, environment and organization secrets. Workflows pick them up automatically. | Available now, [docs](https://docs.enkryptify.com/sync/native/github) |
| GitLab Pipelines | Push values into project, group and instance variables. Masking and scoping carry over. | Available now, [docs](https://docs.enkryptify.com/sync/native/gitlab) |
| Vercel | Push values into Production, Preview and Development. Branch-scoped values land before the build runs. | Available now, [docs](https://docs.enkryptify.com/sync/native/vercel) |
| Bitbucket Pipelines | Push values into Bitbucket repository and workspace variables. Pipelines pick them up on the next run. | Available now, [docs](https://docs.enkryptify.com/sync/native/bitbucket) |
| Fly.io | Push secrets to every Fly Machine and region. No more `fly secrets set` after each rotation. | Available now, [docs](https://docs.enkryptify.com/sync/native/flyio) |
| Supabase | Push secrets into Supabase project settings. Edge Functions and services read fresh values. | Available now, [docs](https://docs.enkryptify.com/sync/native/supabase) |

### 02. Containers

Container runtimes and orchestrators.

| Provider | What it does | Status |
| --- | --- | --- |
| Kubernetes | Sync into Kubernetes Secrets and ExternalSecrets. Pods refresh through the operator without sidecars. | Available now |
| Docker | Inject values into Compose, Swarm and standalone containers. Mount as files or env vars via the CLI. | On the roadmap |

### 03. Custom

For platforms without a native integration.

| Provider | What it does | Status |
| --- | --- | --- |
| Custom (API) | Build your own destination on the Enkryptify API. Token auth, webhooks on every rotation. | On the roadmap |
| .env export | Export to `.env`, `.env.production` or any custom file shape. For migrating off legacy systems. | Available now |

## How it works

Three steps.

1. **Connect once.** Authenticate the destination with an IAM role, OAuth app or fine-grained token. Scope it tight to what Enkryptify needs.
2. **Map an environment.** Pick which Enkryptify environment's values to push. The mapping shows up in your audit log.
3. **Forget about it.** Edits and rotations propagate automatically. Your workloads keep reading from the same place they always have.

## FAQ

### What is a sync in Enkryptify?

A sync is a one-way pipeline that propagates secrets from Enkryptify into an external destination: a cloud provider, a CI/CD platform, a container runtime or a custom system you build on the API. Enkryptify remains the single source of truth and the destination always reflects its current state.

### How often do syncs run?

Syncs run on every change. The moment a secret is updated, rotated, added or revoked in Enkryptify, every active destination is re-synced within seconds. There is no polling interval to configure and no scheduled-job latency to plan around.

### Can I sync the same secret to multiple destinations?

Yes. A single environment in Enkryptify can fan out to as many destinations as you need. For example, the same database URL can land in GitHub Actions, Vercel and AWS Secrets Manager simultaneously. Every destination keeps its own scoping rules, so you can ship narrower subsets where appropriate.

### What happens when a secret is rotated?

Rotation triggers an immediate re-sync to every destination connected to that environment. Workloads that read from the destination (Kubernetes pods, Vercel deployments, GitHub Actions workflows) pick up the new value on their next read or restart, exactly like a manual rotation but propagated automatically.

### Are syncs encrypted in transit?

Every sync uses TLS 1.3 end-to-end. Authentication to the destination is scoped to the minimum permissions needed (IAM roles for AWS and GCP, fine-grained tokens for GitHub and GitLab, service principals for Azure). No long-lived shared secrets are ever stored in the destination's metadata.

### Does a sync replace the Enkryptify CLI or SDK?

No, they cover different surfaces. Syncs are for systems that already expect their own secret store (CI/CD, cloud providers). The CLI, SDKs and IDE integrations are for engineers and AI agents that should never touch a raw value at all. Most teams use both: the CLI for local and agent workflows, syncs for the platforms where the destination is non-negotiable.

### Can I sync to a system that isn't on this list?

Yes. The Custom (API) destination lets you build a sync against anything that exposes an HTTP endpoint: internal platforms, in-house secret stores or third-party services we haven't shipped a native integration for yet. Webhook events fire on every rotation so your code can react in real time.

### Is there an audit log for syncs?

Every sync (initial push, rotation update, scope change, failure) is captured in the immutable audit log alongside human and agent reads. You can replay exactly which value reached which destination at which timestamp, which is the basis for ISO 27001, SOC 2 and GDPR evidence requests.

### What if I need a destination that isn't built yet?

Drop the team a line at contact@enkryptify.com with the platform name and your use case. Several of the integrations on this page started as a customer request. In the meantime, the Custom (API) destination or the .env export can usually bridge the gap immediately.

## Links

- This page: https://enkryptify.com/syncs
- Sync docs: https://docs.enkryptify.com/sync
- Pricing: https://enkryptify.com/pricing
- Request a sync or destination: https://enkryptify.com/contact
- Contact: contact@enkryptify.com
- Sign up: https://app.enkryptify.com
