Crate Secrets

Crate Secrets is a secure, environment-aware secrets management module built directly into the Crate platform. It provides a centralized vault to securely store, retrieve, and inject sensitive information like API keys, database credentials, and tokens across your infrastructure.

Core Concepts

Organization-Scoped

All secrets belong to your Organization. Access is strictly controlled through Role-Based Access Control (RBAC), requiring an Admin role to manage or access secrets.

Environment Partitioning

Secrets are strictly partitioned by environment (dev, staging, prod). A secret named DATABASE_URL in dev is completely isolated from DATABASE_URL in prod.

  • By default, operations target the dev environment.
  • You can explicitly target other environments using the --env flag via the CLI or the env parameter in the API.

Zero-Knowledge Encryption

Your secrets are protected by a sophisticated 3-tier encryption architecture featuring AES-256-GCM encryption at rest and RSA-OAEP sealed transport. Crate never sees your plaintext secrets in transit when storing them.
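
The following is an added example, not Crate's own code or wire format: a generic Node.js sketch of how an RSA-OAEP sealed transport around an AES-256-GCM payload can work. The key pair, the function names `seal` and `open`, and the binding of environment and secret name as authenticated data are assumptions made for illustration.

```javascript
// Added illustration: generic RSA-OAEP + AES-256-GCM sealing, not Crate's actual format.
const crypto = require('node:crypto');

// Constructed stand-in for a server transport key pair (assumption).
const serverKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Sender side: encrypt the value under a fresh one-time AES-256-GCM key,
// then wrap that key with the recipient's RSA public key using OAEP.
function seal(publicKey, env, name, value) {
  const dek = crypto.randomBytes(32); // 256-bit data key, used once
  const iv = crypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = crypto.createCipheriv('aes-256-gcm', dek, iv);
  // Assumption: env and name are bound as AAD, so a blob sealed for
  // dev/DATABASE_URL fails authentication if presented as prod/DATABASE_URL.
  cipher.setAAD(Buffer.from(`${env}/${name}`));
  const ciphertext = Buffer.concat([cipher.update(value, 'utf8'), cipher.final()]);
  return {
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
    wrappedKey: crypto.publicEncrypt({ key: publicKey, ...OAEP }, dek),
  };
}

// Recipient side: unwrap the data key, then authenticate and decrypt.
// decipher.final() throws if the tag, ciphertext or AAD do not match.
function open(privateKey, env, name, sealed) {
  const dek = crypto.privateDecrypt({ key: privateKey, ...OAEP }, sealed.wrappedKey);
  const decipher = crypto.createDecipheriv('aes-256-gcm', dek, sealed.iv);
  decipher.setAAD(Buffer.from(`${env}/${name}`));
  decipher.setAuthTag(sealed.tag);
  return Buffer.concat([decipher.update(sealed.ciphertext), decipher.final()]).toString('utf8');
}
```

Only `wrappedKey`, `iv`, `ciphertext` and `tag` would cross the network in this sketch; the plaintext and the data key never leave the sender unencrypted.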

Secret Tagging

Secrets can be assigned tags (e.g., backend, database, frontend) when they are created or updated. This allows you to categorize secrets and fetch only the ones needed for a specific service, reducing the surface area of exposed credentials.

Learn more in the Security Deep Dive.


Getting Started

To use Crate Secrets, ensure your Organization’s subscription includes the Secrets Manager module.

1. Authenticate

Ensure you are logged into the Crate CLI with the correct organization selected:

crate login
crate session org set <organization-id>

2. Store a Secret

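Use the CLI to securely store a secret. The CLI automatically encrypts the value locally before sending it to the server. The value is still typed as a command-line argument on your machine, so it can be recorded in your shell history.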

crate secrets set STRIPE_API_KEY sk_test_12345 --env dev

3. Inject Secrets

The easiest way to use secrets locally or in CI/CD is by injecting them directly into your application’s environment:

crate run --env dev --tags backend -- npm run start

This command securely fetches all dev secrets tagged with backend and exposes them as environment variables to the npm run start process.


Next Steps

  • CLI Reference: Explore all available CLI commands.
  • API Reference: Integrate secrets programmatically via our REST or gRPC APIs.
  • Security: Understand the encryption model and key rotation.