
Secrets Security Architecture

Crate Secrets is built on a zero-knowledge, defense-in-depth architecture. We assume the network is hostile and ensure that your secrets are protected both in transit and at rest using industry-standard cryptography (AES-256-GCM and RSA-OAEP).


3-Tier Key Hierarchy

Your secrets are encrypted at rest using a sophisticated multi-layer key hierarchy:

graph TD
    A[KMS Master Key<br/>versioned] --> B(Organization DEK<br/>per-org, AES-256)
    B --> C(Secret DEK<br/>per-secret, AES-256)
    C --> D(Secret Value<br/>AES-GCM encrypted)

  1. Secret DEK (Data Encryption Key): Every individual secret gets a unique, randomly generated 32-byte AES key. The secret value is encrypted using AES-GCM with this key.
  2. Organization DEK: The Secret DEK is then encrypted using your Organization’s DEK. This ensures that even if the database is compromised, the secrets are useless without the Org DEK.
  3. KMS Master Key: The Organization DEK is encrypted by a global Master Key managed by a Hardware Security Module (HSM)-backed Key Management Service (KMS).

Sealed Transport (Storing Secrets)

When you run crate secrets set, Crate ensures your plaintext secret never traverses the network.

  1. The CLI fetches your Organization’s public RSA key.
  2. The CLI encrypts the plaintext secret locally using RSA-OAEP with SHA-256.
  3. The CLI sends the ciphertext to the server (sealed=true).
  4. The server decrypts the value using the Organization’s private key (which is decrypted in memory using the KMS Master Key) and proceeds to store it using the 3-tier AES hierarchy.

The Crate API actively rejects unsealed plaintext secrets. You cannot bypass the sealed transport requirement.


Secure Retrieval

When fetching secrets via crate secrets fetch or crate run, we use an ephemeral key exchange to prevent interception by proxies or network sniffers.

  1. The Crate CLI generates a temporary, ephemeral RSA key pair on your machine.
  2. It sends the public key to the Crate server.
  3. The server bundles your requested secrets, generates a transient 32-byte AES key, and encrypts the bundle.
  4. The server encrypts the transient AES key with your temporary RSA public key.
  5. The CLI receives the response, decrypts the AES key using its ephemeral private key, and unseals the bundle.
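The retrieval exchange above (steps 1 to 5), written out as an added example in Go using only the standard library; this is not Crate's own CLI or server code, and the response layout (wrapped key, GCM nonce, ciphertext), the 2048-bit ephemeral key size and the function names are assumptions, since the page does not describe Crate's wire format:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SealedResponse is an assumed layout for the server's reply (not Crate's real wire format).
type SealedResponse struct {
	WrappedKey []byte // RSA-OAEP (SHA-256) ciphertext of the transient 32-byte AES key
	Nonce      []byte // 12-byte GCM nonce, fresh for every response
	Ciphertext []byte // AES-GCM output with the authentication tag appended
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Step 1 (CLI): a temporary RSA key pair that exists only for this one fetch.
func clientGenerateEphemeral() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Steps 3-4 (server): encrypt the bundle under a fresh AES-256 key, then wrap that key to the CLI's ephemeral public key.
func serverSeal(pub *rsa.PublicKey, bundle []byte) (*SealedResponse, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil { return nil, err }
	return &SealedResponse{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, bundle, nil)}, nil
}

// Step 5 (CLI): unwrap the AES key with the ephemeral private key and open the bundle;
// the GCM tag check turns any tampering with the ciphertext into an error.
func clientUnseal(priv *rsa.PrivateKey, r *SealedResponse) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, r.WrappedKey, nil)
	if err != nil { return nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	return gcm.Open(nil, r.Nonce, r.Ciphertext, nil)
}
```

Because the wrapping key is generated per fetch and never leaves the client, a proxy that records the response holds only a ciphertext it cannot unwrap, and GCM rejects any modified bundle.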

Key Rotation

Crate automatically manages key rotation at multiple levels without requiring any downtime or manual intervention from users.

  • Master Key Rotation: Our security team periodically rotates the global KMS Master Key. The system seamlessly decrypts and re-encrypts all Organization DEKs with the new Master Key version.
  • Organization Key Rotation: Organization DEKs can be rotated on demand. When this occurs, all Secret DEKs belonging to the organization are seamlessly re-encrypted with the new Org DEK.

Audit Logging

Every operation performed on a secret—whether it is stored, retrieved, or deleted—generates an immutable audit log entry. These logs include the actor, the environment, and the timestamp, allowing you to monitor secret access across your organization.

Note: Access to these logs is available if you have the Crate Audit Logging module enabled.