Storing secrets

Secrets sit at rest, sealed. The value is encrypted before it leaves your machine. Only ciphertext and public material ever reach Stillvault.

Store from the console or the CLI

You store a secret from the web console or the stillvault CLI. The value is encrypted in your browser, or locally by the CLI, before it is sent. We never see the plaintext.

stillvault seal db/prod/password

The CLI reads the value, encrypts it on your machine, and uploads the ciphertext.

Paths, not names

Every secret is identified by a hierarchical path, such as db/prod/password. The path is how you write policy once and have it cover many secrets, instead of configuring each secret by hand.

Policy governs the path

You do not pick approvers per secret. The approval policy attached to the path decides who must countersign a release. To store a secret, the path must be covered by an approval policy first.

See approver groups for how policy and approvers are defined.
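
An added example, not Stillvault's own code: one way a path could be resolved to its covering approval policy before a store is accepted. The policy table, the group names and the matching rule (whole segments, most specific prefix wins) are assumptions made for illustration; the page does not specify how Stillvault matches paths.

```python
# Added illustration: segment-wise policy lookup for hierarchical secret paths.
# The policy table and the matching rule are assumptions, not Stillvault's own.

# Constructed sample: policy prefix -> approver group that must countersign.
POLICIES = {
    "db": "dba-leads",
    "db/prod": "prod-approvers",
    "ci/deploy": "release-managers",
}


def split_path(path):
    """Split a secret path into segments, rejecting malformed ones."""
    segments = path.split("/")
    if any(s in ("", ".", "..") for s in segments):
        raise ValueError(f"malformed secret path: {path!r}")
    return segments


def covering_policy(path, policies=POLICIES):
    """Return (prefix, approver_group) of the most specific covering policy.

    Matching is on whole segments, so 'db/prod' covers 'db/prod/password'
    but not 'db/production/password'. Returns None if nothing covers path.
    """
    segments = split_path(path)
    # Try the longest prefix first so the most specific policy wins.
    for end in range(len(segments), 0, -1):
        prefix = "/".join(segments[:end])
        if prefix in policies:
            return prefix, policies[prefix]
    return None


def check_can_store(path, policies=POLICIES):
    """Refuse to store a secret whose path no approval policy covers."""
    match = covering_policy(path, policies)
    if match is None:
        raise PermissionError(f"no approval policy covers {path!r}")
    return match


if __name__ == "__main__":
    for p in ("db/prod/password", "db/production/password", "ci/build/token"):
        try:
            print(p, "->", check_can_store(p))
        except PermissionError as exc:
            print(p, "-> refused:", exc)
```

Comparing whole segments rather than raw string prefixes is what keeps db/production/password from being treated as if it were under db/prod.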