CipherStash Docs

Secrets

End-to-end encrypted secret storage and management

CipherStash Secrets provides end-to-end encrypted secret storage. Values are encrypted locally before being sent to the CipherStash API — your plaintext secrets never leave your application.

What you get

  • End-to-end encryption — Secrets are encrypted on the client before transmission.
  • SDK and CLI — Manage secrets programmatically or from the terminal.
  • Environment scoping — Organize secrets by environment (production, staging, development), each backed by its own Key Set in ZeroKMS for cryptographic isolation.
  • Bulk retrieval — Fetch and decrypt multiple secrets in a single call.
  • Workspace isolation — Each workspace has its own isolated vault.
  • Zero-trust architecture — CipherStash never sees your plaintext secrets.

How it works

  1. The SDK encrypts secrets locally using @cipherstash/stack.
  2. Encrypted values are sent to the CipherStash API.
  3. CipherStash stores them in your workspace's isolated vault.
  4. On retrieval, the encrypted value is fetched and decrypted locally.

Only you can decrypt your secrets — CipherStash never has access to plaintext values. Each workspace has its own isolated vault, and each environment within a workspace uses its own Key Set in ZeroKMS for cryptographic isolation. This is the same Key Set primitive that powers multi-tenant encryption — a secret encrypted in one environment can never be decrypted with keys from another.
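The flow above, as an added example that is not CipherStash code and does not use the @cipherstash/stack API: Node's built-in AES-256-GCM stands in for the SDK's encryption, locally generated keys stand in for per-environment Key Sets, and the `vault` map and all function names are hypothetical. It shows that storage only ever holds ciphertext and that a record written in one environment fails to decrypt under another environment's key.

```javascript
// Added illustration, not the @cipherstash/stack API. AES-256-GCM stands in for
// the SDK's encryption; local random keys stand in for per-environment Key Sets.
const { randomBytes, createCipheriv, createDecipheriv } = require('node:crypto');

// Hypothetical client-side key material: one key per environment.
const envKeys = { production: randomBytes(32), staging: randomBytes(32) };

// Hypothetical vault: the storage side only ever holds encrypted records.
const vault = new Map();

function encryptSecret(env, plaintext) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', envKeys[env], iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

function decryptSecret(env, record) {
  const decipher = createDecipheriv('aes-256-gcm', envKeys[env], record.iv);
  decipher.setAuthTag(record.tag);
  // final() throws when the key does not match or the record was altered.
  return Buffer.concat([decipher.update(record.ct), decipher.final()]).toString('utf8');
}

// Steps 1-3: encrypt locally, then hand only the encrypted record to storage.
function setSecret(env, name, plaintext) {
  vault.set(`${env}/${name}`, encryptSecret(env, plaintext));
}

// Step 4: fetch the encrypted record and decrypt it locally.
function getSecret(env, name) {
  return decryptSecret(env, vault.get(`${env}/${name}`));
}

// Isolation check: a production record must not decrypt under the staging key.
function crossEnvDecryptFails(name) {
  try {
    decryptSecret('staging', vault.get(`production/${name}`));
    return false;
  } catch {
    return true;
  }
}

setSecret('production', 'DATABASE_URL', 'postgres://constructed.example/db');
console.log(getSecret('production', 'DATABASE_URL'));
console.log(crossEnvDecryptFails('DATABASE_URL'));
```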
