Security That Makes Sense
Your secrets are too important to share over Slack. Keyway brings enterprise-grade encryption to every team, with the simplicity developers actually want to use.
Let's Be Honest About the Real Threat
Most dev teams don't get hacked by sophisticated attackers. They leak secrets through the most mundane channels imaginable.
How secrets actually leak
- Pasted in Slack, searchable forever
- Emailed to wrong person
- Committed to git history
- Left in a Google Doc "temporarily"
- Screenshot in Notion page
How Keyway prevents this
- One secure channel, always encrypted
- Access tied to GitHub permissions
- Nothing to accidentally commit
- No copy-pasting between apps
- Pull fresh secrets, never stale docs
How We Protect Your Secrets
We've implemented security best practices so you don't have to. No security degree required.
AES-256-GCM Encryption
The same encryption standard used by banks and governments. Each secret is encrypted under a 256-bit key with its own unique random IV, so brute-forcing the key is computationally infeasible.
Encrypted at Rest
Secrets are encrypted using AES-256-GCM by a dedicated service isolated from the internet. Database backups contain only encrypted data.
GitHub-Native Access Control
No separate user management to maintain. Access is automatically tied to your GitHub repository permissions. Remove someone from the repo, they lose access to secrets instantly.
TLS 1.3 Everywhere
All data in transit is protected with TLS 1.3, the latest version of the TLS protocol. Your secrets never travel unencrypted, even between our own services.
Isolated Infrastructure
Each customer's data is logically isolated. We run on hardened infrastructure with automatic security updates and 24/7 monitoring.
Privacy-Conscious Analytics
We use PostHog for product analytics, which can be disabled via KEYWAY_DISABLE_TELEMETRY=1. We never track secret values, only usage metadata. No selling data.
Better Than the Alternatives
Compare Keyway to how most teams actually share secrets today.
| Method | Encryption | Access Control | Audit Log | Revocation |
|---|---|---|---|---|
| .env in Slack/Email | None | None | No | Manual hunt |
| 1Password/LastPass | Yes | Manual | Yes | Manual |
| AWS Secrets Manager | Yes | IAM (complex) | Yes | Manual |
| Keyway | AES-256-GCM | GitHub (automatic) | Yes | Automatic |
What We're Building Towards
We believe in transparency. Here's what's done and what's coming.
AES-256-GCM encryption at rest
Built in Go for its audited standard library cryptography. Isolated from the internet, with unique IVs per secret.
GitHub OAuth authentication
No passwords to manage. Access follows your GitHub permissions.
TLS 1.3 for all connections
Latest protocol for data in transit. No exceptions.
Audit logs
Track who accessed what and when. Full activity history per vault.
Security Questions
How is my data protected?
Your secrets are encrypted with AES-256-GCM using a dedicated crypto service isolated from the internet. The encryption keys are stored separately from the encrypted data, minimizing exposure in case of a breach.
What happens if Keyway gets breached?
Attackers would need to compromise both the database and the isolated crypto service to decrypt secrets. We use unique IVs for each secret and authentication tags to detect tampering.
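The per-secret IV and authentication tag described in the answer above, shown as an added Go example built on the standard library. This is not Keyway's own code; the function names, the all-zero demo key and the sample secret are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds an AES-256-GCM AEAD and rejects any key that is not 32 bytes.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d bytes", len(key))
	}
	return cipher.NewGCM(block)
}

// sealSecret returns IV || ciphertext || tag, with a fresh random 96-bit IV per call.
func sealSecret(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	return gcm.Seal(iv, iv, plaintext, nil), nil
}

// openSecret checks the authentication tag and fails on any modified byte.
func openSecret(key, record []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, fmt.Errorf("record shorter than the IV")
	}
	return gcm.Open(nil, record[:gcm.NonceSize()], record[gcm.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key, not a real key
	rec, _ := sealSecret(key, []byte("API_TOKEN=example"))
	rec[len(rec)-1] ^= 1 // simulate tampering with the stored record
	_, err := openSecret(key, rec)
	fmt.Println("tampered record rejected:", err != nil)
}
```

Because the IV is stored in front of each record, encrypting the same secret twice yields different stored bytes, and a single flipped bit anywhere in the record makes decryption return an error rather than altered plaintext.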
Is this secure enough for production secrets?
Yes, for the vast majority of teams. We use the same encryption standard as banks (AES-256-GCM). If you're a Fortune 500 company with specific compliance requirements, you might need more. For everyone else, this is significantly better than Slack or shared docs.
How does access control work?
We verify access through GitHub's API in real-time. If you can push to the repo, you can access its secrets. Remove someone from the repo, and they immediately lose access. No manual revocation needed.
Where is data stored?
Our infrastructure runs on hardened servers with automatic security updates. Encrypted backups are stored in geographically distributed locations. We'll publish more details about our infrastructure as we grow.
Secure Your Secrets in 30 Seconds
Stop sharing .env files over Slack. Start using encryption that actually protects you.