Security, by design
Keyway's GitHub-native model removes whole classes of mistakes: no separate user directory to misconfigure, no secrets pasted into Slack, no .env files left on disk. Access follows your code: if you can push to a repository, you can read its secrets, and when your repository access goes, your secret access goes with it.
How Your Secrets Are Protected
Keyway runs encryption in a separate service with no internet access. A compromised API server or a dumped database yields only ciphertext, because neither one holds the key.
Key isolation
The encryption key never touches the API server, the database, or any internet-facing service.
Minimal attack surface
~300 lines of Go using the standard library's audited crypto package. No third-party dependencies.
Self-hostable
Run the crypto service in your own VPC, on a private network reachable only by your API server, fully under your control.
Secrets That Never Touch Disk
keyway run injects secrets as environment variables directly into your process. When the process stops, the secrets disappear.
.env file on disk
- ✗Written to disk in plaintext
- ✗ Readable by any process on the machine that can read your files
- ✗Visible to AI coding assistants as context
- ✗Persists after process stops
- ✗Easy to accidentally commit to git
keyway run
- ✓Injected into process memory only
- ✓ Scoped to the process tree that keyway run starts
- ✓ Not part of the workspace files that AI agents and IDE tools index
- ✓Disappears when the process stops
- ✓Nothing to commit — no file exists
$ keyway run -- npm start
Defense in Depth
Multiple layers of protection so that no single failure can expose your secrets.
AES-256-GCM Encryption
Every secret is encrypted with a unique random IV and authenticated with a tag that detects tampering. The encryption key lives only in the isolated crypto service — never in the API server or database.
GitHub-Native Access Control
No separate user management. Access mirrors your GitHub repository permissions in real time. Remove someone from the repo and they lose access to its secrets on their next request.
TLS 1.3 Everywhere
All connections — CLI to API, API to crypto service, API to database — are encrypted with TLS 1.3. Your secrets never travel unencrypted.
Zero-Trust Mode
keyway run injects secrets as environment variables directly into your process memory. When the process stops, the secrets disappear. Nothing written to disk.
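The injection pattern described here and under Secrets That Never Touch Disk, as an added Go sketch. This is example code, not the keyway CLI's source: the function names, the KEYWAY_EXAMPLE_DB_URL variable and its value are this example's own, and the usage call assumes a POSIX sh on the path. The child receives the secrets through the environment slice it is started with; the parent never calls os.Setenv and nothing is written to a file.

```go
package main

import (
	"bytes"
	"fmt"
	"os"
	"os/exec"
	"strings"
)

// injectEnv builds the child's environment: the parent's environment minus any
// variable a secret would shadow, plus the secrets themselves. The values exist
// only in this slice and, after exec, in the child process's memory.
func injectEnv(base []string, secrets map[string]string) []string {
	env := make([]string, 0, len(base)+len(secrets))
	for _, kv := range base {
		name, _, _ := strings.Cut(kv, "=")
		if _, shadowed := secrets[name]; !shadowed {
			env = append(env, kv)
		}
	}
	for k, v := range secrets {
		env = append(env, k+"="+v)
	}
	return env
}

// runWithSecrets starts name with args under the injected environment and
// returns the child's stdout. The parent's own environment is left untouched,
// so a crash dump or a later `env` in the parent shell shows nothing.
//
// Caveat (a property of the OS, not of this code): on Linux any process running
// as the same user can read the child's environment from /proc/<pid>/environ,
// and processes the child spawns inherit it. This keeps secrets off disk; it
// does not hide them from code running as you.
func runWithSecrets(secrets map[string]string, name string, args ...string) (string, error) {
	cmd := exec.Command(name, args...)
	cmd.Env = injectEnv(os.Environ(), secrets)
	var out bytes.Buffer
	cmd.Stdout = &out
	cmd.Stderr = os.Stderr
	err := cmd.Run()
	return out.String(), err
}

func main() {
	// Constructed sample secret; a real tool would fetch these from its vault API.
	secrets := map[string]string{"KEYWAY_EXAMPLE_DB_URL": "postgres://app:pw@db:5432/app"}
	out, err := runWithSecrets(secrets, "sh", "-c", `printf '%s' "$KEYWAY_EXAMPLE_DB_URL"`)
	fmt.Printf("child saw: %q (err=%v)\n", out, err)
	fmt.Printf("parent has it: %v\n", os.Getenv("KEYWAY_EXAMPLE_DB_URL") != "")
}
```

The shadowing step matters: if the parent shell already exports a stale DATABASE_URL, appending without removing it leaves two entries and the child's runtime decides which wins.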
Audit Trail
Every access is logged — who pulled which secrets, when, and from where. Full activity history per vault for compliance and incident response.
Fully Open Source
The entire stack is open source — backend, dashboard, CLI, crypto service, and MCP server. Read the code, audit the implementation, and verify our security claims yourself.
How Keyway Compares
See how Keyway stacks up against other approaches to secrets management.
| Solution | Encryption | Access Control | Zero-Trust | Audit Log | Auto Revocation | Open Source |
|---|---|---|---|---|---|---|
| .env in Slack | | None | | | | |
| 1Password / LastPass | | Manual | | | | |
| AWS Secrets Manager | | IAM | | | | |
| Doppler / Infisical | | Custom RBAC | Partial | | | |
| Keyway | AES-256-GCM | GitHub | Yes | Yes | Yes | Yes |
Open Source & Transparent
Security should be verifiable, not just promised.
Fully open source
The entire stack is open source on GitHub — backend, dashboard, CLI, crypto service, and MCP server. Read every line of code that handles your secrets.
Fully self-hostable
Run the entire stack on your infrastructure with Docker Compose. Your encryption keys, your servers, your rules.
Transparent threat model
We document what we protect against and what we don't. No security theater — just honest engineering.
Security Questions
How is my data protected?
Secrets are encrypted with AES-256-GCM by an isolated Go crypto service that runs on a private network with no internet access. The encryption key never touches the main API server. Each secret is sealed under a fresh random nonce (the 96-bit IV that the Go standard library's GCM uses by default) and carries a GCM authentication tag, so a modified ciphertext fails to decrypt instead of yielding garbage.
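The seal/open behaviour described in this answer and under AES-256-GCM Encryption, as an added Go example. It is not the crypto service's own code: the Sealer type, its method names and the vault-path string used as associated data are this example's assumptions. It shows the three things a reviewer checks in such a service: a 32-byte key is enforced, every seal draws a fresh random nonce and stops before the random-nonce budget is spent, and any bit flipped in the stored blob or a mismatch in the associated data is rejected before plaintext is returned.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sync/atomic"
)

// Sealer wraps one AES-256 key. In the architecture above this object lives
// only inside the crypto service; the API server and database hold the blobs
// Seal returns, never the key.
type Sealer struct {
	aead  cipher.AEAD
	count uint64 // encryptions performed under this key
}

// NIST SP 800-38D bounds encryptions per key under random 96-bit nonces so the
// probability of a nonce collision stays below 2^-32. Past this, rotate the key.
const maxEncryptionsPerKey = 1 << 32

func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte nonce, 16-byte tag
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Seal returns nonce || ciphertext || tag. aad (e.g. "vault:<repo>:<name>")
// is authenticated but not encrypted, which stops a stored blob from being
// moved under a different secret name and decrypting there.
func (s *Sealer) Seal(plaintext, aad []byte) ([]byte, error) {
	if atomic.AddUint64(&s.count, 1) > maxEncryptionsPerKey {
		return nil, errors.New("key exhausted: rotate before sealing more secrets")
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Open checks the tag over nonce, ciphertext and aad before releasing any
// plaintext; a single flipped bit yields an error, not partial output.
func (s *Sealer) Open(sealed, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(sealed) < n+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, sealed[:n], sealed[n:], aad)
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	s, _ := NewSealer(key)
	aad := []byte("vault:acme/api:DATABASE_URL") // constructed context string
	sealed, _ := s.Seal([]byte("postgres://app:pw@db:5432/app"), aad)
	pt, err := s.Open(sealed, aad)
	fmt.Printf("ok: %s (err=%v)\n", pt, err)
	sealed[len(sealed)-1] ^= 1 // tamper with the tag
	_, err = s.Open(sealed, aad)
	fmt.Println("tampered:", err)
}
```

Binding the vault and secret name into the associated data costs nothing and closes a swap attack that plain AES-GCM over the value alone does not: with a writable database an attacker could otherwise copy the blob for STAGING_TOKEN over PROD_TOKEN and have it decrypt cleanly.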
What happens if Keyway gets breached?
Keyway uses a two-service architecture. The API server handles requests but never holds the encryption key; the crypto service holds the key but has no internet access. An attacker who obtains a copy of the database or the API server's disk gets only ciphertext, and turning it into plaintext requires compromising the crypto service as well. Key isolation protects data at rest; what a running API server may ask the crypto service to decrypt is governed by the GitHub access checks and recorded in the audit trail.
Is this secure enough for production?
Yes. Keyway uses AES-256-GCM (a NIST-standardized authenticated cipher), an isolated cryptography service, real-time GitHub access verification, and TLS 1.3 for all connections. The architecture is designed so that a single point of compromise cannot expose your secrets.
How does access control work?
Access is verified through GitHub's API in real time. If you can push to the repo, you can access its secrets. Remove someone from the repo and their next request is denied. No manual revocation needed: permissions stay in sync automatically.
Where is data stored?
Infrastructure is hosted in the EU on Railway. GDPR-compliant by default. Servers run with automatic security updates and encrypted backups are stored in geographically distributed locations.
Can I self-host Keyway?
Yes. Keyway is fully self-hostable with Docker Compose. Run the entire stack — API, crypto service, dashboard, and database — on your own infrastructure. Your encryption keys never leave your servers. See the self-hosting docs to get started.
Vulnerability Disclosure
Found a vulnerability? Email security@keyway.sh. We'll acknowledge within 48 hours, provide a timeline within 5 business days, and work with you on a fix. For security incidents affecting customer data, we commit to notifying affected users within 72 hours as required by GDPR.
Secure Your Secrets in 30 Seconds
One command to install, one command to sync. Enterprise-grade encryption from the first secret.