This page summarizes how Krypt encrypts and stores your secrets. For full details on our security practices, infrastructure, and vulnerability disclosure, see krypthq.com/security.
Encryption at rest
All secrets are encrypted with AES-256-CBC before being stored. Each secret value gets a fresh 16-byte initialization vector (IV). Stored format:
Encryption in transit
All communication between the CLI, browser, and Krypt API uses TLS 1.3. HSTS is enforced on all endpoints, preventing downgrade attacks.
API key security
API keys are SHA-256 hashed before being stored in the database. The plaintext key is shown only once at creation and is never persisted server-side. If you lose a key, generate a new one — there is no way to recover the original.
CLI config security
The CLI stores your API key locally at ~/.krypt/config.json with 0600 permissions (owner read/write only). Other users on the same system cannot read your credentials.
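The following added example (not Krypt's own code) shows one way a CLI can create a credentials file that is owner-only from the moment it exists, and how to audit an existing file for looser permissions. The function names and file contents are assumptions, and a temporary directory stands in for ~/.krypt.

```python
import os
import stat
import tempfile


def write_private(path, data):
    """Create or overwrite `path` so group/other never get access."""
    # Passing the mode to open(2) means the file is 0600 as soon as it exists,
    # rather than being created with default permissions and chmod-ed later.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        # O_CREAT's mode is ignored for a file that already exists,
        # so tighten explicitly before writing the secret.
        os.fchmod(f.fileno(), 0o600)
        f.write(data)


def audit(path):
    """Return a list of findings; an empty list means the file is private."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at the path
    if not stat.S_ISREG(st.st_mode):
        return ["not a regular file (symlink or special file)"]
    findings = []
    if st.st_uid != os.getuid():
        findings.append("owned by uid %d, not the current user" % st.st_uid)
    extra = stat.S_IMODE(st.st_mode) & 0o077
    if extra:
        findings.append("group/other permission bits set: %04o" % extra)
    return findings


def demo():
    # Constructed sample: throwaway directory and placeholder contents.
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "config.json")
        write_private(cfg, b'{"example": "constructed-sample-value"}')
        clean = audit(cfg)
        os.chmod(cfg, 0o644)  # simulate a file that was loosened afterwards
        loose = audit(cfg)
        return clean, loose


if __name__ == "__main__":
    print(demo())
```

To check a real installation, call `audit()` on the expanded path of `~/.krypt/config.json`.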
Sub-processors
Krypt uses the following third-party services to operate:

| Service | Purpose | Region |
|---|---|---|
| Clerk | Authentication | US |
| Supabase | Database | eu-west-1 (Ireland) |
| Stripe | Payments | TBD (not yet configured) |
| Resend | Transactional email | eu-west-1 |
| Railway | Backend hosting | europe-west4 (Amsterdam) |
| Vercel | Frontend hosting | Global edge network |
| Sentry | Error tracking | EU (Frankfurt) |
Clerk processes authentication data in the United States under the EU-US Data Privacy Framework adequacy decision (July 2023). All other sub-processors operate within the EU or on global edge networks.

