Secrets & credentials

A secrets manager built into your platform

Secrets shouldn't be a separate vendor. Avoryx includes a zero-knowledge credential manager — encrypted client-side so even we can't read it — with per-record envelope encryption, a recovery key you own, and an opt-in KMS path for CI.

What you get

Purpose-built — and connected to the rest.

The server can't read it

Client-side encryption means the platform stores only ciphertext it cannot decrypt.

One platform, not another vendor

The vault is included with the Enterprise plan, on the same seat as your ops.

  • Zero-knowledge, client-side encryption (server holds only ciphertext)
  • Per-record envelope encryption; sharing is a single key-wrap
  • Time-bound public share links (≤24h, ≤50 views, all probes logged)
  • An opt-in KMS path for CI with peppered, IP-allowlisted tokens
Replaces

The tools this replaces

FAQ

Common questions

For teams that want their credential manager inside their ops platform, Avoryx's Vault is zero-knowledge with per-record envelope encryption, a recovery key you own, time-bound share links, and an opt-in KMS path for CI.

See it on your real numbers.

15 minutes, your stack, your per-seat math — one platform for the whole operation.