Secrets & credentials
A secrets manager built into your platform
Secrets shouldn't be a separate vendor. Avoryx includes a zero-knowledge credential manager — encrypted client-side so even we can't read it — with per-record envelope encryption, a recovery key you own, and an opt-in KMS path for CI.
What you get
Purpose-built — and connected to the rest.
The server can't read it
Client-side encryption means the platform stores only ciphertext it cannot decrypt.
One platform, not another vendor
The vault is included with the Enterprise plan, on the same seat as your ops.
- Zero-knowledge, client-side encryption (server holds only ciphertext)
- Per-record envelope encryption; sharing is a single key-wrap
- Time-bound public share links (≤24h, ≤50 views, all probes logged)
- An opt-in KMS path for CI with peppered, IP-allowlisted tokens
Replaces
The tools this replaces
FAQ
Common questions
For teams that want their credential manager inside their ops platform, Avoryx's Vault is zero-knowledge with per-record envelope encryption, a recovery key you own, time-bound share links, and an opt-in KMS path for CI.
More solutions
One platform, every operation
See it on your real numbers.
15 minutes, your stack, your per-seat math — one platform for the whole operation.