Secrets without the infrastructure.
Store, rotate, and inject secrets into your CI pipelines and Kubernetes clusters — without deploying Vault. Envelope encryption with BYOK. Hosted in the EU at ferrvault.com.

- name: Run tests
  run: ferrvault inject -- npm test
  env:
    FERRVAULT_TOKEN: ${{ secrets.FERRVAULT_TOKEN }}

apiVersion: ferrvault.io/v1
kind: SecretBundle
metadata:
  name: api-prod
spec:
  vault: my-org/api
  refresh: 60s

Six things, done well.
We're not trying to replace HashiCorp Vault for your bank. We're making encrypted secrets management feel like a managed Postgres — pick a plan, get a URL, ship.
CLI-native injection
ferrflow secrets inject -- npm test. One command to inject every project secret as env vars in your CI step. No SDK to integrate, no boilerplate.
Native K8s operator
The FerrVault operator syncs your secrets into native Kubernetes Secret resources. Works with any controller, any pod. No app changes required.
Envelope encryption + BYOK
Every secret encrypted with a unique data key, wrapped by your KMS (AWS, GCP, Vault Transit). Bring your own key on Business plans. Compliance-grade by default.
Versioned rotation
ferrvault secrets rotate DB_PASSWORD. Full version history, atomic switchover, automatic re-injection across all consumers. Zero downtime.
Tamper-proof audit log
Every read, write, and rotation logged with cryptographic signatures. Filter by user, secret, IP, project. Export to your SIEM.
EU-hosted, EU-only
ferrvault.com runs in the EU. Encrypted secrets, audit logs, and backups stay within Europe — never replicated elsewhere. SOC 2 in progress.
Plays well with what you already run.
Pricing that scales with your secrets.
Hosted at ferrvault.com — EU region. Pay per user, not per secret.