Six things,
done well.
We're not trying to replace HashiCorp Vault for your bank. We're making encrypted secrets management feel like a managed Postgres — pick a plan, get a URL, ship.
CLI-native injection
ferrvault exec -- npm test. One command to inject every project secret as env vars in your CI step. No SDK to integrate, no boilerplate.
Native K8s operator
The FerrVault operator syncs your secrets into native Kubernetes Secret resources. Works with any controller, any pod. No app changes required.
Envelope encryption + BYOK
Every secret encrypted with a unique data key, wrapped by your KMS (AWS, GCP, Vault Transit). Bring your own key on Business plans. Compliance-grade by default.
Versioned rotation
ferrvault secrets rotate DB_PASSWORD. Full version history, atomic switchover, automatic re-injection across all consumers. Zero downtime.
Full audit log
Every read, write, and rotation is logged. Filter by user, secret, IP, project. Export to your SIEM. Tamper-evident export is on the roadmap.
EU-hosted, EU-only
ferrvault.com runs in the EU. Encrypted secrets, audit logs, and backups stay within Europe — never replicated elsewhere. SOC 2 in progress.