Six features

Six things,
done well.

We're not trying to replace HashiCorp Vault for your bank. We're making encrypted secrets management feel like a managed Postgres — pick a plan, get a URL, ship.

№ 01

CLI-native injection

ferrvault exec -- npm test. One command to inject every project secret as env vars in your CI step. No SDK to integrate, no boilerplate.

№ 02

Native K8s operator

The FerrVault operator syncs your secrets into native Kubernetes Secret resources. Works with any controller, any pod. No app changes required.

№ 03

Envelope encryption + BYOK

Every secret encrypted with a unique data key, wrapped by your KMS (AWS, GCP, Vault Transit). Bring your own key on Business plans. Compliance-grade by default.

№ 04

Versioned rotation

ferrvault secrets rotate DB_PASSWORD. Full version history, atomic switchover, automatic re-injection across all consumers. Zero downtime.

№ 05

Full audit log

Every read, write, and rotation is logged. Filter by user, secret, IP, project. Export to your SIEM. Tamper-evident export is on the roadmap.

№ 06

EU-hosted, EU-only

ferrvault.com runs in the EU. Encrypted secrets, audit logs, and backups stay within Europe — never replicated elsewhere. SOC 2 in progress.