Lightweight secrets management for teams that can't use SaaS.
On-premise. Air-gapped ready. Single binary. No Vault admin required.

| | Vault | Doppler | Keyorix |
|---|---|---|---|
| On-premise | Yes | No | Yes |
| Air-gapped | Yes | No | Yes |
| Simple ops | No | Yes | Yes |
| EU company | No | No | Yes |
| Open source | BSL | No | AGPL |
| Single binary | Yes | N/A | Yes |

Vault is powerful but requires a dedicated admin. Doppler is simple but SaaS-only. Keyorix is both simple and runs entirely in your infrastructure.

```bash
curl -L https://raw.githubusercontent.com/keyorixhq/keyorix/main/install.sh | sh
```

Or build from source:

```bash
git clone https://github.com/keyorixhq/keyorix
cd keyorix && make install
```

Self-host the full stack (web UI + API + PostgreSQL) with Docker Compose:

```bash
cp .env.example .env  # set KEYORIX_DB_PASSWORD, KEYORIX_MASTER_PASSWORD, admin creds
docker compose up -d  # open http://localhost:8088
```

See `docs/SELF_HOSTING.md` for production setup (TLS, backups, upgrades, and the all-important encryption-key handling), and `docs/CONFIGURATION.md` for the full `keyorix.yaml` reference (encryption/KEK providers, MFA, WebAuthn, dynamic secrets, OIDC, …).

Or start just the server binary:

```bash
KEYORIX_MASTER_PASSWORD=yourpassword keyorix-server
```

Connect the CLI:

```bash
keyorix connect http://localhost:8080 --username admin --password yourpassword
```

Create and use secrets:

```bash
keyorix secret create --name db-password --value supersecret
keyorix run --env production -- node app.js
keyorix run --env production -- flask run
keyorix run --env production -- ./myapp
```

Secrets are injected as environment variables. `db-password` becomes `DB_PASSWORD`.

```bash
# From Vault (Medusa YAML export)
keyorix secret import --file vault-export.yaml --format vault --env 1
# From .env files
keyorix secret import --file .env --format dotenv --env 1
# Preview before importing
keyorix secret import --file vault-export.yaml --format vault --env 1 --dry-run
```

Fetch secrets directly from your application at startup. Zero hardcoded credentials.

Go

```bash
go get github.com/keyorixhq/keyorix-go
```

```go
token, _ := keyorix.Login(ctx, "http://your-server:8080", "admin", "password")
client := keyorix.New("http://your-server:8080", token)
dbPassword, _ := client.GetSecret(ctx, "db-password", "production")
```

Python

```bash
pip install keyorix
```

```python
token = keyorix.login("http://your-server:8080", "admin", "password")
client = keyorix.Client("http://your-server:8080", token)
db_password = client.get_secret("db-password", "production")
```

Node.js

```bash
npm install keyorix
```

```javascript
const token = await keyorix.login("http://your-server:8080", "admin", "password");
const client = new keyorix.Client("http://your-server:8080", token);
const dbPassword = await client.getSecret("db-password", "production");
```

See example apps for full working demos with Docker Compose.

Secrets management
- Create, read, update, delete secrets with full versioning
- Environment separation: development, staging, production
- Secret sharing between users and groups
Access control
- Role-based access control (RBAC)
- Group-based permissions
- Service tokens for CI/CD and automation
Audit and compliance
- Every access logged: who, what, when, from where
- Two audit layers: `audit_events` and `secret_access_logs`
- NIS2 / DORA alignment for European compliance requirements
- Dashboard expiry alerts for secrets approaching rotation deadlines
Developer experience
- `keyorix run`: inject secrets into any process
- `keyorix secret import`: migrate from Vault, .env files, JSON
- `keyorix connect`: single command server authentication
- Web dashboard for teams who prefer a UI

Single binary. HTTP REST API on port 8080. Web UI on port 3000.
SQLite for development and small teams. PostgreSQL for production.
Air-gapped deployment: copy the binary and run. No internet required.
- AES-256-GCM encryption for all secret values
- Envelope encryption: passphrase → PBKDF2 → KEK (memory only) → wrapped DEK
- Constant-time token comparison (timing attack prevention)
- Secrets never logged or exposed in error messages
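
The envelope scheme listed above (passphrase → PBKDF2 → KEK → wrapped DEK, all under AES-256-GCM), as an added Node.js example that is not Keyorix source code; it also shows that a passphrase change rewrites only the wrapped DEK. The function names, iteration count, nonce size, record layout and the use of the secret name as associated data are assumptions.

```javascript
// Added example, not Keyorix source. Names, sizes, the iteration count and the
// record layout are assumptions made for illustration.
const crypto = require("node:crypto");

// passphrase -> PBKDF2-HMAC-SHA256 -> 256-bit KEK. The caller keeps it in memory only.
function deriveKek(passphrase, salt, iterations = 600000) {
  return crypto.pbkdf2Sync(passphrase, salt, iterations, 32, "sha256");
}

// AES-256-GCM with a fresh 96-bit nonce per call; the secret name is bound as AAD.
function seal(key, plaintext, name) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, nonce);
  cipher.setAAD(Buffer.from(name, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { nonce, ct, tag: cipher.getAuthTag() };
}

// final() throws if the key, ciphertext, tag or AAD does not match.
function unseal(key, box, name) {
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, box.nonce);
  decipher.setAAD(Buffer.from(name, "utf8"));
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// New random DEK per secret: the value is sealed under the DEK, the DEK under the KEK.
function createSecret(kek, name, value) {
  const dek = crypto.randomBytes(32);
  const record = { name, wrappedDek: seal(kek, dek, name), data: seal(dek, Buffer.from(value, "utf8"), name) };
  dek.fill(0); // drop the plaintext DEK once it is wrapped
  return record;
}

function readSecret(kek, record) {
  const dek = unseal(kek, record.wrappedDek, record.name);
  const value = unseal(dek, record.data, record.name).toString("utf8");
  dek.fill(0);
  return value;
}

// Passphrase change: only the wrapped DEK is rewritten, the data ciphertext is reused.
function rewrapSecret(oldKek, newKek, record) {
  const dek = unseal(oldKek, record.wrappedDek, record.name);
  const rewrapped = { ...record, wrappedDek: seal(newKek, dek, record.name) };
  dek.fill(0);
  return rewrapped;
}
```

Because the name is authenticated alongside both ciphertexts, a wrapped DEK or value copied onto a record with a different name fails to decrypt.
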
Security issues: security@keyorix.com
- Kubernetes service account authentication
- Dynamic secrets — credentials generated on-demand with TTL
- MCP server — AI assistant integration
- Java SDK
- Access anomaly detection (NIS2 incident detection)
AGPL-3.0. Commercial licensing available for enterprise deployments.
Contact: hello@keyorix.com
Built by Andrei Beshkov, ex-Microsoft Security PM, Valencia, Spain.
Keyorix SL — your data stays in your infrastructure.