Stop leaking secrets.
Start locking them.
AES-256-GCM envelope encryption with per-secret data keys. A high-stakes command center built for high-velocity developer workflows.
[DATABASE_URL] ••••••••••••••••••
[JWT_SECRET] ••••••••••••••••••
Infrastructure Secured for the Best
Hardened Infrastructure.
Built for teams that can't afford a single breach.
CLI-first workflow
Seamlessly integrate with your CI/CD pipelines. Automate secret rotation and environment injection without ever leaving the terminal.
Audit Logs
Real-time immutable tracking of every secret access. Who, when, and where—crystal clear visibility for compliance.
Role-based Access
Granular permissions for teams. Group secrets by project and assign roles with pinpoint precision.
Encrypted at rest, end to end
We utilize AES-256-GCM envelope encryption with per-secret data keys. Your secrets are sharded and isolated, never written to disk in plaintext.
Read the security model →Built for the terminal.
Login once. Inject decrypted secrets into anything. Never write to disk.
# Install (macOS / Linux, no sudo) $ curl -fsSL https://locked.sh/install.sh | bash # Authenticate (opens a browser) $ locked login # Link a repo to a project + environment $ locked init # Run anything with secrets injected as env-vars $ locked run -- npm start $ locked run -- rails server $ locked run --env=production -- bundle exec sidekiq
Ready to lock the vault?
Join engineering teams securing their cloud infrastructure with locked.sh — free for personal use, open source for the rest.
Get Started for FreeNo credit card required · Unlimited public repositories