Vaults are containers within a project that store secrets, cryptographic keys, and certificates. They provide an additional layer of organization and access control beyond projects, allowing you to group sensitive resources by purpose, environment, or security level.
Every vault belongs to exactly one project, and all access to secrets, keys, and certificates is evaluated through the vault.
Vaults exist to:
A project can contain multiple vaults, each serving a distinct purpose.
Each vault can store:
All resources within a vault support versioning, expiration tracking, and audit logging.
Access to a vault is determined by:
By default, users who belong to a project can access all vaults in that project, subject to their role permissions.
A restricted vault is a standard vault with an additional access rule enabled. When a vault is marked as restricted, project membership alone is no longer sufficient to access its contents. Only users explicitly added to the restricted vault can view or manage the resources inside it.
Restricted vaults are useful when certain secrets, keys, or certificates require tighter control than the rest of the project.
Restricted vaults do not change how resources are stored or accessed programmatically; they only affect who is allowed to access them.
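The default and restricted access rules described above, modelled as an added example for reviewing who can reach each vault; this is not Secryn's own code or API. The role names, the data layout, the order of the checks, and the requirement that a restricted-vault user is also a project member are assumptions made for the example, and the sample project is constructed.

```python
from dataclasses import dataclass, field

# Hypothetical role -> allowed actions map. The role names are assumptions;
# the actions "view" and "manage" follow the page's wording.
ROLE_ACTIONS = {"viewer": {"view"}, "admin": {"view", "manage"}}

@dataclass
class Vault:
    name: str
    restricted: bool = False
    explicit_users: set = field(default_factory=set)  # users added to the vault

@dataclass
class Project:
    name: str
    members: dict                                # user -> role
    vaults: dict = field(default_factory=dict)   # vault name -> Vault

def check_access(project, vault_name, user, action):
    """Return (allowed, reason) for one user and action on one vault."""
    vault = project.vaults.get(vault_name)
    if vault is None:
        return False, "vault not in project"
    role = project.members.get(user)
    if role is None:
        return False, "not a project member"
    if action not in ROLE_ACTIONS.get(role, set()):
        return False, "role lacks permission"
    # Restricted vault: project membership alone is not sufficient.
    if vault.restricted and user not in vault.explicit_users:
        return False, "restricted vault: not explicitly added"
    return True, "allowed"

def effective_access(project, action="view"):
    """Access review: users who can perform `action` on each vault."""
    return {
        name: sorted(u for u in project.members
                     if check_access(project, name, u, action)[0])
        for name in project.vaults
    }

# Constructed sample data (not taken from any real project).
PROJECT = Project(
    name="payments",
    members={"alice": "admin", "bob": "viewer", "carol": "admin"},
    vaults={"app-config": Vault("app-config"),
            "signing-keys": Vault("signing-keys", True, {"alice"})},
)

if __name__ == "__main__":
    for vault, users in effective_access(PROJECT, "manage").items():
        print(vault, users)
```

In the sample, carol is a project admin but is denied on the restricted vault because she was never explicitly added to it.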
When accessing a vault, Secryn evaluates permissions in the following order:
This layered approach ensures predictable and secure access behavior.
Vaults are created within a project and persist for the lifetime of that project. Access rules can be modified at any time, and resources within a vault can be added, updated, archived, or restored without affecting the vault itself.
Vaults provide a stable, auditable boundary for managing sensitive data over time.
Vaults are the primary workspace in Secryn. By combining projects, vaults, and restricted access rules, you can design a security model that scales from simple setups to complex, highly controlled environments.