Getting Started

Introduction to Secryn and its core concepts.

Introduction

Secryn is a fully self-hosted secret, key, and certificate management platform designed for teams that want complete control over their sensitive data. It provides a secure, centralized way to store, retrieve, version, and manage credentials, cryptographic material, and configuration values across projects and environments—without relying on third-party cloud services.

Secryn is built with a strong security foundation, a simple information model, and a modern UI, making it easy for teams of all sizes to manage sensitive resources with confidence.

What Secryn Does

Secryn helps you:

  • store and organize secrets, keys, and certificates in isolated vaults
  • group vaults under projects to match your systems or organization
  • control access using role-based permissions and restricted vaults
  • retrieve items programmatically using a vault-scoped access key
  • track changes with full version history and restore points
  • automate expiration reminders and digest notifications
  • integrate with external systems or AI agents through the API or MCP server
  • self-host all data on your infrastructure

The goal is a simple, predictable workflow for security-sensitive teams without the operational overhead of heavy enterprise tools.

Core Concepts

Before installing or using Secryn, understand these primary components:

  • Projects – logical groupings containing vaults and their associated users.
  • Vaults – containers for secrets, keys, and certificates. Each vault has its own access key for API access.
  • Restricted Vaults – vaults that limit access to explicitly added users, even if they belong to the parent project.
  • Secrets – secure values such as API keys, tokens, or configuration strings, fully versioned with history.
  • Keys – RSA or EC key pairs used for signing, encryption, and cryptographic operations.
  • Certificates – uploaded or self-signed certificates with expiration tracking and optional public URLs.
  • Users & Roles – access is controlled through project membership and roles (Admin, Project Manager, Contributor, Read-Only).
  • API Access – every vault exposes API endpoints that allow fetching secrets, keys, and certificates using a vault access key.
  • MCP Server – an optional integration layer enabling AI agents to securely retrieve data from Secryn.

How Secryn Is Deployed

Secryn is fully self-hosted and can run on:

  • Docker
  • Spin Pro (Server Side Up)
  • Bare-metal Linux servers
  • Any environment that supports PHP, MySQL/PostgreSQL equivalents, and Redis

No data leaves your infrastructure.

The built-in Installation Wizard guides you through:

  • environment configuration
  • database setup
  • SMTP setup
  • admin user creation
  • optional MCP server initialization
  • system checks and first-run tasks

Who Secryn Is For

Secryn is ideal for:

  • teams managing sensitive credentials or cryptographic material
  • organizations requiring full data ownership
  • self-hosted or air-gapped deployments
  • developers who need predictable APIs and strong RBAC
  • teams replacing spreadsheets, environment files, or ad-hoc secret stores
  • infrastructure engineers needing a lightweight but robust vault solution

What's Next

Continue to the next section to install and configure Secryn.