cubby

secrets · everywhere · once

One place for every secret. Override per environment.

AES-256-GCM in Postgres, served to External Secrets Operator over HTTP. Layered envs: staging inherits production, overrides only what differs.

what's inside

layered envs

Drop a key on production — staging and preview inherit it for free. Override only what differs; the diff page surfaces drift instantly.

eso native

Per-cluster bearer tokens, last-used staleness tracking, OpenAPI on the bulk + per-key endpoints.

audit trail

AES-256-GCM in Postgres. Every upsert/delete writes a history row with who, when, and what kind.