DigitalSanctum.
INTERNAL TOOL

Sanctum Vault

Secure credential and secret management for infrastructure, API keys, and service accounts. Sovereign secrets — never stored on third-party platforms.

Section 01

Encrypted Storage

All secrets are encrypted at rest using AES-256-GCM with application-layer key derivation. Neither the storage layer nor the filesystem can read plaintext without authorisation.

  • AES-256-GCM encryption at rest with unique per-secret keys
  • Key derivation via Argon2id from master passphrase
  • Encrypted backups with separate backup keys
  • Tamper-evident audit log of all secret access
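How the storage model described above fits together, as an added illustration that is not Sanctum Vault's own code: a key derived from the operator's passphrase wraps a unique per-secret AES-256-GCM key, the secret's path is bound as associated data, and a wrong passphrase, a flipped ciphertext byte or a renamed entry is rejected by the authentication tag. It assumes the `cryptography` package; where that package's Argon2id binding is unavailable it falls back to stdlib scrypt, which is a substitution for this demo, not the page's design.

```python
import hashlib
import os

from cryptography.exceptions import InvalidTag, UnsupportedAlgorithm
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

try:  # Argon2id ships in cryptography >= 44 and needs OpenSSL 3.2+
    from cryptography.hazmat.primitives.kdf.argon2 import Argon2id
except ImportError:
    Argon2id = None


def derive_master_key(passphrase: bytes, salt: bytes) -> bytes:
    """Derive the 32-byte key-encryption key from the operator's passphrase."""
    if Argon2id is not None:
        try:
            return Argon2id(salt=salt, length=32, iterations=3,
                            lanes=4, memory_cost=64 * 1024).derive(passphrase)
        except UnsupportedAlgorithm:
            pass
    # Assumption: stdlib scrypt stands in when Argon2id is unavailable locally.
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=32)


def store_secret(master_key: bytes, name: str, plaintext: bytes) -> dict:
    """Envelope-encrypt one secret: fresh per-secret key, wrapped by the master key."""
    dek = AESGCM.generate_key(bit_length=256)   # unique key for this secret only
    aad = name.encode()                         # bind the ciphertext to its path
    nonce, wrap_nonce = os.urandom(12), os.urandom(12)
    return {
        "name": name,
        "nonce": nonce,
        "ct": AESGCM(dek).encrypt(nonce, plaintext, aad),
        "wrap_nonce": wrap_nonce,
        "wrapped_dek": AESGCM(master_key).encrypt(wrap_nonce, dek, aad),
    }


def read_secret(master_key: bytes, record: dict) -> bytes:
    """Unwrap the per-secret key, then decrypt; any tampering raises InvalidTag."""
    aad = record["name"].encode()
    dek = AESGCM(master_key).decrypt(record["wrap_nonce"], record["wrapped_dek"], aad)
    return AESGCM(dek).decrypt(record["nonce"], record["ct"], aad)


def rejects(master_key: bytes, record: dict) -> bool:
    """True when the vault refuses a record (wrong key, flipped byte, renamed entry)."""
    try:
        read_secret(master_key, record)
    except InvalidTag:
        return True
    return False
```

The salt and per-record nonces must be stored alongside the record; only the passphrase stays out of the database.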

Sovereignty Angle

Your encryption keys are derived from your own passphrase — we never hold the keys to your secrets. Zero third-party KMS, zero cloud HSM dependency.

Section 02

API Key Management

Provision, rotate, and revoke API keys and service account credentials with a single interface. Auto-generate cryptographically random tokens with scoped permissions.

  • Cryptographically random key generation (256-bit)
  • Per-key permission scoping and expiry dates
  • One-click rotation with zero-downtime propagation
  • Usage logging and anomaly detection

Sovereignty Angle

No third-party secrets manager stores your API keys. Every key is generated, stored, and validated on your own infrastructure — full data sovereignty.

Section 03

Access Control

Fine-grained role-based access control governs who can read, write, rotate, or delete each secret. Integrates with existing OIDC providers for seamless authentication.

  • Role-based access control (admin, operator, read-only)
  • OIDC and SAML SSO integration
  • Per-secret and per-folder permission inheritance
  • Granular audit trail with user attribution

Sovereignty Angle

Your access policy is defined in code and enforced on your own infrastructure. No third-party identity provider holds the keys to your secrets.

Section 04

Zero Third-Party Dependency

The entire vault runs on your own metal — no external secret management APIs, no cloud KMS, no SaaS backends. If your network is up, your vault is accessible.

  • Self-contained deployment with no external API calls
  • No dependency on AWS KMS, HashiCorp Cloud, or 1Password
  • SQLite-backed storage for zero infrastructure overhead
  • Full air-gap deployment capability

Sovereignty Angle

When every dependency is eliminated, the attack surface is your own. No third-party breach can expose your secrets — because there are no third parties.

We build these tools for clients too.

Start a Conversation