Stop Sending Secrets in Plain Text Over _
End-to-End Post-Quantum encrypted secrets for Humans and Machines.
Identity-to-identity encryption with zero-password OIDC, domain-verified organizations, RBAC, and per-secret policies — stored only in your own S3 bucket. We never see your secrets.
Platform Features
Identity-to-identity encryption with zero-password OIDC authentication, domain-verified organizations, and per-secret policies. Built for humans, service accounts, CI/CD pipelines, and AI agents.
ML-KEM-768 Post-Quantum
NIST FIPS 203 lattice-based key encapsulation with X25519 hybrid mode for defense against quantum and classical attacks
Identity-to-Identity Encryption
Every secret encrypted from sender identity to recipient identity. Private keys never leave the client device
AES-256-GCM
Authenticated encryption with integrity protection. Client-side encryption before any data leaves your device
Two-Step Key Registration
Key pairs generated locally, only public keys sent to server. Server never sees or generates private keys
Hierarchical RBAC
Four roles: owner, admin, team_manager, actor. Embedded in short-lived session tokens for stateless enforcement
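The role hierarchy and "embedded in short-lived session tokens for stateless enforcement" describe a concrete mechanism, so here is an added example of it in Go. This is illustrative code written for this page, not DeepSecret's own implementation: the token format (HMAC-SHA256 over a base64url JSON payload), the field names, and the session IP binding field are all assumptions chosen to show the pattern.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Role ranks follow the page's hierarchy: owner > admin > team_manager > actor.
var roleRank = map[string]int{"owner": 3, "admin": 2, "team_manager": 1, "actor": 0}

// SessionClaims is the payload embedded in a short-lived session token. Because
// the role travels inside the signed token, a request can be authorized without
// consulting a session store (stateless enforcement).
type SessionClaims struct {
	Identity string `json:"sub"`
	Org      string `json:"org"`
	Role     string `json:"role"`
	BoundIP  string `json:"ip,omitempty"` // set when the organization enables session IP binding
	Exp      int64  `json:"exp"`          // Unix seconds; keep this short (minutes, not days)
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func sign(key, payload []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(payload)
	return mac.Sum(nil)
}

// Mint serialises the claims and appends an HMAC-SHA256 tag: "<payload>.<tag>".
// The format is constructed for this example (a JWT would add a header segment).
func Mint(key []byte, c SessionClaims) (string, error) {
	if _, ok := roleRank[c.Role]; !ok {
		return "", fmt.Errorf("unknown role %q", c.Role)
	}
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	payload := b64(body)
	return payload + "." + b64(sign(key, []byte(payload))), nil
}

// Verify checks the tag in constant time, then the expiry, before trusting any claim.
func Verify(key []byte, token string, now time.Time) (*SessionClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed token")
	}
	tag, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || !hmac.Equal(tag, sign(key, []byte(parts[0]))) {
		return nil, errors.New("invalid signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, errors.New("malformed payload")
	}
	var c SessionClaims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, errors.New("malformed payload")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("session expired")
	}
	return &c, nil
}

// Authorize enforces the hierarchy (a role may do anything a lower role may) and
// rejects a bound session presented from any other client IP.
func Authorize(c *SessionClaims, requiredRole, clientIP string) error {
	need, ok := roleRank[requiredRole]
	if !ok {
		return fmt.Errorf("unknown required role %q", requiredRole)
	}
	if c.BoundIP != "" && c.BoundIP != clientIP {
		return errors.New("session is bound to a different IP")
	}
	if roleRank[c.Role] < need {
		return fmt.Errorf("role %s cannot perform a %s-level action", c.Role, requiredRole)
	}
	return nil
}

func main() {
	key := []byte("constructed-demo-key") // example only; a real key is random and rotated
	now := time.Now()
	tok, _ := Mint(key, SessionClaims{Identity: "alice@example.com", Org: "example.com",
		Role: "team_manager", BoundIP: "10.0.0.5", Exp: now.Add(10 * time.Minute).Unix()})
	c, err := Verify(key, tok, now)
	fmt.Println(err, Authorize(c, "actor", "10.0.0.5"), Authorize(c, "admin", "10.0.0.5"))
}
```

Because the role is authenticated by the tag rather than looked up, revoking a role takes effect only when the token expires, which is why the expiry must be short.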
Per-Secret Policies
TTL expiration, ephemeral burn-after-read, IP locking (CIDR), and geo-fencing per secret. Adjustable by sender after creation
Organization Policies
Account-wide IP allowlists, session IP binding, and issuer restrictions. All must pass on every request
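Per-secret policies (TTL, burn-after-read, CIDR IP locking, geo-fencing) and organization policies (IP allowlist, issuer restrictions) are both described as checks that "must pass on every request". The following Go evaluator is an added illustration of that layered check, not DeepSecret's code: the struct fields, error strings and evaluation order are assumptions, and the client's country is taken as an input (the page names MaxMind for that lookup, which is not shown here).

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"time"
)

// SecretPolicy holds the per-secret controls the page lists. Zero values mean
// "not set", so an empty policy adds nothing beyond the organization policy.
type SecretPolicy struct {
	ExpiresAt        time.Time // TTL; zero means no expiry
	MaxReads         int       // >0 marks an ephemeral burn-after-read secret
	AllowedCIDRs     []string  // IP locking, e.g. "10.1.0.0/16"
	AllowedCountries []string  // geo-fencing by ISO country code
}

// OrgPolicy applies to every request in the account, before any per-secret check.
type OrgPolicy struct {
	IPAllowlist    []string
	AllowedIssuers []string // issuer restriction on the OIDC token behind the session
}

// Request is the context available when a decrypt is attempted. Country is
// assumed to have been resolved from ClientIP by a GeoIP lookup.
type Request struct {
	Now        time.Time
	ClientIP   string
	Issuer     string
	Country    string
	ReadsSoFar int
}

func inAnyPrefix(ip netip.Addr, cidrs []string) (bool, error) {
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return false, fmt.Errorf("malformed CIDR %q: %w", c, err)
		}
		if p.Contains(ip) {
			return true, nil
		}
	}
	return false, nil
}

func inList(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Evaluate returns nil only when every organization policy and every per-secret
// policy passes; the first failing check names the layer that rejected the request.
func Evaluate(org OrgPolicy, sec SecretPolicy, r Request) error {
	ip, err := netip.ParseAddr(r.ClientIP)
	if err != nil {
		return fmt.Errorf("invalid client IP: %w", err)
	}
	ip = ip.Unmap() // "::ffff:10.1.2.3" must match IPv4 prefixes, not bypass them
	if len(org.IPAllowlist) > 0 {
		if ok, err := inAnyPrefix(ip, org.IPAllowlist); err != nil || !ok {
			return errors.New("org policy: client IP not in allowlist")
		}
	}
	if len(org.AllowedIssuers) > 0 && !inList(org.AllowedIssuers, r.Issuer) {
		return errors.New("org policy: token issuer not permitted")
	}
	if !sec.ExpiresAt.IsZero() && !r.Now.Before(sec.ExpiresAt) {
		return errors.New("secret policy: TTL expired")
	}
	if sec.MaxReads > 0 && r.ReadsSoFar >= sec.MaxReads {
		return errors.New("secret policy: read limit exhausted")
	}
	if len(sec.AllowedCIDRs) > 0 {
		if ok, err := inAnyPrefix(ip, sec.AllowedCIDRs); err != nil || !ok {
			return errors.New("secret policy: client IP outside locked range")
		}
	}
	if len(sec.AllowedCountries) > 0 && !inList(sec.AllowedCountries, r.Country) {
		return errors.New("secret policy: country outside geo-fence")
	}
	return nil
}

func main() {
	org := OrgPolicy{IPAllowlist: []string{"10.0.0.0/8"}}
	sec := SecretPolicy{AllowedCIDRs: []string{"10.1.0.0/16"}, AllowedCountries: []string{"DE"}}
	fmt.Println(Evaluate(org, sec, Request{Now: time.Now(), ClientIP: "10.1.2.3", Country: "DE"}))
	fmt.Println(Evaluate(org, sec, Request{Now: time.Now(), ClientIP: "10.2.0.1", Country: "DE"}))
}
```

The `Unmap` call is the edge case worth remembering: `netip.Prefix.Contains` treats an IPv4-mapped IPv6 address as a different address, so without it a client arriving over a dual-stack listener could fail (or, with a deny-style rule, slip past) an IPv4 CIDR lock.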
Zero-Password OIDC
No passwords, ever. Humans authenticate via Google OIDC with verified domain email. Token exchange with JWT claim matching
Workload Identity Federation
First-class service accounts for GitHub Actions, Kubernetes, AWS, GCP, and any OIDC-compliant issuer
Domain-Verified Organizations
DNS TXT record verification ties accounts to domains. Human actors must use verified domain email
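The three items above (OIDC token exchange with claim matching, workload identity from external issuers, and the verified-domain e-mail rule) fit together into one exchange step. The Go code below is an added example of that step, not DeepSecret's implementation. It assumes the ID token's signature has already been verified against the issuer's published keys, models the page's "trust policies" as a small struct, and uses a constructed TXT record name and value format for the domain check; the GitHub Actions issuer and `repo:owner/repo:ref:...` subject shape are that platform's real formats.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims from an ID token whose signature has already been verified against the
// issuer's published keys; that verification step is assumed here, not shown.
type Claims struct {
	Iss, Aud, Sub, Email string
	EmailVerified        bool
	Exp                  int64
}

// TrustPolicy is this example's model of a trust policy: which external issuer
// may exchange a token for which local identity.
type TrustPolicy struct {
	Issuer   string
	Audience string
	Kind     string // "human" (identity = e-mail under a verified domain) or "workload"
	Subject  string // workload only: exact sub to match
	Identity string // workload only: the service-account identity granted
}

type Organization struct {
	VerifiedDomains map[string]bool // filled only after VerifyDomainTXT succeeds
	Policies        []TrustPolicy
}

// Exchange maps verified claims to a local identity or refuses. Humans get
// their e-mail as identity only if its domain is verified for the organization.
func (o Organization) Exchange(c Claims, now time.Time) (string, error) {
	if now.Unix() >= c.Exp {
		return "", errors.New("token expired")
	}
	for _, p := range o.Policies {
		if p.Issuer != c.Iss || p.Audience != c.Aud {
			continue
		}
		switch p.Kind {
		case "workload":
			if p.Subject == c.Sub {
				return p.Identity, nil
			}
		case "human":
			if !c.EmailVerified {
				return "", errors.New("issuer did not verify the e-mail address")
			}
			at := strings.LastIndex(c.Email, "@")
			if at < 0 {
				return "", errors.New("malformed e-mail claim")
			}
			domain := strings.ToLower(c.Email[at+1:])
			if !o.VerifiedDomains[domain] {
				return "", fmt.Errorf("domain %q is not verified for this organization", domain)
			}
			return strings.ToLower(c.Email), nil
		}
	}
	return "", errors.New("no trust policy matches issuer, audience and subject")
}

// VerifyDomainTXT proves control of a domain by finding a challenge value in its
// TXT records. Record name and value format are constructed for this example;
// lookup is injected (net.LookupTXT in production) so the check runs offline.
func VerifyDomainTXT(lookup func(name string) ([]string, error), domain, challenge string) error {
	records, err := lookup("_deepsecret-challenge." + strings.ToLower(domain))
	if err != nil {
		return fmt.Errorf("TXT lookup failed: %w", err)
	}
	for _, r := range records {
		if strings.TrimSpace(r) == "deepsecret-verify="+challenge {
			return nil
		}
	}
	return errors.New("challenge not present in TXT records")
}

func main() {
	org := Organization{VerifiedDomains: map[string]bool{"example.com": true},
		Policies: []TrustPolicy{{Issuer: "https://accounts.google.com", Audience: "ds-cli", Kind: "human"}}}
	id, err := org.Exchange(Claims{Iss: "https://accounts.google.com", Aud: "ds-cli",
		Email: "Alice@Example.com", EmailVerified: true, Exp: time.Now().Add(time.Minute).Unix()}, time.Now())
	fmt.Println(id, err)
}
```

Two details carry most of the security weight: audience is matched as well as issuer, so a token minted for another application cannot be replayed here, and `email_verified` is required before the domain rule is applied, because an issuer may pass through an unverified address.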
Cross-Account Sharing
Send secrets to identities in other organizations via public key lookup. Visibility controls protect internal identities
Versioned Revisions
Sequential revision numbering with optimistic locking. Only the sender identity can create new revisions
Ephemeral Secrets
Burn-after-read with configurable max reads. Single-revision by design. Object deleted on exhaustion
TTL Expiration
Time-limited secrets with automatic status transition and background garbage collection of encrypted objects
Mutable Policies
Sender can extend TTL, increase max reads, or adjust IP/geo restrictions after creation. All changes audited
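Versioned revisions with optimistic locking, sender-only revision creation, and ephemeral burn-after-read deletion (the items from "Versioned Revisions" through "Ephemeral Secrets" above) are easiest to see as one small store. The Go code below is an added example written for this page, not DeepSecret's service: the in-memory map, method names and audit line format are assumptions. In the product the ciphertext lives in the customer's bucket, so the "delete on exhaustion" step would remove that object; the sender-only policy mutations from "Mutable Policies" follow the same sender check as `AddRevision` and are not shown separately.

```go
package main

import (
	"errors"
	"fmt"
)

type Revision struct {
	Number     int
	Ciphertext []byte // encrypted client-side; the server never holds plaintext
}

type Secret struct {
	Sender, Recipient string
	Ephemeral         bool
	MaxReads, reads   int
	revisions         []Revision
}

// Store is an in-memory stand-in for the metadata service (a real one would run
// each method inside a database transaction so the compare-and-set is atomic).
type Store struct {
	secrets map[string]*Secret
	Audit   []string // append-only audit trail
}

func NewStore() *Store { return &Store{secrets: map[string]*Secret{}} }

func (s *Store) log(action, actor, id, detail string) {
	s.Audit = append(s.Audit, fmt.Sprintf("%s actor=%s secret=%s %s", action, actor, id, detail))
}

func (s *Store) Create(id, sender, recipient string, ct []byte, ephemeral bool, maxReads int) error {
	if _, exists := s.secrets[id]; exists {
		return errors.New("secret id already exists")
	}
	if ephemeral && maxReads < 1 {
		return errors.New("ephemeral secrets need max reads >= 1")
	}
	s.secrets[id] = &Secret{Sender: sender, Recipient: recipient, Ephemeral: ephemeral,
		MaxReads: maxReads, revisions: []Revision{{1, ct}}}
	s.log("encrypt", sender, id, "revision 1")
	return nil
}

// AddRevision is a compare-and-set: it succeeds only if the caller is the sender
// and expectedLatest is still the newest revision, so two writers racing from the
// same stale view can never both produce "revision N+1".
func (s *Store) AddRevision(id, actor string, expectedLatest int, ct []byte) (int, error) {
	sec, ok := s.secrets[id]
	if !ok {
		return 0, errors.New("secret not found")
	}
	if actor != sec.Sender {
		s.log("revision_denied", actor, id, "not the sender")
		return 0, errors.New("only the sender identity can create revisions")
	}
	if sec.Ephemeral {
		return 0, errors.New("ephemeral secrets are single-revision")
	}
	latest := sec.revisions[len(sec.revisions)-1].Number
	if latest != expectedLatest {
		return 0, fmt.Errorf("conflict: latest revision is %d, caller expected %d", latest, expectedLatest)
	}
	sec.revisions = append(sec.revisions, Revision{latest + 1, ct})
	s.log("encrypt", actor, id, fmt.Sprintf("revision %d", latest+1))
	return latest + 1, nil
}

// Read hands the newest ciphertext to the recipient and counts the read; an
// ephemeral secret is deleted the moment its read budget is exhausted.
func (s *Store) Read(id, actor string) ([]byte, error) {
	sec, ok := s.secrets[id]
	if !ok {
		return nil, errors.New("secret not found")
	}
	if actor != sec.Recipient {
		s.log("decrypt_denied", actor, id, "not the recipient")
		return nil, errors.New("only the recipient identity can read")
	}
	sec.reads++
	s.log("decrypt", actor, id, fmt.Sprintf("read %d", sec.reads))
	if sec.Ephemeral && sec.reads >= sec.MaxReads {
		delete(s.secrets, id)
		s.log("burn", actor, id, "read budget exhausted, object deleted")
	}
	return sec.revisions[len(sec.revisions)-1].Ciphertext, nil
}

func main() {
	s := NewStore()
	_ = s.Create("e1", "alice", "bob", []byte("<ciphertext>"), true, 1)
	_, _ = s.Read("e1", "bob")
	_, err := s.Read("e1", "bob")
	fmt.Println(err, s.Audit)
}
```

Note that a denied read is still written to the audit trail: the trail is meant to show who attempted what, not only what succeeded.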
CLI-First (ds verb noun)
Native CLI with ds auth login, ds enc sec, ds dec sec, ds list secrets. Multi-org support via --org flag
Bring Your Own Bucket
S3, GCS, R2, Azure Blob, MinIO. Encrypted data stored in your own bucket via presigned URLs. We only hold metadata
Configurable Storage Providers
Multiple providers per account. Active provider for writes, locked providers for reads. Credential rotation without downtime
Immutable Audit Log
Append-only trail of all auth, encryption, decryption, policy, and admin events with IP, actor, and identity context
Per-Actor Rate Limiting
Rate limits on all operations with tier-based multipliers (1x, 5x, 20x). Headers on every API response
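Per-actor limits with tier multipliers and headers on every response are a standard token-bucket shape. The Go limiter below is an added example for this page, not DeepSecret's code: the base limit, window, fallback for unknown tiers, and the header names are all assumptions, while the 1x/5x/20x multipliers are the ones the page states.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Tier multipliers from the page: Free 1x, Team 5x, Enterprise 20x. An unknown
// tier falls back to 1x rather than to "unlimited".
var tierMultiplier = map[string]float64{"free": 1, "team": 5, "enterprise": 20}

type bucket struct {
	tokens float64
	last   time.Time
}

// Limiter is a per-actor token bucket: each actor may make baseLimit*multiplier
// requests per window, refilling continuously rather than in fixed windows.
type Limiter struct {
	baseLimit float64
	window    time.Duration
	buckets   map[string]*bucket
}

func NewLimiter(baseLimit int, window time.Duration) *Limiter {
	return &Limiter{baseLimit: float64(baseLimit), window: window, buckets: map[string]*bucket{}}
}

// Allow decides one request and returns the headers every response should carry
// (header names are this example's choice). now is injected for testability.
func (l *Limiter) Allow(actor, tier string, now time.Time) (bool, map[string]string) {
	mult, ok := tierMultiplier[tier]
	if !ok {
		mult = 1
	}
	limit := l.baseLimit * mult
	b, ok := l.buckets[actor]
	if !ok {
		b = &bucket{tokens: limit, last: now}
		l.buckets[actor] = b
	}
	refill := now.Sub(b.last).Seconds() * limit / l.window.Seconds()
	if refill < 0 {
		refill = 0 // clock went backwards; never charge the actor for it
	}
	b.tokens = math.Min(limit, b.tokens+refill)
	b.last = now
	allowed := b.tokens >= 1
	if allowed {
		b.tokens--
	}
	h := map[string]string{
		"X-RateLimit-Limit":     fmt.Sprintf("%d", int(limit)),
		"X-RateLimit-Remaining": fmt.Sprintf("%d", int(b.tokens)),
	}
	if !allowed {
		// seconds until one token is back, rounded up so clients do not retry early
		wait := (1 - b.tokens) * l.window.Seconds() / limit
		h["Retry-After"] = fmt.Sprintf("%d", int(math.Ceil(wait)))
	}
	return allowed, h
}

func main() {
	l := NewLimiter(2, time.Second)
	now := time.Now()
	for i := 0; i < 3; i++ {
		ok, h := l.Allow("alice@example.com", "free", now)
		fmt.Println(ok, h)
	}
}
```

Keying the bucket on the authenticated actor rather than the source IP is what makes the limit per-actor: a service account behind a shared NAT gets its own budget, and one noisy identity cannot exhaust a colleague's.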
Tier-Based Retention
Audit log retention from 30 days (Free) to 1 year (Team) to custom (Enterprise). Configurable per account tier
Built for the
Post-Quantum Era
Every secret is encrypted identity-to-identity using ML-KEM-768 hybrid post-quantum cryptography. Private keys never leave the client. Per-recipient encryption prevents lateral exposure, enables revocation, and supports ephemeral, time-limited, IP-locked, and geo-fenced secrets.
No passwords, ever. All authentication flows through OIDC token exchange from trusted external issuers — Google for humans, workload identity federation for CI/CD, Kubernetes, and cloud workloads. Domain-verified organizations with hierarchical RBAC enforce who can do what.
Encrypted data is stored in your own S3-compatible bucket via presigned URLs — we only hold metadata, never ciphertext. With X25519 + ML-KEM-768 hybrid key exchange, defend against HNDL (Harvest Now, Decrypt Later) attacks today.
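The hybrid construction described here and in the feature list above (X25519 plus ML-KEM-768 key encapsulation feeding AES-256-GCM, with private keys that never leave the client) can be shown end to end with the Go standard library. The code below is an added example written for this page, not DeepSecret's implementation: the envelope layout, the HKDF-SHA256 combiner with its constructed domain-separation label, and the use of the secret's policy metadata as GCM associated data are this example's choices. It assumes Go 1.24 or later, where `crypto/mlkem` (FIPS 203) is part of the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient holds the two private keys an identity generates locally; only the
// PublicBundle is ever uploaded (the page's two-step key registration).
type Recipient struct {
	x  *ecdh.PrivateKey
	pq *mlkem.DecapsulationKey768
}

type PublicBundle struct {
	X25519 []byte // 32 bytes
	MLKEM  []byte // 1184-byte ML-KEM-768 encapsulation key
}

// Envelope is what lands in the bucket: both KEM outputs plus the AES-256-GCM
// nonce and ciphertext. No private key and no plaintext ever reach the server.
type Envelope struct {
	EphemeralX25519, MLKEMCiphertext, Nonce, Ciphertext []byte
}

const label = "example/x25519+mlkem768/v1" // constructed domain separator, not the product's

func GenerateRecipient() (*Recipient, error) {
	x, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	pq, err := mlkem.GenerateKey768()
	if err != nil { return nil, err }
	return &Recipient{x: x, pq: pq}, nil
}

func (r *Recipient) Public() PublicBundle {
	return PublicBundle{X25519: r.x.PublicKey().Bytes(), MLKEM: r.pq.EncapsulationKey().Bytes()}
}

// combine derives the AES-256 key with HKDF-SHA256 (extract, then one expand
// block) over both shared secrets. Recipient keys and both KEM ciphertexts go
// into the expand context, so substituting any of them yields an unrelated key.
func combine(ssX, ssPQ []byte, pub PublicBundle, env *Envelope) []byte {
	extract := hmac.New(sha256.New, []byte(label))
	extract.Write(ssX)
	extract.Write(ssPQ)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	for _, part := range [][]byte{pub.X25519, pub.MLKEM, env.EphemeralX25519, env.MLKEMCiphertext, {0x01}} {
		expand.Write(part)
	}
	return expand.Sum(nil) // 32 bytes
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt runs on the sender's device. aad is the secret's policy metadata, so a
// server that rewrote it could not still deliver a decryptable object.
func Encrypt(pub PublicBundle, plaintext, aad []byte) (*Envelope, error) {
	rx, err := ecdh.X25519().NewPublicKey(pub.X25519)
	if err != nil { return nil, err }
	ek, err := mlkem.NewEncapsulationKey768(pub.MLKEM)
	if err != nil { return nil, err }
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	ssX, err := eph.ECDH(rx)
	if err != nil { return nil, err }
	ssPQ, ctPQ := ek.Encapsulate()
	env := &Envelope{EphemeralX25519: eph.PublicKey().Bytes(), MLKEMCiphertext: ctPQ}
	gcm, err := newGCM(combine(ssX, ssPQ, pub, env))
	if err != nil { return nil, err }
	env.Nonce = make([]byte, gcm.NonceSize())
	if _, err := rand.Read(env.Nonce); err != nil { return nil, err }
	env.Ciphertext = gcm.Seal(nil, env.Nonce, plaintext, aad)
	return env, nil
}

// Decrypt runs on the recipient's device. A tampered ML-KEM ciphertext is not
// reported by Decapsulate (implicit rejection); it surfaces as a GCM failure.
func (r *Recipient) Decrypt(env *Envelope, aad []byte) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(env.EphemeralX25519)
	if err != nil { return nil, err }
	ssX, err := r.x.ECDH(ephPub)
	if err != nil { return nil, err }
	ssPQ, err := r.pq.Decapsulate(env.MLKEMCiphertext)
	if err != nil { return nil, err }
	gcm, err := newGCM(combine(ssX, ssPQ, r.Public(), env))
	if err != nil { return nil, err }
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("authentication failed: ciphertext, metadata or key material was altered")
	}
	return pt, nil
}

func main() {
	r, _ := GenerateRecipient()
	aad := []byte(`{"ttl":3600,"max_reads":1}`) // constructed policy metadata
	env, _ := Encrypt(r.Public(), []byte("db-password=example"), aad)
	pt, err := r.Decrypt(env, aad)
	fmt.Println(string(pt), err, len(env.MLKEMCiphertext), len(env.Ciphertext))
}
```

The hybrid property follows from the combiner: an attacker who later breaks X25519 still needs the ML-KEM shared secret, and one who breaks ML-KEM still needs the X25519 one, so recorded traffic (the HNDL case) stays protected unless both fail.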
ML-KEM-768 Post-Quantum
NIST FIPS 203 standardized lattice-based key encapsulation combined with X25519 for hybrid post-quantum key exchange.
AES-256-GCM
Authenticated encryption with 256-bit keys. Built-in integrity protection prevents silent corruption of ciphertext.
Zero-Password OIDC Auth
No passwords in the system. Humans authenticate via Google OIDC. Machines via workload identity federation from any OIDC-compliant issuer.
Domain-Verified Organizations
Accounts are tied to a verified domain via DNS TXT record. Human actors must authenticate with an email under the verified domain.
Per-Secret Policies
TTL expiration, ephemeral burn-after-read, IP locking, and geo-fencing. All enforced server-side. Adjustable by sender after creation.
Hierarchical RBAC
Four-tier role model: owner, admin, team_manager, actor. Roles embedded in short-lived session tokens for stateless enforcement.
Immutable Audit Log
Append-only log of all authentication, encryption, decryption, and policy events. Every action is tracked with IP, actor, and identity context.
Client-Side Encryption
All encryption and key generation happens on your device. Private keys never leave the client. Ciphertext stored in your own cloud bucket.
Cross-Account Sharing
Send secrets to identities in other organizations via public key lookup. Visibility controls prevent discovery of internal infrastructure identities.
How We Compare
Zero-Password, Identity-to-Identity Encryption with Post-Quantum Cryptography for Humans, Machines and AI Agents.
Unlike vault-based systems, DeepSecret encrypts each secret from sender identity to recipient identity, with zero-password OIDC authentication, domain-verified organizations, and per-secret policies.
| Feature | DeepSecret | 1Password | LastPass | Bitwarden | Doppler | Vault | PrivateBin |
|---|---|---|---|---|---|---|---|
| CLI-First | Yes (ds verb noun) | Yes | Community CLI | Yes | Yes | Yes | No |
| Zero-Password Auth (OIDC) | OIDC only, no passwords | Password + 2FA | Password + 2FA | Password + 2FA | SSO optional | Multiple backends | No auth |
| Domain Verification | DNS TXT record | Domain claim | Domain claim | Domain claim | No | No | No |
| Workload Identity (CI/K8s) | OIDC federation | Service accounts | No | Service accounts | Service tokens | Yes | No |
| E2E Encryption | Identity-to-identity | Per vault | Per vault | Per vault | Server-side | Server-side | Per paste |
| RBAC | 4-tier hierarchical | Groups/vaults | Folders/sharing | Collections | Environments | ACL policies | No |
| Cross-Account Sharing | Via public key lookup | Guest accounts | Sharing center | Org sharing | No | No | URL sharing |
| Per-Secret Policies | TTL, ephemeral, IP, geo | No | No | Send expiry | No | TTL only | Expiry only |
| Revisions | Optimistic locking | Item history | Password history | Password history | Yes | Yes | No |
| Storage Location | Your bucket (BYOB) | Their cloud | Their cloud | Cloud / Self-host | Their cloud | Self-host | Self-host |
| Immutable Audit Log | Append-only, per-actor | Activity log | Event log | Event log | Yes | Yes | No |
| IP Locking | Per-secret + org-level | No | No | No | Env-level | Yes | No |
| Geo-Fencing | Per-secret (MaxMind) | No | No | No | No | No | No |
| Post-Quantum (ML-KEM-768) | X25519 + ML-KEM hybrid | No | No | No | No | No | No |
| Per-Actor Rate Limiting | Tier-based multipliers | Global limits | Global limits | Global limits | Global limits | Per-path | No |
Simple, Transparent Pricing
Identity-to-Identity Encryption
Every secret encrypted from sender identity to recipient identity using ML-KEM-768 hybrid post-quantum cryptography. No shared vaults, no shared keys.
Zero-Password OIDC Authentication
No passwords in the system. Humans authenticate via Google OIDC. Machines via workload identity federation from GitHub Actions, Kubernetes, AWS, GCP, or any OIDC issuer.
Domain-Verified Organizations
DNS TXT record verification ties accounts to domains. Human actors must use verified domain email. One email, one organization.
Bring Your Own Bucket
S3, GCS, R2, Azure Blob, MinIO. Encrypted data stored in your own bucket via presigned URLs. We only hold metadata, never ciphertext.
Post-Quantum Security, Fair Pricing
ML-KEM-768 hybrid post-quantum cryptography, RBAC, per-secret policies, and immutable audit logs at transparent prices. No hidden costs, no sales calls for standard tiers.
- Up to 5 actors
- Up to 100 secrets
- Up to 500 revisions
- 100 MB storage (BYOB)
- Up to 5 trust policies
- X25519 + ML-KEM-768 hybrid
- Zero-password OIDC auth
- Workload identity
- Domain verification
- Full RBAC (4-tier roles)
- Organization policies
- TTL, ephemeral, IP lock, geo-fence
- Cross-account sharing
- Audit log (30-day retention)
- 1x rate limits
- Self-hosted
- Kubernetes deployment

- Up to 50 actors (humans + service accounts)
- Up to 5,000 secrets
- Up to 25,000 revisions
- 10 GB storage (BYOB)
- Up to 50 trust policies
- X25519 + ML-KEM-768 hybrid
- Zero-password OIDC auth
- Workload identity (GitHub, K8s, AWS)
- Domain verification
- Full RBAC (4-tier roles)
- Organization policies (IP allowlist, session binding)
- TTL, ephemeral, IP lock, geo-fence
- Cross-account sharing
- Audit log (1-year retention)
- 5x rate limits
- Self-hosted
- Kubernetes deployment

- Unlimited actors
- Unlimited secrets
- Unlimited revisions
- Custom storage quota (BYOB)
- Unlimited trust policies
- X25519 + ML-KEM-768 hybrid
- Zero-password OIDC auth
- Workload identity (GitHub, K8s, AWS, GCP, any OIDC)
- Domain verification
- Full RBAC (4-tier roles)
- Organization policies (IP allowlist, session binding, issuer restrictions)
- TTL, ephemeral, IP lock, geo-fence
- Cross-account sharing
- Audit log (custom retention)
- 20x rate limits (or custom)
- Self-hosted
- Kubernetes deployment

- Unlimited actors
- Unlimited secrets
- Unlimited revisions
- Your infrastructure (BYOB)
- Unlimited trust policies
- X25519 + ML-KEM-768 hybrid
- Zero-password OIDC auth
- Workload identity (any OIDC issuer)
- Domain verification
- Full RBAC (4-tier roles)
- Organization policies (full configuration)
- TTL, ephemeral, IP lock, geo-fence
- Cross-account sharing
- Audit log (unlimited retention)
- No rate limits
- Self-hosted
- Kubernetes deployment