ORIGIN9 Feature
Secrets Engine
Encrypted vault with rotation, versioning, audit, and direct-to-pod injection.
Secrets are organized in a folder tree and scoped per environment, so dev credentials cannot leak into production. Values are encrypted at rest with AES-256-GCM, with AWS KMS managing the keys, and injected into workloads at runtime: a webhook validates the requesting pod's identity token before returning any secret, so nothing has to be stored in Git. Every read, write, and rotation is logged. Six secret types (General, TLS, Docker registry, SSH key, Basic Auth, AWS credentials) each ship with a validator for the shape that type requires.
AES-256-GCM Encryption
AES-256-GCM at rest with AWS KMS key management. GCM is authenticated encryption, so a stored value that has been modified, truncated or swapped fails to decrypt instead of silently returning garbage.
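The following is an added illustration, not ORIGIN9 code, of how AES-256-GCM at rest combines with a key-management service. It assumes envelope encryption (a random per-secret data key, itself wrapped under a key-encryption key that stands in for KMS; the page does not spell out this layout) and binds each ciphertext to its path, environment and version through GCM's additional authenticated data, so a blob copied from the dev scope into the prod scope fails to open. Names such as Record, Encrypt and bindingAAD are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is one stored secret version. The KEK never sits next to it: in a
// deployment like the one described, the data key would be wrapped by AWS KMS;
// here a local AES key stands in for KMS (assumption made for this example).
type Record struct {
	Path, Env  string
	Version    int
	WrappedDEK []byte // per-secret data key sealed under the KEK, nonce prefixed
	Ciphertext []byte // secret value sealed under the DEK, nonce prefixed
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with a fresh random 96-bit nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open returns an authentication error if ciphertext, tag, nonce or aad differ.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// bindingAAD ties a blob to its location so a ciphertext relabelled from the
// dev scope to the prod scope (or moved into another version slot) fails to decrypt.
func bindingAAD(path, env string, version int) []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%d", path, env, version))
}

func Encrypt(kek []byte, path, env string, version int, value []byte) (*Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	aad := bindingAAD(path, env, version)
	ct, err := seal(dek, value, aad)
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek, dek, aad) // in the real engine: KMS Encrypt with the same values as EncryptionContext
	if err != nil {
		return nil, err
	}
	return &Record{Path: path, Env: env, Version: version, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

func Decrypt(kek []byte, r *Record) ([]byte, error) {
	aad := bindingAAD(r.Path, r.Env, r.Version)
	dek, err := open(kek, r.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, r.Ciphertext, aad)
}

func main() {
	kek := make([]byte, 32) // constructed: in production this key lives in KMS and never leaves it
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, _ := Encrypt(kek, "payments/db", "dev", 1, []byte("dev-password"))
	pt, err := Decrypt(kek, rec)
	fmt.Println(string(pt), err)
	moved := *rec
	moved.Env = "prod" // relabel the dev blob as prod: the authentication tag no longer verifies
	_, err = Decrypt(kek, &moved)
	fmt.Println(err)
}
```

Two design points worth keeping when adapting this: the AAD is what turns "encrypted" into "encrypted for this path in this environment", and the per-secret data key keeps the number of GCM seals under any one key tiny, so the random-nonce collision bound (about 2^32 messages per key) never comes into play the way it would with one long-lived key for the whole store.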
Folder Hierarchy
Organize secrets in a folder tree up to 10 levels deep. Environment scoping separates dev from production values at the same path.
Six Secret Types
General, TLS Certificate, Docker Registry, SSH Key, Basic Auth, and AWS Credentials — each with shape validation on write.
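An added example, written for this page rather than taken from ORIGIN9, of what shape validation on write can look like for the six types. The field names follow the Kubernetes Secret conventions (tls.crt, tls.key, ssh-privatekey, and so on); the engine's own field names are not stated on the page and are an assumption here. The checks are deliberately structural: a PEM block of the right type, an AWS access key ID of the documented form (AKIA or ASIA plus 16 uppercase alphanumerics), a 40-character secret key, and a session token whenever the key ID marks temporary credentials.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Secret type identifiers used by this example (assumed names).
const (
	TypeGeneral = "general"
	TypeTLS     = "tls"
	TypeDocker  = "docker-registry"
	TypeSSH     = "ssh-key"
	TypeBasic   = "basic-auth"
	TypeAWS     = "aws-credentials"
)

// AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) plus 16 more.
var awsKeyID = regexp.MustCompile(`^(AKIA|ASIA)[A-Z0-9]{16}$`)

// require rejects a write when any named field is missing or blank.
func require(fields map[string]string, names ...string) error {
	for _, n := range names {
		if strings.TrimSpace(fields[n]) == "" {
			return fmt.Errorf("missing field %q", n)
		}
	}
	return nil
}

// requirePEM rejects non-PEM input and a PEM block of the wrong type; a
// certificate pasted into the key slot is the usual mistake it catches.
func requirePEM(fields map[string]string, name string, types ...string) error {
	block, _ := pem.Decode([]byte(fields[name]))
	if block == nil {
		return fmt.Errorf("%s: not PEM encoded", name)
	}
	for _, t := range types {
		if block.Type == t {
			return nil
		}
	}
	return fmt.Errorf("%s: PEM block type %q not allowed", name, block.Type)
}

// Validate returns nil when fields have the shape the secret type requires.
func Validate(secretType string, fields map[string]string) error {
	switch secretType {
	case TypeGeneral:
		if len(fields) == 0 {
			return errors.New("general: at least one key/value pair required")
		}
		for k := range fields {
			if strings.TrimSpace(k) == "" {
				return errors.New("general: empty key name")
			}
		}
		return nil
	case TypeTLS:
		if err := requirePEM(fields, "tls.crt", "CERTIFICATE"); err != nil {
			return err
		}
		// An encrypted key is excluded on purpose: the server could not use it without a passphrase.
		return requirePEM(fields, "tls.key", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY")
	case TypeDocker:
		return require(fields, "server", "username", "password")
	case TypeSSH:
		return requirePEM(fields, "ssh-privatekey", "OPENSSH PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY")
	case TypeBasic:
		return require(fields, "username", "password")
	case TypeAWS:
		if err := require(fields, "aws_access_key_id", "aws_secret_access_key"); err != nil {
			return err
		}
		id := fields["aws_access_key_id"]
		if !awsKeyID.MatchString(id) {
			return errors.New("aws: access key ID must be AKIA/ASIA followed by 16 uppercase alphanumerics")
		}
		if len(fields["aws_secret_access_key"]) != 40 {
			return errors.New("aws: secret access key must be 40 characters")
		}
		if strings.HasPrefix(id, "ASIA") && fields["aws_session_token"] == "" {
			return errors.New("aws: temporary credentials (ASIA...) need aws_session_token")
		}
		return nil
	}
	return fmt.Errorf("unknown secret type %q", secretType)
}

func main() {
	// Constructed sample: AWS's documented example credentials, not live ones.
	fmt.Println("aws:", Validate(TypeAWS, map[string]string{
		"aws_access_key_id":     "AKIAIOSFODNN7EXAMPLE",
		"aws_secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
	}))
	// Constructed sample: a certificate block in the key slot is rejected on write.
	cert := "-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
	fmt.Println("tls:", Validate(TypeTLS, map[string]string{"tls.crt": cert, "tls.key": cert}))
}
```

Shape checks like these stop the write that would otherwise only fail at injection time, inside a pod, with far less context; they do not prove a certificate matches its key, which needs an x509 parse and a public-key comparison on top.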
Version History & Rollback
Up to ten versions per secret with who/when/what metadata. One-click rollback restores any previous value.
Scheduled Rotation
Daily, weekly, monthly, or yearly rotation schedules with expiry warnings; workloads that consume a rotated secret are restarted so they pick up the new value.
Identity-Bound Injection
A pod must present a valid workload token to read its secrets. No plaintext in manifests, no static environment variables committed to Git.
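The decision the injection webhook has to make, as an added example that is not ORIGIN9's code: verify the workload token (signature, expiry, audience), then authorize the verified identity for the environment it asks for, and only then release the value and write the audit line with the identity taken from the token. The token format is a stand-in: a JSON payload with the sub, aud and exp claims a Kubernetes projected service-account token carries, signed with HMAC-SHA256 so the example runs offline, where a real cluster uses the API server's asymmetric key and a TokenReview call. The rule that a namespace may read only the environment of the same name, and the names Audience, MintToken, VerifyToken, Authorize and ReadSecret, are this example's assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"net/http"
	"strings"
	"time"
)

const Audience = "secrets-engine" // audience the injector requests for the token (assumed name)

// Claims is the subset of a projected service-account token the webhook needs.
type Claims struct {
	Sub string   `json:"sub"` // system:serviceaccount:<namespace>:<name>
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

func sign(key []byte, payload string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// MintToken issues payload.sig under HMAC-SHA256: an offline stand-in for the
// API server's signature, used here only so the example runs without a cluster.
func MintToken(key []byte, c Claims) string {
	payload, _ := json.Marshal(c) // Claims has only marshalable fields
	p := base64.RawURLEncoding.EncodeToString(payload)
	return p + "." + sign(key, p)
}

// VerifyToken checks the signature first, then expiry and audience, before any claim is trusted.
func VerifyToken(key []byte, token string, now time.Time) (*Claims, error) {
	p, sig, ok := strings.Cut(token, ".")
	if !ok || !hmac.Equal([]byte(sig), []byte(sign(key, p))) {
		return nil, errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(p)
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	for _, a := range c.Aud {
		if a == Audience {
			return &c, nil
		}
	}
	return nil, errors.New("token not issued for the secrets engine")
}

// Authorize ties the verified identity to the environment it may read (assumed rule: namespace == environment).
func Authorize(c *Claims, env string) error {
	parts := strings.Split(c.Sub, ":")
	if len(parts) != 4 || parts[0] != "system" || parts[1] != "serviceaccount" {
		return errors.New("subject is not a service account")
	}
	if parts[2] != env {
		return fmt.Errorf("namespace %q may not read %q secrets", parts[2], env)
	}
	return nil
}

// ReadSecret is the webhook's decision for one request: value and HTTP status.
func ReadSecret(key []byte, store map[string]string, bearer, env, path string, now time.Time) (string, int) {
	c, err := VerifyToken(key, bearer, now)
	if err != nil {
		return "", http.StatusUnauthorized
	}
	if Authorize(c, env) != nil {
		return "", http.StatusForbidden
	}
	v, ok := store[env+"/"+path]
	if !ok {
		return "", http.StatusNotFound
	}
	log.Printf("audit read env=%s path=%s by=%s", env, path, c.Sub) // identity from the token, never from the client
	return v, http.StatusOK
}

func main() {
	key, now := []byte("constructed-signing-key"), time.Now() // constructed
	store := map[string]string{"dev/payments/db": "dev-pw", "prod/payments/db": "prod-pw"}
	tok := MintToken(key, Claims{Sub: "system:serviceaccount:dev:api", Aud: []string{Audience}, Exp: now.Add(time.Minute).Unix()})
	_, allowed := ReadSecret(key, store, tok, "dev", "payments/db", now)
	_, denied := ReadSecret(key, store, tok, "prod", "payments/db", now)
	fmt.Println(allowed, denied)
}
```

The order matters: authentication failures (no token, bad signature, expired, wrong audience) are all reported as 401 before any path is consulted, so an unauthenticated caller cannot even learn which environments or paths exist, and the audience check stops a token minted for the API server from being replayed against the secrets endpoint.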