Encrypted secrets storage, provable access

Secrets, sealed. Access, proved. Every read and write leaves a receipt you can verify offline.

VeritaVault stores your API keys, passwords, and credentials client-side-encrypted — and chains every access into an append-only, publicly-checkpointed log. You get the convenience of a secrets manager with an audit trail that can't be quietly rewritten. Not even by us.

DB_PASSWORD · sha256:4a9c…be12 · leaf #187 · sealed 2026-04-21

How it works

Three layers. No silent rewrites.

Most secrets managers keep an audit log — and ask you to trust that the log hasn't been touched. VeritaVault turns the log into a Merkle-chained transparency record with public checkpoints, so integrity becomes something you can prove rather than assume.

01 · ENCRYPT

client-side, zero-knowledge

Secrets are encrypted on your machine with keys we never see. The vault server holds ciphertext and metadata — nothing it could leak in plaintext.

02 · CHAIN

hash-linked events

Every set, get, rotate, and delete becomes a signed event in an append-only log. Each event references the previous by hash — rewriting history breaks everything downstream.

03 · CHECKPOINT

publicly witnessed

The log's Merkle root is published at regular intervals to independent witnesses. If we quietly rewrite your history, the checkpoint record makes it detectable.
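The chain and checkpoint layers, sketched as an added example (not VeritaVault's code or wire format): the event fields, JSON encoding and Merkle construction are assumptions, and signatures are omitted. It shows why both layers matter: a naive edit breaks the hash chain, while a rewrite that recomputes every link is only caught by the witnessed root.

```python
import copy, hashlib, json
FIELDS = ("seq", "op", "key", "actor", "prev")  # assumed event schema
ZERO = "0" * 64

def event_hash(ev):
    # Hash a canonical encoding that includes the previous event's hash.
    body = json.dumps({f: ev[f] for f in FIELDS}, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()

def append_event(log, op, key, actor):
    ev = {"seq": len(log), "op": op, "key": key, "actor": actor, "prev": log[-1]["hash"] if log else ZERO}
    ev["hash"] = event_hash(ev)
    log.append(ev)

def merkle_root(leaf_hashes):
    # 0x00/0x01 prefixes keep leaf and interior hashes distinct; an odd node is promoted.
    level = [hashlib.sha256(b"\x00" + bytes.fromhex(x)).digest() for x in leaf_hashes]
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        level = nxt + (level[-1:] if len(level) % 2 else [])
    return level[0].hex()

def verify_log(log, witnessed_root, witnessed_size):
    prev = ZERO
    for i, ev in enumerate(log):
        if ev["seq"] != i or ev["prev"] != prev or ev["hash"] != event_hash(ev):
            return f"chain broken at event {i}"
        prev = ev["hash"]
    if len(log) < witnessed_size:
        return "log shorter than checkpoint"
    root = merkle_root([e["hash"] for e in log[:witnessed_size]])
    return "ok" if root == witnessed_root else "checkpoint mismatch"

def rewrite(log, index, actor, relink):
    # Copy with one actor changed; relink=True also recomputes every hash link.
    forged = copy.deepcopy(log)
    forged[index]["actor"] = actor
    prev = ZERO
    for ev in (forged if relink else []):
        ev["prev"] = prev
        ev["hash"] = prev = event_hash(ev)
    return forged

# Constructed sample events; ROOT stands in for what independent witnesses hold.
LOG = []
for op, actor in [("set", "alice"), ("get", "ci-runner"), ("get", "mallory"), ("rotate", "alice")]:
    append_event(LOG, op, "DB_PASSWORD", actor)
ROOT = merkle_root([e["hash"] for e in LOG])
```

Appending new events after the checkpoint still verifies, because only the first `witnessed_size` leaves are compared against the witnessed root.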

On the command line

Quick look.

# Store a secret — client-side encrypted, chained, receipt back.
$ veritavault set DB_PASSWORD --from-stdin
  key          DB_PASSWORD
  digest       sha256:4a9c54…be12
  chain-leaf   #00187
  receipt      DB_PASSWORD.vv-receipt.json
  OK sealed at checkpoint #00042

# Read a secret — decrypts on your machine, logs a signed access event.
$ veritavault get DB_PASSWORD --verify
   key exists at leaf 187
   signature valid, stored 2026-04-21T12:00:00Z
   access event countersigned and chained
   no tampering since last checkpoint
  RESULT: decrypted, ready

# Audit — every event in a window, with inclusion proofs you can verify offline.
$ veritavault audit --since 2026-04-01 --verify
   28 events, all signatures valid
   chain intact, checkpoint #00040 → #00048
   witness endorsements match our own root hash
  RESULT: no silent modifications

What it does — and doesn't

An honest safe, not a magic one.

VeritaVault can prove…

  • who read each secret, and when
  • which secrets were stored, in what order
  • no secret has been modified since it was sealed
  • the log itself hasn't been silently rewritten
  • any of the above, offline, from signed receipts

It can't…

  • keep a secret from a compromised client — endpoint security is still on you
  • retroactively protect a credential that leaked before it was stored
  • recover a master passphrase you've forgotten (no backdoor, by design)
  • replace your threat model — it provides proofs, not policies

Who it's for

Built for people who need an audit trail that holds up.

Developers & platform teams

API keys, CI/CD secrets, service credentials — with a provable access log you can hand an auditor without a "trust the logs" asterisk.

Compliance & infosec

SOC2, HIPAA, ISO 27001 — every framework asks for access logging. VeritaVault gives you logs with cryptographic integrity built in.

Security-conscious individuals

A personal password vault whose audit trail you don't have to take on faith. Export a receipt, verify offline, sleep better.

Alpha access, no marketing noise.

One email when the vault daemon, CLI, and browser extension are ready. Unsubscribe in one click.