Your secrets. Your keys. Your infrastructure.
A self-hosted secret manager on Cloudflare Workers. Store secrets only you can decrypt, share them with your team through roles, and revoke access with one command. No servers to run, and no vault vendor holding your keys: in zero-knowledge mode, secrets are encrypted before they leave your machine and the vault stores only ciphertext.
AES-256 per-secret encryption · E2E zero-knowledge mode · 3 encryption layers · SHA-256 hash-chained audit
How does it compare?
| Feature | Secret Vault | Vault | AWS Secrets Manager | Doppler | Infisical |
|---|---|---|---|---|---|
| Self-hosted | ✓ | ✓ | — | — | ✓ |
| Zero-knowledge E2E | ✓ | — | — | — | ✓ |
| No servers to run | ✓ | — | ✓ | ✓ | — |
| One-command deploy | ✓ | — | — | — | — |
| Per-secret encryption keys | ✓ | — | ✓ | — | — |
| Key rotation without re-encrypting | ✓ | ✓ | ✓ | — | ✓ |
| RBAC + tag restrictions | ✓ | ✓ | ✓ | ✓ | ✓ |
| Tamper-evident audit chain | ✓ | — | — | — | — |
| Burn after reading | ✓ | — | — | — | — |
| Cloudflare WARP / Zero Trust | ✓ | — | — | — | — |
| Device-bound authentication | ✓ | — | — | — | — |
| Gateway-policeable CLI | ✓ | — | — | — | — |
| Geo-fencing | ✓ | — | — | — | — |
| Version history + restore | ✓ | ✓ | ✓ | ✓ | ✓ |
| SSO with any IdP (free) | ✓ | ✓ | ✓ | — | — |
| Runtime feature flags | ✓ | — | — | — | — |
| GitHub Action | ✓ | ✓ | ✓ | ✓ | ✓ |
| Free at any scale | ✓ | — | — | — | — |
| All features included | ✓ | — | — | — | — |
| Open source | ✓ | — | — | — | ✓ |
Get started in 4 steps
1. Deploy to your Cloudflare account
One command creates the Worker, D1 database, KV namespace, and Access policies. Everything runs on your account.
$ brew tap homeflare/tap && brew install homeflare
# or: npm i -g @homeflare/hfs
$ homeflare secrets deploy
Deployed to https://secrets.homeflare.dev

2. Connect, log in, generate your key
Point the CLI to your vault, authenticate through your identity provider, and generate an age identity. The private key stays on your machine and never touches the server; only the public key is registered with the vault, so teammates can encrypt secrets to you.
$ hfs config set --url https://secrets.homeflare.dev
$ hfs login
Authenticated successfully
$ hfs keygen --register
public key: age196nua3eewwvud6k858la...

3. Store secrets the server cannot read
Private secrets are encrypted on your machine before upload; only your age identity can decrypt them. Team secrets are encrypted to the public key of every member whose role grants access, so the server holds ciphertext it cannot open.
# Only you can read this
$ hfs set API_KEY "sk-ant-..." --private
Stored API_KEY (e2e private)
# Shared with your team based on roles
$ hfs set DEPLOY_TOKEN "ghp_..." --e2e -t production
encrypting for 3 recipients
Stored DEPLOY_TOKEN (e2e)
4. Use everywhere. Revoke instantly.
Load secrets into your shell, CI pipelines, or config files. When someone leaves, remove them and rewrap: every secret is re-encrypted for the remaining recipients and their key is excluded. Rewrapping stops them decrypting anything from now on; it cannot take back values they already read, so rotate those credentials as well.
$ eval $(hfs env --export API_KEY DB_PASSWORD)
$ hfs template .env.tpl > .env
# Someone leaves
$ hfs user rm alice@co.com
$ hfs rewrap --all
12 secret(s) rewrapped

How your secret is protected
hfs CLI · REST API · GitHub Action
↓ age encrypt (e2e) ↓
Cloudflare Edge — DDoS · TLS · Access (IdP + hardware keys)
↓ JWT ↓
Worker — ZT verify → DEK encrypt → KEK wrap → HMAC sign → Audit
↓ ciphertext only ↓
D1 (SQLite) · KV (flags)