# Secret Vault

> Self-hosted encrypted secret manager on Cloudflare Workers with end-to-end encryption. Store secrets only you can decrypt, share with your team through RBAC, and revoke access with one command. No servers to run. No third parties to trust.

## What it is

Secret Vault runs entirely on your Cloudflare account as a Worker with D1 (SQLite) and KV storage. It provides encrypted secret management through a CLI (hfs) and a REST API. Secrets can be end-to-end encrypted with age so the server never sees plaintext.

## How encryption works

Three layers protect each secret:

1. End-to-end: age encryption on the client. Private secrets are encrypted for one person. Team secrets are encrypted for every user whose RBAC role grants access. The server stores ciphertext it cannot decrypt.
2. Envelope: each secret gets its own AES-256-GCM data encryption key (DEK), wrapped by a master key (KEK). Key rotation re-wraps the DEKs without re-encrypting the data.
3. Integrity: two mechanisms. GCM AAD binds the secret's name to its ciphertext at encrypt time, so a ciphertext cannot be replayed under another name; HMAC-SHA256 with a separate key detects tampering with the stored record even if the encryption key is compromised.

Only the first layer keeps the Worker itself blind: envelope encryption and the HMAC protect data at rest against storage compromise, while a secret stored without end-to-end encryption is readable by whatever holds the KEK.

## Authentication

Two modes, no fallback. Interactive sessions authenticate through Cloudflare Access (IdP plus optional hardware keys). Service tokens use registered client ID/secret pairs with scoped permissions.
## Key features

- [CLI](https://github.com/FlarelyLegal/worker-secrets/tree/main/hfs): hfs command-line tool for all operations
- [Encryption architecture](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/encryption.md): envelope encryption, HMAC, key rotation, audit chain
- [E2E encryption](https://github.com/FlarelyLegal/worker-secrets/blob/main/hfs/README.md): `--private` for personal, `--e2e` for team, `--recipients` for explicit keys
- [WARP / Zero Trust](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/cloudflare-warp.md): challenge-response device verification, ZT cert binding, Gateway-policeable CLI
- [RBAC](https://github.com/FlarelyLegal/worker-secrets/blob/main/SECURITY.md): roles with scoped permissions and tag-based access restrictions
- [Feature flags](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/feature-flags.md): runtime configuration stored in KV, no redeploy needed
- [Secret expiration](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/feature-flags.md#enforce_expiry): set a TTL on secrets, list expiring secrets, enforce expiry via feature flag
- [Secret references](https://github.com/FlarelyLegal/worker-secrets/blob/main/hfs/README.md): `${SECRET_NAME}` interpolation with `--resolve` on the get, env, template, and profile commands
- [Environment profiles](https://github.com/FlarelyLegal/worker-secrets/blob/main/hfs/README.md): tag-based logical groupings, export as shell variables, compare across profiles
- [Audit consumers](https://github.com/FlarelyLegal/worker-secrets/blob/main/hfs/README.md): dependency mapping - see who (identity, agent, count) accessed any secret
- [GitHub Action](https://github.com/FlarelyLegal/worker-secrets/tree/main/action): fetch secrets into CI workflows
- [OpenAPI spec](https://secrets.homeflare.dev/doc/json): auto-generated from Zod schemas
- [API docs](https://secrets.homeflare.dev/doc): interactive Scalar UI

## CLI quick start

```bash
brew tap homeflare/tap && brew install homeflare
# or: npm i -g @homeflare/hfs

homeflare secrets deploy
homeflare secrets config set --url https://secrets.homeflare.dev
homeflare secrets login
homeflare secrets keygen --register
homeflare secrets set DB_PASSWORD "value" --private
```

## Documentation

- [README](https://github.com/FlarelyLegal/worker-secrets/blob/main/README.md): project overview and architecture
- [Encryption architecture](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/encryption.md): key hierarchy, envelope encryption, HMAC, rotation, audit chain
- [CLI README](https://github.com/FlarelyLegal/worker-secrets/blob/main/hfs/README.md): all commands and usage
- [Security](https://github.com/FlarelyLegal/worker-secrets/blob/main/SECURITY.md): threat model and hardening guide
- [WARP / Zero Trust](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/cloudflare-warp.md): device binding, challenge-response, Gateway policies
- [Feature flags](https://github.com/FlarelyLegal/worker-secrets/blob/main/docs/feature-flags.md): all runtime flags with defaults

## License

Apache 2.0. See [LICENSE](https://github.com/FlarelyLegal/worker-secrets/blob/main/LICENSE).