Secrets in Slack DMs, in .env.example, in a shared 1Password vault nobody audits.
"hey can you DM me the prod stripe key real quick"
Now it's in two inboxes, one phone backup, and a Slack export that goes to legal in 2027.
A 1Password vault with 47 people in it
When a contractor leaves, you rotate 23 keys. When they don't leave, you forget.
"Who saw the production database password last quarter?"
No one knows. There is no log. The auditor writes a finding. The CTO writes an apology email.
An encrypted workspace for every codebase you ship.
Each project gets its own keyspace, and each environment (prod, staging, dev) is partitioned again within it. A staging credential is a different secret, in a different aegis, from a prod credential of the same name - separately audited, separately rotated, separately permissioned.
- AES-256-GCM with 96-bit nonces, per-record
- Master key rotation every 90 days, automated
- BYOK on Enterprise - bring your own KMS
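The three bullets above name the primitives (per-record AES-256-GCM with 96-bit nonces, partitioned keyspaces, routine master-key rotation) without showing how they fit together. The Go program below is an added example written for this page, not Aegis's code, and it assumes nothing about Aegis's real storage format or key hierarchy. It uses envelope encryption: each record gets a fresh 32-byte data key and a fresh 96-bit nonce, the project/env/name partition is fed to GCM as additional authenticated data so a ciphertext moved between partitions fails to open, and a master-key rotation only re-wraps the data key. Record, Seal, Open and RotateMaster are this example's own names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// Record is one stored secret: the value sealed under its own data key,
// and that data key sealed under the master key (envelope encryption).
type Record struct {
	Project, Env, Name string
	Nonce              []byte // 96-bit GCM nonce for the value, fresh per record
	Ciphertext         []byte // value || 16-byte GCM tag
	WrapNonce          []byte // 96-bit GCM nonce for the key wrap
	WrappedKey         []byte // 32-byte data key || tag, under the master key
	MasterKeyID        string // which master key wraps this record
}

// aad binds a ciphertext to its partition. GCM authenticates it, so a
// staging blob copied into a prod record of the same name fails to open
// instead of quietly decrypting.
func aad(project, env, name string) []byte {
	return []byte(project + "\x00" + env + "\x00" + name)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // 96-bit nonce, 128-bit tag
}

func randomBytes(n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(rand.Reader, b)
	return b, err
}

// wrapKey seals dataKey under masterKey, with the key ID as AAD.
func wrapKey(masterKey []byte, masterKeyID string, dataKey []byte, r *Record) error {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return err
	}
	if r.WrapNonce, err = randomBytes(gcm.NonceSize()); err != nil {
		return err
	}
	r.WrappedKey = gcm.Seal(nil, r.WrapNonce, dataKey, []byte(masterKeyID))
	r.MasterKeyID = masterKeyID
	return nil
}

func unwrapKey(masterKey []byte, r *Record) ([]byte, error) {
	gcm, err := newGCM(masterKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.WrapNonce, r.WrappedKey, []byte(r.MasterKeyID))
}

// Seal encrypts value for project/env/name with a fresh data key.
func Seal(masterKey []byte, masterKeyID, project, env, name string, value []byte) (*Record, error) {
	dataKey, err := randomBytes(32)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	r := &Record{Project: project, Env: env, Name: name}
	if r.Nonce, err = randomBytes(gcm.NonceSize()); err != nil {
		return nil, err
	}
	r.Ciphertext = gcm.Seal(nil, r.Nonce, value, aad(project, env, name))
	return r, wrapKey(masterKey, masterKeyID, dataKey, r)
}

// Open rebuilds the AAD from the record's own partition and decrypts.
func Open(masterKey []byte, r *Record) ([]byte, error) {
	dataKey, err := unwrapKey(masterKey, r)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, aad(r.Project, r.Env, r.Name))
}

// RotateMaster re-wraps the data key under newMaster. The value's
// ciphertext and nonce are untouched and its plaintext never appears.
func RotateMaster(oldMaster, newMaster []byte, newID string, r *Record) error {
	dataKey, err := unwrapKey(oldMaster, r)
	if err != nil {
		return err
	}
	return wrapKey(newMaster, newID, dataKey, r)
}
```

Two points worth checking in any real implementation. First, the 96-bit nonce must never repeat under the same key; with a fresh data key per record each key encrypts exactly once, which is why the example generates one. If a single key were reused across many records with random nonces, NIST SP 800-38D's guidance caps that at 2^32 encryptions per key. Second, rotation here only touches the wrap, so a 90-day master rotation is O(records) small re-wraps and the plaintext is never materialised; rotating a leaked data key, by contrast, does require re-encrypting that record's value.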
# Pull prod credentials, encrypted in transit
$ sb aegis pull --project payments-api --env prod
✓ Authenticated as maya@slatebeaver.com
✓ 23 secrets fetched · masked locally

# Reveal one (logged immediately)
$ sb aegis reveal STRIPE_SECRET_KEY
⚠ This reveal will be logged. Ticket reference? PAY-218
sk_live_51HxN8Lf...P92x
✓ Logged · m.rao · 14:02:11 · PAY-218
Joining a project ≠ seeing its credentials.
The single most important design decision in Aegis. A developer can be added to a project, see the kanban, file PRs - and still need an explicit, audited grant to view credentials.
Every reveal, every edit, every export - on the record forever.
Aegis writes an append-only audit log to a separate, hardened store. Cryptographically chained. Exportable to your SIEM. When an auditor asks who revealed a credential and why, the answer is already there.
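One way to build the append-only, cryptographically chained log described above, as an added example in Go using only the standard library. This is not Aegis's implementation: the page does not state its record format or hash construction, so the entry layout, the HMAC-over-length-prefixed-fields construction, the function names and the sample entries are all this example's own. Each entry's hash covers every field plus the previous entry's hash, so a reveal cannot be edited or deleted later without breaking every link after it.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one audit record. Hash is an HMAC over every field including
// Prev, so changing or removing any earlier entry breaks the link from
// the next entry onward.
type Entry struct {
	Seq    int
	Time   string // RFC 3339 timestamp supplied by the caller
	Actor  string
	Action string // "reveal", "edit" or "export"
	Secret string
	Ticket string
	Prev   string // hex HMAC of the previous entry; "" for the first
	Hash   string
}

// AuditLog is append-only: Append is the only mutation path.
type AuditLog struct {
	key     []byte // assumed to live with the verifier, not with the app that writes
	entries []Entry
}

// canonical length-prefixes each field so no field boundary is ambiguous
// (a ticket containing a separator cannot masquerade as another field).
func canonical(e Entry) []byte {
	var b []byte
	for _, f := range []string{fmt.Sprint(e.Seq), e.Time, e.Actor, e.Action, e.Secret, e.Ticket, e.Prev} {
		b = append(b, fmt.Sprintf("%d:%s", len(f), f)...)
	}
	return b
}

func (l *AuditLog) mac(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write(canonical(e))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an action and links it to the current head.
func (l *AuditLog) Append(time, actor, action, secret, ticket string) Entry {
	e := Entry{Seq: len(l.entries), Time: time, Actor: actor, Action: action, Secret: secret, Ticket: ticket}
	if n := len(l.entries); n > 0 {
		e.Prev = l.entries[n-1].Hash
	}
	e.Hash = l.mac(e)
	l.entries = append(l.entries, e)
	return e
}

// Verify walks the chain from genesis and returns the index of the first
// entry whose sequence number, back-link or HMAC is wrong, or -1 if intact.
func (l *AuditLog) Verify() int {
	prev := ""
	for i, e := range l.entries {
		if e.Seq != i || e.Prev != prev || !hmac.Equal([]byte(e.Hash), []byte(l.mac(e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// Reveals answers "who saw this secret, and why": every reveal of name.
func (l *AuditLog) Reveals(name string) []Entry {
	var out []Entry
	for _, e := range l.entries {
		if e.Action == "reveal" && e.Secret == name {
			out = append(out, e)
		}
	}
	return out
}

// Head is the value to anchor elsewhere (SIEM, notary, a second store):
// a chain cut back to an earlier entry still verifies on its own, so
// truncation is only caught by comparing against an anchored head.
func (l *AuditLog) Head() string {
	if len(l.entries) == 0 {
		return ""
	}
	return l.entries[len(l.entries)-1].Hash
}
```

Two caveats that matter when wiring this to a SIEM. A chain proves integrity from genesis to whatever head you hold; it does not by itself prove that head is the latest, so the head must be exported and compared out of band, which is what the example's Head() is for. And with an unkeyed hash, anyone who can rewrite the store can simply rebuild the entire chain; keeping the HMAC key with the verifier, or anchoring heads in an independent system, is what makes the rewrite detectable.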
Security details →