Enkryptify: field notes on a solo dev's secrets manager
Every developer I know has a shameful little pile of secrets somewhere: a .env file rsynced to a server, SMTP credentials pasted into a settings file, an API key that has lived in three different Slack threads. I keep meaning to fix mine. So when I found Enkryptify, an EU-based secrets manager, I spent an evening kicking the tyres. These are my honest field notes.
Short version: it's a hosted vault for API keys, database passwords and cloud credentials, aimed at engineering teams and, increasingly, AI agents. Think Doppler or Infisical, built by a small team in Ghent, Belgium, with the servers kept in the EU. As a solo dev who mostly ships Drupal, that European angle and the runtime-injection idea were what pulled me in.
What it actually does
The core pitch is that your secrets stop living in files. You store them centrally, and Enkryptify hands them to your process at execution time. The headline features it advertises:
- Runtime injection — secrets appear as environment variables in your running process, not on disk.
- Automatic rotation — scheduled rotation for a handful of providers (Postgres, OpenAI, OpenRouter, Resend).
- Scoped access for both humans and AI agents, with a 365-day audit trail.
- Leak and anomaly detection — though some of this is still flagged "coming soon," so I'd not bank on it yet.
- Syncs into about eleven platforms: AWS, Azure, GCP, Vercel, GitHub, GitLab, Bitbucket, Fly.io, Supabase, Kubernetes and 1Password.
The CLI, which is the part I care about
This is where it clicks for a deploy-it-yourself person. The ek CLI is open source (MIT, on GitHub), written in TypeScript, and the workflow is refreshingly boring: log in, link the project, then prefix your normal start command.
brew install enkryptify/enkryptify/enkryptify
ek login
ek configure
# secrets get injected as env vars into the child process
ek run -- npm run dev
That last line is the whole trick: ek run -- wraps your command and injects the secrets, so nothing touches a .env on the box. One small detail I appreciated: the auth token defaults to your OS credential store (Keychain, Secret Service, Windows Credential Manager), and on a headless server you can pass an ENKRYPTIFY_TOKEN env var instead, which it won't try to persist to disk.
The encryption model, without the marketing gloss
This is the bit worth reading carefully, because the honest answer matters. Enkryptify is not end-to-end or zero-knowledge. It uses application-level envelope encryption with AWS KMS: a per-environment data key encrypts your secrets with AES-GCM, only the encrypted data key is stored alongside the ciphertext, and decryption happens in memory on the backend. Ciphertext lives in a Postgres database (NeonDB, Frankfurt), with TLS 1.3 in transit.
The provider can, in principle, decrypt your secrets. Their defence is that IAM and KMS policies deny decrypt permissions to human identities — not mathematics, but operational control.
That's a fair, well-documented posture, and they're ISO 27001 certified and GDPR compliant. But it's a trust decision, not a guarantee. If your threat model requires that nobody at the vendor could ever read your keys, this isn't that. For my SMTP creds and a few third-party API keys, I'm comfortable. For, say, a client's payment credentials, I'd think harder.
The caveats I can't ignore
Two things give me pause. First, lock-in: the CLI and SDKs are open source, but the platform itself is a closed SaaS. If it disappears, my workflow disappears with it, so I'd keep an exportable copy of every secret. Second, maturity: this looks genuinely new. The GitHub repos have a handful of stars between them and I found essentially no independent community discussion, so I can't point you to battle-tested war stories yet.
Pricing is one flat plan: around €15 per developer per month, or €12 billed yearly, after a 14-day trial. There's no permanent free tier, which for a solo hobbyist is a real friction point. AI agents apparently don't count as billable seats, which hints at where the product is heading.
Would I use it?
For a serious project where I'm already paying for infrastructure, the runtime injection alone is tempting enough to justify the fee. For my personal servers, the honest calculus is that a disciplined workflow plus my existing password manager gets me most of the way for free. Enkryptify is a tidy, EU-hosted, appears-well-engineered option — I'd just go in clear-eyed about trusting a young third party with the keys to everything.