Core Concepts
Understanding Krypt’s architecture will help you make the most of it.
Engines
An engine is an isolated secrets namespace. Think of it as a vault within the vault.
krypt engine create production --password "prod-master-key"
krypt engine create staging --password "staging-key"

Each engine has:
- Independent encryption — Separate master key
- Isolated secrets — No cross-engine access
- Own policies — Fine-grained access control
Create separate engines for each environment or team to ensure proper isolation.
Note that a master password passed as a command-line argument, as in the examples above, is visible to other local users in process listings and is written to your shell history; for real engines, enter it interactively where the tool offers a prompt, or at least keep it out of your history.
Secrets
Secrets are key-value pairs stored at a path within an engine.
# Store multiple fields at a path
krypt put production api/stripe \
public_key=pk_live_xxx \
secret_key=sk_live_xxx \
webhook_secret=whsec_xxx
# Retrieve all fields
krypt get production api/stripe
# Get a single field
krypt get production api/stripe --field secret_key

Path Structure
Organize secrets hierarchically:
production/
├── database/
│ ├── postgres → host, port, user, password
│ └── redis → url, password
├── api/
│ ├── stripe → keys, webhook secrets
│ └── sendgrid → api_key
└── certificates/
└── tls → cert, key

Tokens
Tokens are time-limited credentials for API access.
# Interactive login (stores token locally)
krypt login production
# Create a scoped token for CI/CD
krypt token create \
--role deployer \
--ttl 1h \
--description "GitHub Actions"

Token properties:
- TTL — Expires automatically
- Revocable — Invalidate instantly
- Role-bound — Inherits permissions from role
Policies & RBAC
Control access with path-based policies. Policy paths are relative to the engine root, so "database/*" in the production engine covers the database/ subtree shown above.
# policies/readonly.hcl
path "database/*" {
capabilities = ["read", "list"]
}
# policies/deployer.hcl
path "api/*" {
capabilities = ["read"]
}
path "database/postgres" {
capabilities = ["read"]
}

Capabilities
| Capability | Description |
|---|---|
| create | Create new secrets |
| read | View secret values |
| update | Modify existing secrets |
| delete | Remove secrets |
| list | List secret paths |
# Apply policy
krypt policy write readonly policies/readonly.hcl
# Create role with policies
krypt role create reader --policies readonly
# Create token with role
krypt token create --role reader
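To make the policy, role and token concepts above concrete, here is an added example (not Krypt's own code) that evaluates access decisions offline using the readonly and deployer policies from this page. It assumes semantics the page does not spell out: a pattern ending in "/*" matches every path below that prefix, any other pattern must match exactly, a token holds the union of capabilities granted by all policies on its role, and anything not explicitly granted, including requests from an expired or revoked token, is denied. The policy texts, role names and timestamps are copied from or constructed for this example.

```python
"""Toy evaluator for Krypt-style path policies.

Added example, not Krypt's own code. Assumptions not stated on the page:
a pattern ending in "/*" matches every path below that prefix, any other
pattern must match exactly, a token holds the union of capabilities from
all policies on its role, and anything not explicitly granted (including
an expired or revoked token) is denied.
"""
import re
from dataclasses import dataclass

CAPABILITIES = {"create", "read", "update", "delete", "list"}

# Policies copied from the page's HCL examples.
READONLY_HCL = '''
path "database/*" {
  capabilities = ["read", "list"]
}
'''
DEPLOYER_HCL = '''
path "api/*" {
  capabilities = ["read"]
}
path "database/postgres" {
  capabilities = ["read"]
}
'''

_RULE = re.compile(r'path\s+"([^"]+)"\s*\{\s*capabilities\s*=\s*\[([^\]]*)\]\s*\}')


@dataclass
class Policy:
    name: str
    rules: dict  # path pattern -> set of capabilities


@dataclass
class Role:
    name: str
    policies: list


@dataclass
class Token:
    role: Role
    expires_at: float  # unix time; "--ttl 1h" would mean now + 3600
    revoked: bool = False


def parse_policy(name: str, text: str) -> Policy:
    """Parse the `path "..." { capabilities = [...] }` blocks shown on the page.
    Rejects unknown capabilities so a typo cannot silently grant nothing."""
    rules = {}
    for pattern, caps_src in _RULE.findall(text):
        caps = {c.strip().strip('"') for c in caps_src.split(",") if c.strip()}
        unknown = caps - CAPABILITIES
        if unknown:
            raise ValueError(f"{name}: unknown capabilities {sorted(unknown)}")
        rules[pattern] = caps
    return Policy(name, rules)


def path_matches(pattern: str, path: str) -> bool:
    """Assumed glob semantics: "database/*" covers everything under database/,
    while "database/postgres" covers only that exact path."""
    if pattern.endswith("/*"):
        prefix = pattern[:-1]  # keep the trailing slash
        return path.startswith(prefix) and path != prefix
    return pattern == path


def capabilities_for(token: Token, path: str, now: float) -> set:
    """Union of capabilities from every matching rule; empty if the token is dead."""
    if token.revoked or now >= token.expires_at:
        return set()
    caps = set()
    for policy in token.role.policies:
        for pattern, granted in policy.rules.items():
            if path_matches(pattern, path):
                caps |= granted
    return caps


def allowed(token: Token, capability: str, path: str, now: float) -> bool:
    return capability in capabilities_for(token, path, now)


def demo() -> dict:
    """Replay the page's roles: reader (readonly policy) and deployer."""
    reader = Role("reader", [parse_policy("readonly", READONLY_HCL)])
    deployer = Role("deployer", [parse_policy("deployer", DEPLOYER_HCL)])
    now = 1_700_000_000.0  # constructed timestamp
    t_reader = Token(reader, expires_at=now + 3600)
    t_deploy = Token(deployer, expires_at=now + 3600)
    results = {
        "reader lists database/postgres": allowed(t_reader, "list", "database/postgres", now),
        "reader updates database/postgres": allowed(t_reader, "update", "database/postgres", now),
        "deployer reads api/stripe": allowed(t_deploy, "read", "api/stripe", now),
        "deployer reads database/redis": allowed(t_deploy, "read", "database/redis", now),
        "deployer lists database/postgres": allowed(t_deploy, "list", "database/postgres", now),
        "deployer after TTL": allowed(t_deploy, "read", "api/stripe", now + 3601),
    }
    t_deploy.revoked = True
    results["deployer after revoke"] = allowed(t_deploy, "read", "api/stripe", now)
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY ':5} {check}")
```

The point to take from the output is how narrow the deployer role is: it can read api/stripe and database/postgres but not database/redis, and it cannot list anything, while the reader role can list and read the whole database/ subtree but never update it. Because the check returns nothing for an expired or revoked token, a CI token created with a short TTL stops working on its own even if nobody revokes it.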