A free, encrypted vault for keys, tokens & secrets
KeysArk is a free secrets vault for the credentials that should never sit in plaintext: API keys, access tokens, database URLs, private keys. Each item is sealed with AES-256-GCM in your browser before it ever leaves your device.
Unlike a hosted secrets manager, KeysArk never holds your encryption key. The key is derived from a BIP39 recovery phrase you control, so even if the storage backend were compromised, the contents stay unreadable.
What you can keep in it
- API keys and access tokens for the services you build on.
- Database connection strings and other deployment secrets.
- Private keys, recovery phrases, and license keys.
- Any sensitive note you want encrypted and synced to your own cloud.
FAQ
Is the secrets manager free?
Yes — KeysArk is free and open source. Your encrypted secrets are stored in your own Google Drive or Baidu netdisk.
How are my secrets encrypted?
Each item is encrypted in your browser with AES-256-GCM, using a key derived from your BIP39 phrase. The server only stores opaque ciphertext.
Can I use it from the command line / CI?
Yes. The ark CLI reads and writes your vault from the terminal, with the mnemonic supplied via an environment variable for scripts and CI.
What happens if I lose my recovery phrase?
True end-to-end encryption means nobody — including us — can recover it for you. The phrase is the only key, so back it up carefully.
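
The flow described under "How are my secrets encrypted?", as an added example that is not KeysArk's own code. The seed step follows the BIP39 standard; the HKDF step, the `example-vault-v1` label, the item-name binding and all function names are assumptions, since the page does not state how KeysArk derives its key.

```javascript
// Added example, not KeysArk source. HKDF step, info label and item-name AAD are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback for Node < 19
const enc = new TextEncoder();

// Public BIP39 test-vector phrase, used here only as constructed sample input.
const SAMPLE_MNEMONIC =
  "abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about";

// BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt "mnemonic" + passphrase, 64 bytes.
async function bip39Seed(mnemonic, passphrase = "") {
  const material = await wc.subtle.importKey(
    "raw", enc.encode(mnemonic.normalize("NFKD")), "PBKDF2", false, ["deriveBits"]);
  const salt = enc.encode(("mnemonic" + passphrase).normalize("NFKD"));
  return wc.subtle.deriveBits(
    { name: "PBKDF2", hash: "SHA-512", salt, iterations: 2048 }, material, 512);
}

// Assumed step: HKDF-SHA256 turns the seed into a non-extractable AES-256-GCM key.
async function deriveVaultKey(mnemonic) {
  const seed = await wc.subtle.importKey(
    "raw", await bip39Seed(mnemonic), "HKDF", false, ["deriveKey"]);
  return wc.subtle.deriveKey(
    { name: "HKDF", hash: "SHA-256", salt: new Uint8Array(32),
      info: enc.encode("example-vault-v1") },
    seed, { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
}

// Seal one item: fresh 96-bit IV per encryption, item name bound as additional data.
async function sealItem(key, name, plaintext) {
  const iv = wc.getRandomValues(new Uint8Array(12));
  const ct = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: enc.encode(name) }, key, enc.encode(plaintext));
  const blob = new Uint8Array(12 + ct.byteLength); // iv || ciphertext || 16-byte tag
  blob.set(iv);
  blob.set(new Uint8Array(ct), 12);
  return blob; // the opaque bytes a storage backend would hold
}

// Open one item; rejects if the key, the name, or any byte of the blob is wrong.
async function openItem(key, name, blob) {
  const pt = await wc.subtle.decrypt(
    { name: "AES-GCM", iv: blob.slice(0, 12), additionalData: enc.encode(name) },
    key, blob.slice(12));
  return new TextDecoder().decode(pt);
}
```

Because GCM is authenticated, a blob modified in storage or opened under a different phrase or item name fails to decrypt instead of returning altered plaintext.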