Secrets
Secrets are the core data type in CloudKeep. A secret is any sensitive piece of information — a password, API key, database connection string, SSH key, or free-form note — that you want to store securely. Every secret is encrypted with AES-256-GCM before it leaves your device.
What Are Secrets?
Each secret consists of a template type, a set of encrypted fields (the sensitive data), and optional metadata such as tags, notes, and expiration dates. The encrypted fields are decrypted only when you explicitly view them in the UI or access them through the CLI/API.
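The record shape described above, sketched with the Web Crypto API as an added example (not CloudKeep's own code): each sensitive field is sealed separately with AES-256-GCM and decrypted only on request, while name, template and tags stay in the clear. The record layout, the locally generated key and the use of secret id plus field name as additional authenticated data are assumptions made for illustration.

```javascript
// Added example, not CloudKeep code: the record layout, key handling and the
// "<secret id>/<field name>" AAD convention are assumptions for illustration.
async function webCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto?.subtle ? globalThis.crypto
       : (await import('node:crypto')).webcrypto;
}

async function generateVaultKey() {
  const c = await webCrypto();
  // Non-extractable 256-bit key: usable for encrypt/decrypt but not exportable.
  return c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

const b64 = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)));
const unb64 = (s) => Uint8Array.from(atob(s), (ch) => ch.charCodeAt(0));

// Encrypt each sensitive field separately; metadata stays in the clear for search.
async function sealSecret(key, secret) {
  const c = await webCrypto();
  const fields = {};
  for (const [name, value] of Object.entries(secret.fields)) {
    const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per field
    const aad = new TextEncoder().encode(`${secret.id}/${name}`); // binds ciphertext to its slot
    const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv, additionalData: aad },
                                      key, new TextEncoder().encode(value));
    fields[name] = { iv: b64(iv), ct: b64(ct) };
  }
  return { id: secret.id, template: secret.template, name: secret.name, tags: secret.tags, fields };
}

// Decrypt one field on demand; throws if the ciphertext, nonce or slot was altered.
async function openField(key, sealed, name) {
  const c = await webCrypto();
  const { iv, ct } = sealed.fields[name];
  const aad = new TextEncoder().encode(`${sealed.id}/${name}`);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: unb64(iv), additionalData: aad },
                                    key, unb64(ct));
  return new TextDecoder().decode(pt);
}

// Constructed sample secret using three of the Database template's fields.
const sample = {
  id: 'sec-0001', template: 'Database', name: 'orders-db', tags: ['database', 'production'],
  fields: { Host: 'db.example.internal', Username: 'app', Password: 'constructed-sample-only' },
};
```

Because the field slot is authenticated, moving one field's ciphertext into another field makes `openField` reject it instead of returning the wrong value.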
Secret Templates
Templates define the fields a secret contains. CloudKeep ships with the following built-in templates:
| Template | Fields | Use Case |
|---|---|---|
| Password | Username, Password, URL, Notes | Website and application logins |
| API Key | Key Name, Key Value, Service URL | Service tokens, bearer tokens, API credentials |
| Database | Host, Port, Database, Username, Password, Connection String | PostgreSQL, MySQL, MongoDB, Redis connections |
| SSH Key | Public Key, Private Key, Passphrase, Host | Server access, Git authentication |
| Secure Note | Title, Content | Free-form encrypted text for any purpose |
| Environment Variable | Key, Value, Environment | Application configuration variables |
Creating a Secret
- Open the vault where you want to store the secret.
- Click Add Secret.
- Choose a template (or start with a blank secret).
- Fill in the required fields. Sensitive fields are masked by default.
- Optionally add tags, a favourite marker, or an expiration date.
- Click Save. The data is encrypted in your browser before transmission.
CloudKeep also includes a password generator that can produce random passwords, passphrases, or PINs with configurable length and character sets.
Editing a Secret
Click on any secret to open its detail view, then click Edit. After making changes, click Save. The previous version is retained in the version history so you can always roll back.
Deleting a Secret
Deleted secrets are moved to a Trash folder where they remain for 30 days. During that period you can restore them. After 30 days, or if you empty the trash manually, the encrypted data is permanently removed from our servers.
Version History
Every time you edit a secret, CloudKeep saves a snapshot of the previous version. You can view the full history from the secret detail view under the History tab. Each version shows:
- When the change was made
- Who made the change (in shared vaults)
- A diff of what fields changed
You can restore any previous version with one click. Restoring creates a new version rather than overwriting history.
Tags and Favourites
Tags let you categorise secrets across vaults. For example, you might tag all database credentials with database and all production secrets with production. Tags are searchable from the global search bar.
Mark frequently used secrets as Favourites to pin them to the top of your vault view for quick access.
Expiration and Rotation Reminders
Secrets can have an optional expiration date. When a secret nears its expiration, CloudKeep sends you a notification (in-app and optionally via email or webhook) so you can rotate the credential before it becomes invalid.
You can also set a rotation reminder interval (e.g., every 90 days) even if the secret does not technically expire. This is useful for enforcing credential rotation policies on your team.
Searching and Filtering
Use the global search bar (Ctrl+K or Cmd+K) to search across all vaults you have access to. You can filter results by:
- Vault — restrict results to a specific vault
- Template — e.g., only show API keys
- Tags — e.g., tag:production
- Favourites — show only starred secrets
- Expiring — show secrets expiring within N days
Search matches against secret names, tags, and unencrypted metadata. The encrypted field values are never included in search indexes.