Skip to content
qibdo qibdo
Theme
Book a demo

Overview

Generate dynamic secrets, manage PKI certificates, and encrypt application data. Vault consolidates secrets storage, encryption, private PKI, and short-lived credentials for databases, cloud, SSH, and Kubernetes into a single console, with every operation recorded, fully auditable and consistent wherever your infrastructure runs.

Vault keeps the sensitive bytes in qibdo’s own vault engine; the control plane stores only metadata, so secret payloads, key material, and private keys never leave the engine. Every resource belongs to a workspace, every change returns an operation that completes in the same call, and every operation is recorded for audit.

  • Secrets: named, versioned containers of opaque secret bytes. Each version is immutable, so you can keep history and roll back to an earlier value.
  • Encryption keys: named, versioned cryptographic keys you use without ever handling the key material. The service encrypts, decrypts, re-encrypts, signs, verifies, and generates data-encryption keys and random bytes on your behalf, with the key staying inside the engine.
  • Private PKI: a certificate authority you run yourself. Define the certificate profiles you allow, then issue and revoke certificates against them and publish a revocation list.
  • Dynamic credentials: short-lived credentials minted on demand for databases, cloud providers (AWS, GCP, and Azure), SSH, and Kubernetes, from per-source templates and workload identities. Each is tracked by a lease with a time-to-live and a maximum lifetime, so credentials expire on their own.
  • Access policies: workspace-scoped policies layered on top of IAM that grant permissions on a pattern of resources, optionally narrowed by source IP or a time window.
  • Operations and audit: every change returns an operation record that comes back already completed. Vault keeps an audit trail you can ship to a security pipeline, and never records a secret in the clear: any payload is reduced to a one-way hash.