Tech and Non Tech Teams

One platform for the whole organisation

All teams in an organisation have to manage and share credentials. Founders, marketing, sales support, engineering, management all have to access some set of accounts. Our safes make it easy to manage different accounts and share only to teams and their members that require access.
Teams can move faster and onboard new team members without having to go through a hunt for credentials. Everyone can focus on their goals rather than juggle credentials and worry about security.

Developers and Devops

Painless Credential Management

Access IT resources like servers, databases and api endpoints from your software and terminal securely and without having to worry about how to distribute, update and save your credentials.
Developers can manage their ssh keys.
Use environment variables to run scripts and switch accounts
Inject environment variables into apps

Our clients and user reviews:

Credentials in your terminal

Easy to use command line tool

With our pk command line tool you have your credentials, logins, secrets accessible from any terminal. Our secure environment injection makes the credentials you choose, available to your shell session or any software you choose to run

# download some secrets
pk -s tool get secret -n etl-db -n etl-pass

# filter with jq
pk -s tool get secret -n etl-db --jq ".[0].val"

# access your db
pk -s data db -n analytics

# access your ssh key
pk -s prod ssh-add -n ec2-default
ssh ec2-user@worker-node1
ssh-add -D


Rest API

Our Swagger Rest API allows you to generate your own APIs for your favourite language and integrate your own tools.

Secure Team Sharing

Share and distribute credentials between teams securly. Manage access to each resource with our fine grained Safe sharing access. This makes on boarding and off boarding users quick and painless.

Save costs while being more secure with our SaaS solution

Opensource is fine but you still have to pay hosting and engineering time to manage it

To host your own solution can cost more than using a pre-built and managed SaaS solution. A typical production DIY solution would need:
  • a single ec2 t2.xlarge
  • a master slave RDS 2 x db.t2.large instances
The cost of which on AWS exceeds $500 p/m. Our SaaS offering at $100 p/m save your organisation five times the cost of a typical DIY hosting, not to count the engineering time that you get back from having to manage your own solution:
  • making updates for security
  • backing up databases
  • maintaining an always online system
Your organisation can move faster and concentrate on your the business goals.

Frequently Asked Questions

We provide a free plan. Click here to signup and in plans, select the "Free" plan.
We provide support for everyone, paid or free via our Support Tickets.
If you would like help with onboarding your teams or just discuss how you can integrate pkhub into your app development lifecycle Email Us.
Cloud independent
With pkhub you can access your app secrets from any cloud, GCE, AWS, Digital Ocean...
Works with and for the developer
Our pk cli tool is easy to use and fits right into the developer's workflow. This allows your devs to run their applications with the pk cli and they have the credentials they require automatically injected.
PKHub is a secret manager. Secrets managers are different because they store sensitive data like server keys, database passwords and API keys. Password managers store online login information. You can also store your login information with pkhub, and having all of your service logins and app secrets can be very convenient. Our logins and secure notes are all designed so that developers and teams can access them from the Web, CLI or Rest, and they are always in sync. Most password managers sell a team sharing option, but they make you go through difficult sharing processes and passwords shared need to be re-shared to be kept in sync. In PKHub we share the group (safe) encryption key in a way that user's do not have the key themselves, but the key can only be decrypted with the user's correct password. This keeps the encrypted information secure and always in sync.
We only use Http2 and our encryption is true end to end, i.e we do not even terminate at the load balancer. End to end encryption ensures you that your data cannot be decrypted between you and our API application instances.
We encrypt all secret data with NIST compliant AES+CBC+HMAC512. We do this even though its slower than AES+GCM because we believe its more secure than AES+GCM for data at rest, due to GCMs possible risks with IV uniqueness. Our servers run on standard boring Java virtual machines with the latest standard SunJCE providers. We like to keep it boring, standard and secure. All our messages are encrypted and authenticated using: cipher = encrypt(unique secure random IV, message)
We use argon2id to hash and store all passwords. We do not store the hash, before storage its encrypted. This makes offline attacks infeasible, because a would be attacker would need to also know how to decrypt each hash before they could attack the hash itself.
You cannot.
We do not store any information about your master password that would enable us to reset it. In the case of AWS for example, you can reset your password, which would mean that a would be attacker could use that same mechanism to get hold of a user's account and to their app secrets. To avoid this scenario and provide a more secure service we cannot store anything that would reset your password.
Yes you can.
Add your database type, host, port and access credentials to the "DB" section in your "pkhub" safe. The use the pk db command to open a cli.
You can even use your favourite db cli e.g:
pk db -s -n pk -i -p -x pgcli
Yes you can.
See our use case tutorial for Manage Remote SSH/Rsync/Scp Keys
Our software is available for on-premise installation and management, and newer versions are made available as docker images so that you can easily pull in upgrades as needed.

To get started contact us.

If you would like a more traditional, contract monthly invoice setup, we can do that for you.

To get started contact us.