Secrets your team can trust.
Secronna is an end-to-end-encrypted secret manager for the Forjio family and teams. Store API keys and connection strings once, organized by project and environment — envelope-encrypted, versioned, and fully audited. Ship them to your apps with secronna run.
Signups are disabled during the private beta.
Values stay hidden. Reveal one at a time — each reveal is audited.
A look at the Secronna dashboard: keys only, values masked.
How it works
From scattered .env files to one source of truth.
Three steps to get secrets out of chat threads and git history and into an encrypted, audited store.
Create a project + environments
Group secrets by project, then split them across environments like development, staging, and production.
Add your secrets
Store key/value pairs — each is envelope-encrypted before it leaves the server. Rotating a value keeps the old versions.
Run with secronna run
Inject the right environment’s secrets into any process at launch. No plaintext .env on disk, no secrets in your repo.
Features
Built for secrets, not notes.
Every capability below runs in the beta today.
Envelope encryption
Each secret is encrypted with a per-secret data key, itself wrapped by a master key. Values are never stored in plaintext.
Versioned secrets
Rotating a value creates a new version and retains the old ones — reveal a specific version when you need it.
Audit trail
Every reveal, rotation, and delete is logged with actor, IP, and timestamp. Read it right in the dashboard.
Projects & environments
Organize secrets by project and isolate them per environment. Keys are listed; values stay hidden until you reveal.
Reveal-on-demand
The dashboard never lists values. You reveal one at a time — and that reveal is recorded.
secronna CLI
secronna run injects a chosen environment into a process; secronna export writes them out when you truly need a file.
Pricing
Pricing lands at general availability.
These tiers are indicative and not final — Secronna is invite-only right now, and nothing is billed during the private beta. IDR pricing; international customers pay in USD via PayPal.
Free
For solo developers and side projects.
- 1 project
- Up to 3 environments
- Versioned secrets
- Full audit log
- secronna CLI
Team
For teams sharing secrets across services.
- Unlimited projects
- Unlimited environments
- Workspace members
- Longer audit retention
- Priority support
Business
For organizations with compliance needs.
- Everything in Team
- Machine tokens (planned)
- SSO via Huudis
- Extended audit export
- SLA
Compare
How Secronna compares.
Against the two things most small teams actually use today: .env files committed or passed around, and a self-hosted secrets server.
| Capability | Secronna | .env files | Self-hosted vault |
|---|---|---|---|
| Encrypted at rest | |||
| Never in git history | |||
| Reveal + rotation audit trail | |||
| Versioned values | |||
| Zero infrastructure to run | |||
| One login across Forjio products |
For developers
CLI-first. No plaintext on disk.
Log in with your Forjio account, then pull the right environment into any process. No .env file to leak, no secrets baked into an image.
- secronna run — inject an environment into a child process
- secronna export — write a dotenv only when you truly need one
- REST API with the Forjio envelope + idempotency keys
- Reveal a specific version with ?version=<n>
# Install once $ npm i -g @forjio/secronna-cli # Log in with your Forjio account $ secronna auth login ✔ Authenticated as you@example.com via Huudis # Run your app with production secrets injected $ secronna run --env production -- npm start ✔ Injected 12 secrets · nothing written to disk
# In CI: export to a scoped dotenv step $ secronna export --env staging > .env ✔ Wrote 9 secrets (staging) # Reveal one specific version $ secronna reveal DATABASE_URL --version 3
One login
Sign in once. Use every Forjio product.
Secronna shares its account system with the rest of the Forjio family through Huudis SSO. The same identity that runs your storefront or payments manages your secrets.
Huudis
identity
Powered by Huudis — the identity provider for the Forjio family.
FAQ
Common questions.
How do I get in during the private beta?
Secronna is invite-only right now and signups are disabled. Request access from the contact page and we’ll reach out.How are secrets encrypted?
With envelope encryption — each secret gets its own data key, wrapped by a master key. Values are never stored or listed in plaintext; you reveal them one at a time.Can I see who accessed a secret?
Yes. Every reveal, rotation, and delete is written to an audit log with the actor, IP, and timestamp, viewable in the dashboard.What happens when I rotate a secret?
Rotating stores a new version and keeps the previous ones. You can reveal a specific version by number when you need it.Do I need a .env file anymore?
No. secronna run injects an environment into your process at launch with nothing written to disk. secronna export can still write a file when a tool genuinely needs one.
Get your secrets under one crown.
Secronna is in private beta. Request an invite and we’ll get you set up.