SecretOps
for developers

Open source, end-to-end encrypted platform for managing application secrets and environment variables.

phase cli

Import. Encrypt. Inject.

Import & encrypt secrets from existing .env files. Securely inject secrets into any platform or framework at runtime. No dependencies or code changes required. Explore Docs

pip install phase-cli
Plug and play integration
Inject secrets scoped only to your app as environment variables during runtime. Use process.env / os.environ.get to read them — no dependencies or code changes required.
Simplify development
Effortlessly maintain separation between dev, staging, prod environments and quickly switch in between them. Avoid using production secrets in development.
Always in sync
Import secrets from .env files and securely sync them with your team. Eliminate ad-hoc secret coordination with other teams over Slack.
Secure by default
The Phase CLI uses end-to-end encryption with private-key sharding via secret sharing schemes to avoid a single point of compromise.
Keyring integration
Phase CLI uses keyring backends such as macOS Keychain, Windows Credential Locker, KDE Wallet, GNOME Keyring and more to safely handle secret zero.
Works where you work
The Phase CLI works on your laptop, CI, Docker containers, Virtual Machines and Kubernetes clusters.
phase console

Mission Control for your app secrets

Create, manage and deploy secrets effortlessly. Manage your team & environments with granular RBAC. Keep track of changes to secrets and permissions with detailed audit logs.

Phase Console
Role-based Access Control
Separate keys for each user and environment. Manage environment permissions with granular RBAC tools.
Audit logs
Keep track of changes to secrets, user roles, permissions and access events with detailed logs.
Secret versioning
All secret changes are automatically versioned. Easily view changes with git styled diffs and roll-back changes with one click.
Point-in-time recovery
Restore entire environments to a previous version if something goes wrong. The Phase Console gives you a get-out-of-jail-free card.
Service tokens
Specifically scope and create tokens for local development, CI builds or production environments.
Secret referencing
Create references to other secrets and inherit values across environments.
integrations
Works with your entire stack
Phase works with all languages, frameworks and cloud providers.
Platform integrations
Phase works with all major cloud providers, build tools and CI pipelines. Keep your application secrets secure, whether you are running your own infrastructure or using third party tools.

Framework integrations
Phase works with all your favorite app frameworks. Securely inject secrets into your application runtime and ditch .env files, no matter your choice of lanugage or framework.

Roadmap

We build with our users, in the open. Tell us what you'd like to see in Phase.

Planned
Features that are planned
Custom environments
SOC 2 Type II Compliance
Source-based IP allowlists
Sync secrets - GitHub actions
Sync secrets - Cloudflare workers
Sync secrets - Vercel
Dynamic secrets - Cloud services
Dynamic secrets - Databases
AzureAD integration
Fine grained RBAC
Custom roles
SAML SSO
Environment branches
In development
Features that are currently under development
Clone environments
Point-in-time recovery
Sync secrets - AWS secrets manager
Sync secrets - GCP secret manager
Live
Features currently in production
End-to-end encryption
Secret versioning
Google, GitHub, Gitlab SSO
Multiple environments
Multiple teammates
Email alerts
Local and cross-environment secret referencing
Cryptographic RBAC controls
Self-hosting and on-prem deployment support
Personal access tokens
Service tokens
Secret audit logs
CLI
Personal secrets
Kubernetes operator integration

phaseCLOUD

The fastest and easiest way to get started with Phase. Spin up an app in minutes. Hosted in Frankfurt 🇩🇪

phaseSELF-HOSTED

Run Phase on your own infrastructure and maintain full control. Perfect for customers with strict compliance requirements.