NEWNow open source & self-hostable. Star us on GitHub →

Threat Model

What Keyway protects against, what it doesn't, and the assumptions behind our design.

Last updated: July 2026

The assets in scope are your environment variables and the credentials used to access them. No security tool protects against everything. Here's where we stand.

1. Assumptions

  • Your GitHub account is the root of trust. Keyway uses GitHub OAuth and repo permissions to decide who can access secrets.
  • Your developer machine is reasonably trusted. Keyway keeps secrets off disk, but it can't protect secrets from a fully compromised machine.
  • TLS works. All traffic between the CLI, the API, and the crypto service is encrypted in transit.

2. What Keyway Protects Against

ThreatMitigation
AI coding agents reading secrets from diskSecrets are never written to disk. They're injected into process memory at runtime and gone when the process exits.
.env files leaked via git, backups, Docker layers, or crash dumpsNo .env file exists. Nothing to leak from the filesystem.
Database breach at KeywaySecrets are encrypted with AES-256-GCM, unique IV per secret. The encryption key lives in a separate, isolated crypto service, not in the API or its database. A dump of the database is ciphertext.
Compromise of the API serviceThe encryption key lives only in the isolated crypto service. The API never touches it. It does see decrypted values briefly, in memory, to hand them to your CLI, so a database or API breach gets you ciphertext, not the key that unlocks it.
Secrets shared over Slack, email, or chatNobody needs to send a .env file. Teammates pull secrets through the CLI, authenticated with their own GitHub account.
Password leaks and credential stuffingKeyway stores no passwords. Authentication is GitHub OAuth only.
Ex-teammates keeping accessGitHub repo permissions are checked on every secret fetch, live, not cached. Remove someone from the repo and their access stops immediately. The exposure dashboard shows which secrets they had accessed, so you know exactly what to rotate.
Long-term key compromiseEncryption keys can be rotated without downtime. New secrets are encrypted with the newest key version. Older secrets stay under the key version they were written with. We don't re-encrypt them automatically today.

3. What Keyway Does NOT Protect Against

We'd rather tell you this ourselves.

  • A compromised developer machine. Secrets live in process memory while your app runs. Malware with the right privileges, or anything that can read /proc/self/environ on Linux, can see them. Keyway closes the filesystem attack vector, not the memory one.
  • Your own code and dependencies. Once secrets are injected, your application and everything it imports can read them. A malicious npm package at runtime sees what your app sees.
  • AI agents with shell access and secrets in context. If you run an agent inside keyway run, the secrets are in that process's environment. Prompt injection can then exfiltrate them. Run agents outside your secret-injected processes.
  • GitHub account takeover. GitHub is our root of trust. If your GitHub account is compromised, so are your secrets. Enable 2FA on GitHub.
  • A full compromise of Keyway's infrastructure. If an attacker controls both the API and the crypto service at the same time, encryption doesn't save you. We reduce this risk through service isolation and minimal dependencies, but we won't pretend it's zero.
  • Us. Using Keyway Cloud means trusting the operator, same as with Doppler or Infisical Cloud. We limit what we can see by design, but if that trust doesn't work for you, Keyway is open source: self-host it and the trust question goes away.
One more honest note: the "AI-proof" on our homepage means AI agents can't read your secrets from disk. It doesn't mean secrets are invisible to every possible AI in every configuration. The two bullets above about agents and memory are the fine print, stated plainly.

4. Out of Scope

  • Dynamic secrets, PKI, and database credential rotation. If you need those, you want Vault or OpenBao, and that's fine.
  • Air-gapped environments. Keyway needs network access to fetch secrets (with keyway pull as an offline cache option).

5. Reporting a Vulnerability

Found something we missed? See our security page for our disclosure policy, or email security@keyway.sh.