Open-source secrets manager built entirely on Cloudflare.
One Worker. One D1 database. One master key. Zero trust storage. CLI-based.
Keyflare is a free, self-hosted secrets manager (like Doppler or Infisical) that runs entirely on Cloudflare's infrastructure: a single Worker + a single D1 database. All secrets are encrypted at rest with AES-256-GCM. You can use Cloudflare's free plan without any issues.
- Completely free with no limits: You can host your secrets manager on Cloudflare with practically no limits. Infinite projects, environments and secrets.
- CLI-first: Everything managed via the `kfl` command-line tool.
- Single deployment: One Cloudflare Worker + one D1 database. No VMs, no containers, no infra to manage.
- Scoped API keys: User keys for management, system keys scoped to specific projects/environments.
- Projects & environments: Organize secrets by project (`my-api`) and environment (`production`, `staging`, `development`).
- Runtime injection: `kfl run -- npm start` injects secrets as env vars without writing to disk.
- Multi-format export: Download as `.env`, JSON, YAML, or shell exports.
- Encrypted at rest: All secret keys and values are AES-256-GCM encrypted. Even with full DB access, data is unreadable.
Read the full documentation at keyflare.mintlify.app
```bash
# Install the CLI
npm install -g @keyflare/cli

# Deploy Keyflare to your Cloudflare account
kfl init

# Create a project and environment
kfl projects create my-api
kfl env create production --project my-api

# Upload secrets from a .env file
kfl secrets upload .env.production --project my-api --env production

# Inject secrets into a command
kfl run --project my-api --env production -- npm run build

# Download secrets as .env file
kfl secrets download --project my-api --env production --output .env
```
```
keyflare/
├── packages/
│   ├── server/   # Cloudflare Worker API
│   ├── cli/      # kfl command-line tool
│   └── shared/   # Shared types & utilities
└── docs/         # Documentation & diagrams
```

```
CLI (kfl) ──HTTPS──▶ Cloudflare Worker ──▶ D1 (encrypted)
                            │
                        MASTER_KEY
                      (Worker Secret)
```
- Secrets are encrypted with AES-256-GCM using a master key
- API keys are hashed with SHA-256 (128-bit entropy, brute-force infeasible)
- Lookups use HMAC-SHA256 (keyed hash: no plaintext in DB, not even key names)
- Master key stored as a Cloudflare Worker Secret (never in code, never in DB)
| What | How |
|---|---|
| Secret values in DB | AES-256-GCM encrypted (per-row random IV) |
| Secret key names in DB | AES-256-GCM encrypted |
| Project/env names in DB | AES-256-GCM encrypted + HMAC-SHA256 hash for lookups |
| API keys in DB | SHA-256 hashed (128-bit entropy keys) |
| Master encryption key | Cloudflare Worker Secret (never in code/DB) |
| Key derivation | HKDF-SHA256 (separate keys for encryption vs HMAC) |
| Transport | TLS 1.3 (Cloudflare edge) |
Single point of failure: The master key. If lost, all data is unrecoverable. Back it up securely. The master key is shown once during `kfl init`.
We welcome all contributions: bug fixes, features, docs improvements, and ideas!
- Fork the repo and create a branch
- Make your changes (see the development guide)
- Run `pnpm run typecheck` and `pnpm test` to make sure everything passes
- Open a pull request, and we'll review it promptly
MIT

