autosec-network/eaas

Encryption as a Service

Inspired by HashiCorp Vault's Transit secrets engine (pre license change - AUG 10 2023), powered by Bitwarden Secrets Manager, node:crypto, and Web Crypto, and running completely on Cloudflare Workers.

Keep your own storage system and pass data through only for encryption/decryption, while staying up to date and compliant. No data is ever stored; it lives only long enough to complete the operation. Per-request additional wrapping to counter MITM/TLS inspection is also available.

Versioning

Note

Currently under development, see progress under the Projects tab.

Breaking API changes will use a new API version, with a deprecation schedule for the respective previous version.

Version | Status | Support
v0 | ALPHA | From 2024-12-14 to ?

  • ALPHA: Expect breaking changes at any time
  • BETA: Should no longer have breaking changes, but not fully stable yet.
  • GA: Maintenance (bug/security fixes) changes only.
  • DEPRECATED: Still maintenance only, but endpoints will be shutdown soon. Migrate to new endpoint by the corresponding date above.
  • RETIRED: Shut down.

Plans

Legend

  • Generative operations
    • encryption
    • signing
    • hmac
    • randomness
  • Retrieval operations
    • decryption
    • rewraps*
    • verify
    • hash

* Counted as a generative operation for key usage reasons (key auto-rotate, in-use datakeys, etc.) but as a retrieval operation for billing purposes (always free).

Pricing

Checkmarks below mean it's live and/or enforced.

  • Free (community supported) managed version
    • 10GB logging (operation metadata only)
    • Bitwarden BYO key vault
    • Unlimited seats and machine api keys
    • TBA keyrings
    • TBA monthly total operations. Upon hitting the limit, only retrieval operations will go through.
    • Automated key rotation (time & usage based) with webhook notifications
    • Manual key rotation
    • Up to the last TBA (in-use: has been used for a generation op at least once) datakeys are stored per keyring.
    • PQC key generation - current NIST forerunner(s)
    • PQC encryption - current NIST forerunner(s)
  • ($TBA/month) Paid (TBA support) managed version (paid version fully on indefinite hold)
    • Everything in free
    • TBA logging (operation metadata only)
    • Unlimited free external log push
    • Other vendors BYO key vault
    • Unlimited free keyrings
    • ($TBA/million ops) monthly generative operations
      • Base price already includes TBA monthly generative operations
    • Unlimited free retrieval operations
    • Key rotations now include webhook customization and email notifications
    • ($TBA/TBA in-use datakeys) per keyring
      • Base price already includes TBA datakeys per keyring

We forever pledge that retrieval operations will always be free and accessible. We never want to be in a situation where we're keeping your data hostage.

Full terminology

Sponsors

Cloudflare ChainFuse
