Keys Api
The Vault at the Heart of Your Platform
Features
  • Secrets Vault: Store encryption keys, connection strings, API credentials, passwords, and any sensitive value that must not live in an application database.
  • Always-On Encryption: Every stored value is encrypted with a multi-layer scheme combining HMAC-SHA512 integrity verification, AES-CBC encryption, and AES-GCM encryption. Plaintext is never written to the database.
  • Protected Communication: All requests and responses use Arch's Protected<T> encrypted envelope framework. Plaintext never leaves the service layer.
  • Hierarchical Organization: Secrets are organized by application, category, and name, providing clear structure and multi-tenant isolation. Each application accesses only its own vault.
  • In-Memory Caching: Frequently accessed secrets are cached for fifteen minutes, delivering fast retrieval under high inter-service traffic without repeated database lookups.
  • Full Lifecycle Operations: Create, Update, Delete, and Get operations cover the complete lifecycle of any secret your application depends on.
  • Authorization-Enforced Access: Every request to the Keys Api is validated by the Application Api. A service must be registered and authorized before it can access any secrets.
How It Compares
Keys Api Against Cloud and Self-Hosted Secrets Management
A Different Category of Service
Cloud secrets management services focus on storage and access control within their own ecosystem. The Keys Api adds structural application isolation, application-layer envelope encryption, and a native .NET client — in a self-hosted service that keeps your secrets in your own infrastructure, where no external party can be compelled to produce them.
Feature
Keys Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Encrypted storage at rest
Per-record encryption key
Varies¹
Application-layer envelope encryption
Structural application isolation
Policy-based
Policy-based
In-memory caching
Client SDK
Client SDK
Official .NET client package
✓ (Native .NET)
Self-hosted
Unified platform management
CLOUD Act exempt
✓²
Air-gappable
No third-party data custody
¹ US cloud providers use different key management approaches: AWS Secrets Manager uses unique DEKs per write; Azure Key Vault uses per-vault keys; GCP Secret Manager supports per-secret CMEK.
² EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.
Tech Sovereignty
Arch
Company
About Contact