How It Compares
Keys Api Against Cloud and Self-Hosted Secrets Management
A Different Category of Service
Cloud secrets management services focus on storage and access control within their own ecosystem.
The Keys Api adds structural application isolation, application-layer envelope encryption, and a native .NET client — in a self-hosted service that keeps your secrets in your own infrastructure, where no external party can be compelled to produce them.
Feature
Keys Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Encrypted storage at rest
✓
✓
✓
—
Per-record encryption key
✓
Varies¹
—
—
Application-layer envelope encryption
✓
—
—
—
Structural application isolation
✓
Policy-based
Policy-based
—
In-memory caching
✓
Client SDK
Client SDK
✓
Official .NET client package
✓
✓
—
✓ (Native .NET)
Self-hosted
✓
—
—
✓
Unified platform management
✓
—
—
—
CLOUD Act exempt
✓
—
✓²
✓
Air-gappable
✓
—
—
✓
No third-party data custody
✓
—
—
✓
¹ US cloud providers use different key management approaches: AWS Secrets Manager uses unique DEKs per write; Azure Key Vault uses per-vault keys; GCP Secret Manager supports per-secret CMEK.
² EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.