Unleash the Power of Rot

Secure Secrets Management for the Modern Sysadmin

Bulletproof Encryption

Generate keys and values using the latest and greatest encryption standards. Sleep soundly knowing your secrets are safe.

Version Control for Secrets

Track changes and revert to previous versions with ease. No more scrambling to remember what went wrong.

Unbreakable Sharing

Securely share secrets among your team. No single point of failure, just peace of mind.

Future-Proof Encryption

Rekey your encrypted values to the latest standards with minimal effort. Your secrets stay safe, even as technology evolves.

Effortless Collaboration

Share secrets securely within your team and control access with granular permissions.

# Initialize rot.jsonnet and a key for Alice
$ rot init mykeyring alice
New Password (empty string skips PBKDF):
Confirm Password (empty string skips PBKDF):

# Add Bob's public key
$ rot key-add-pub bob ed25519public:MCowBQYDK2VwAyEAAYkJzjQGb+4I7bfcaq6TnkI6nWJXolUdYSQDKSZIDZU=:bob

# Grant Bob access to our Keyring
$ rot key-add-prv bob mykeyring

Keep It Safe, and Versioned

Values are added with zero knowledge of the encryption key and are versioned by timestamp.

# Add a Value
$ rot val-add mykeyring/prd/database/secret database=backend1

# Replace it
$ rot val-add mykeyring/prd/database/secret database=backend2

# List the Values
$ rot val-lst mykeyring
  "mykeyring/prd/database/secret": [

# View it--need access to decrypt!
$ rot val-dis mykeyring/prd/database/secret
Password for alice:
  "meta": {
    "database": "backend2"
  "modified": "2024-04-26T12:32:44Z",
  "value": "hunter2"

Convert Everything

Manage all kinds of cryptographic keys: PEM, SSH, X.509, JWT, and more.

# Generate a public/private keypair
$ rot key-new
  "privateKey": "ed25519private:MC4CAQAwBQYDK2VwBCIEIHZm1QM2sOFMWwJpmSptFkb2KsndJzebZZ8V8ogaMB9z:q5cnabsnVa",
  "publicKey": "ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa"

# Convert it to PEM
$ rot pem ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa

-----END PUBLIC KEY-----

# Convert it to SSH
$ rot ssh-dis ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGHrOcBFyB4tamkDQjUSm6nIIt6kNO0AG0sdnuy4DoVa
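
The SSH conversion above can be reproduced independently, which is a useful check before trusting a converted key. This is an added example, not rot's own code: it assumes the `type:base64:id` layout inferred from the sample strings on this page, treats the base64 field as a standard Ed25519 SubjectPublicKeyInfo, and uses hypothetical function names.

```python
import base64
import struct

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410): SEQUENCE,
# AlgorithmIdentifier with OID 1.3.101.112, then the BIT STRING header
# (tag, length 33, zero unused bits). The 32-byte raw key follows.
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def parse_rot_public_key(text):
    """Split 'ed25519public:<base64 DER>:<key id>' (layout assumed from the
    page's samples) and return (raw 32-byte key, key id)."""
    parts = text.strip().split(":")
    if len(parts) != 3 or parts[0] != "ed25519public":
        raise ValueError("expected ed25519public:<base64>:<id>")
    der = base64.b64decode(parts[1], validate=True)
    # Fail closed on anything that is not exactly an Ed25519 SPKI.
    if len(der) != 44 or not der.startswith(ED25519_SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return der[len(ED25519_SPKI_PREFIX):], parts[2]


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def to_openssh(text):
    """Build the 'ssh-ed25519 <base64 blob>' line for a rot public key."""
    raw, _key_id = parse_rot_public_key(text)
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw)
    return "ssh-ed25519 " + base64.b64encode(blob).decode("ascii")


# Public key string copied from the page's `rot key-new` output.
PAGE_KEY = ("ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e"
            "7LgOhVo=:q5cnabsnVa")

if __name__ == "__main__":
    print(to_openssh(PAGE_KEY))
```

The parser rejects the `ed25519private:` form outright, so a private key pasted by mistake never reaches the SSH encoder.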

# Generate an X.509 CA
$ rot x509-new -c -n "My CA" ed25519private:MC4CAQAwBQYDK2VwBCIEIHZm1QM2sOFMWwJpmSptFkb2KsndJzebZZ8V8ogaMB9z:q5cnabsnVa ed25519public:MCowBQYDK2VwAyEAYes5wEXIHi1qaQNCNRKbqcgi3qQ07QAbSx2e7LgOhVo=:q5cnabsnVa | rot x509-dis -
  "CommonName": "My CA",
  "IsCA": true,