VaultTerm

security --model --verbose

Security you can account for.

A security product should be honest about its model. Here is exactly how VaultTerm protects your secrets and sessions — and what it does and does not claim.

broker --explain

How the broker handles your access

Decrypt in memory for an authorized session, enforce policy and JIT, broker it to the host, and record every step.

[Diagram: You and your team request access → VaultTerm broker (decrypt in memory › enforce policy + roles › just-in-time access › no plaintext at rest) → Hosts and secrets (SSH · DBs · APIs). Tamper-evident audit: every access recorded.]

Envelope encryption, no plaintext at rest

Every secret is encrypted with a per-record data key, which is itself wrapped by a key-encryption key. Keys are rotated and never stored beside the data they protect.
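To make the per-record data-key scheme concrete, here is an added Go example of envelope encryption with AES-256-GCM. It is written for this page and is not VaultTerm's code: a key-encryption key held only in memory wraps a fresh data key for each record, the record id is bound in as associated data so a blob cannot be moved between records, and rotating the KEK rewraps the data key without touching the ciphertext. The KEK is a random in-memory value standing in for the master key; the record id, type names and function names are illustrative.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK is the key-encryption key, held only in memory. It stands in for the
// master key; how that master is unsealed at boot is outside this example.
type KEK struct{ key []byte }

// SealedRecord is all that reaches storage: the DEK wrapped under the KEK and
// the secret encrypted under the DEK. Plaintext and bare DEK are never written.
type SealedRecord struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, secret)
}

// NewKEK returns a fresh random 256-bit key-encryption key.
func NewKEK() (*KEK, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil { return nil, err }
	return &KEK{key: k}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// gcmSeal returns nonce||ciphertext. The record id goes in as AAD so a blob
// cannot be swapped into a different record undetected.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to blob or AAD fails authentication.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil { return nil, err }
	n := gcm.NonceSize()
	if len(blob) < n { return nil, errors.New("blob too short") }
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// SealSecret: fresh per-record DEK, encrypt the secret under it, wrap the DEK
// under the KEK, wipe the DEK. Only the wrapped DEK and ciphertext come back.
func (k *KEK) SealSecret(id string, secret []byte) (*SealedRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	defer zero(dek)
	ct, err := gcmSeal(dek, secret, []byte(id))
	if err != nil { return nil, err }
	wrapped, err := gcmSeal(k.key, dek, []byte(id))
	if err != nil { return nil, err }
	return &SealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// OpenSecret unwraps the DEK and decrypts in memory for one authorized use;
// the DEK is wiped on return and the caller discards the plaintext after use.
func (k *KEK) OpenSecret(id string, rec *SealedRecord) ([]byte, error) {
	dek, err := gcmOpen(k.key, rec.WrappedDEK, []byte(id))
	if err != nil { return nil, fmt.Errorf("unwrap DEK: %w", err) }
	defer zero(dek)
	return gcmOpen(dek, rec.Ciphertext, []byte(id))
}

// Rewrap rotates the KEK for one record without touching the ciphertext,
// which is why KEK rotation is cheap under envelope encryption.
func (k *KEK) Rewrap(id string, rec *SealedRecord, to *KEK) (*SealedRecord, error) {
	dek, err := gcmOpen(k.key, rec.WrappedDEK, []byte(id))
	if err != nil { return nil, err }
	defer zero(dek)
	wrapped, err := gcmSeal(to.key, dek, []byte(id))
	if err != nil { return nil, err }
	return &SealedRecord{WrappedDEK: wrapped, Ciphertext: rec.Ciphertext}, nil
}

// zero overwrites key material before it goes out of scope.
func zero(b []byte) { for i := range b { b[i] = 0 } }

func main() {
	kek, _ := NewKEK()
	rec, _ := kek.SealSecret("db/prod/password", []byte("constructed-sample-secret"))
	got, err := kek.OpenSecret("db/prod/password", rec)
	fmt.Printf("%q %v\n", got, err)
}
```

Two properties are worth checking when reviewing a design like this: opening a record under a different record id must fail (the AAD binding), and the ciphertext bytes must be identical before and after a KEK rotation (only the wrapped DEK changes).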

Audited access broker

The server decrypts a secret in memory only for an authorized, audited session — then discards it. We do not claim zero-knowledge; we claim a broker you can actually account for.

Tamper-evident audit trail

Every secret read, every session, every grant and revocation is recorded and attributable. This is the evidence security and compliance teams ask for.
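An added example, not VaultTerm's implementation, of what "tamper-evident" means mechanically: each audit event carries an HMAC-SHA256 over its own fields plus the previous event's MAC, so altering, deleting or reordering any record breaks verification from that point on. The event fields, the action names and the way the key is held are assumptions for illustration; the events in main are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Event is one attributable audit record: who did what, to which object, when.
type Event struct {
	Seq     int
	Actor   string // principal the action is attributed to
	Action  string // secret.read, session.start, grant.create, grant.revoke, ...
	Target  string
	At      string // RFC 3339 timestamp, kept as a string for brevity
	PrevMAC string // MAC of the previous event; empty for the first
	MAC     string // HMAC-SHA256 over this event's fields, PrevMAC included
}

// Log is an append-only chain. The MAC key belongs to the audit module, not to
// whoever can write to the storage that holds the events.
type Log struct {
	key    []byte
	events []Event
}

func NewLog(key []byte) *Log { return &Log{key: key} }

// canonical serialises the MAC-covered fields in a fixed order with a control
// character as separator (a length-prefixed encoding would be stricter).
func canonical(e Event) string {
	return strings.Join([]string{fmt.Sprint(e.Seq), e.Actor, e.Action, e.Target, e.At, e.PrevMAC}, "\x1f")
}

func (l *Log) mac(e Event) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(canonical(e)))
	return hex.EncodeToString(m.Sum(nil))
}

// Append records an event and links it to the previous one.
func (l *Log) Append(actor, action, target, at string) Event {
	e := Event{Seq: len(l.events), Actor: actor, Action: action, Target: target, At: at}
	if n := len(l.events); n > 0 {
		e.PrevMAC = l.events[n-1].MAC
	}
	e.MAC = l.mac(e)
	l.events = append(l.events, e)
	return e
}

// Verify recomputes every MAC and checks every link. It returns the index of
// the first bad event, or -1 if the chain is intact. An altered field, a
// deleted event or a reordered event breaks the chain from that point on.
func (l *Log) Verify() (int, error) {
	prev := ""
	for i, e := range l.events {
		switch {
		case e.Seq != i:
			return i, errors.New("sequence gap or reorder")
		case e.PrevMAC != prev:
			return i, errors.New("link to previous event broken")
		case !hmac.Equal([]byte(e.MAC), []byte(l.mac(e))):
			return i, errors.New("MAC mismatch: event altered")
		}
		prev = e.MAC
	}
	return -1, nil
}

// Events returns a copy for export (for instance to a SIEM), where Verify can
// be rerun by anyone holding the key.
func (l *Log) Events() []Event { return append([]Event(nil), l.events...) }

// Tamper and Delete simulate a direct write to the store that bypasses Append,
// so that Verify's detection can be demonstrated.
func (l *Log) Tamper(i int, actor string) { l.events[i].Actor = actor }
func (l *Log) Delete(i int)              { l.events = append(l.events[:i], l.events[i+1:]...) }

func main() {
	al := NewLog([]byte("constructed-demo-key"))
	al.Append("alice", "session.start", "ssh://db-01", "2024-01-01T09:00:00Z")
	al.Append("alice", "secret.read", "vault/db/prod/password", "2024-01-01T09:00:02Z")
	al.Append("bob", "grant.revoke", "role:db-admin/alice", "2024-01-01T10:00:00Z")
	fmt.Println(al.Verify()) // -1 <nil>
	al.Tamper(1, "mallory")
	fmt.Println(al.Verify()) // 1 MAC mismatch: event altered
}
```

The chain only proves integrity relative to whoever holds the MAC key; exporting the events to a separate system (the SIEM forwarding the page mentions later) and verifying there is what turns "tamper-evident" into evidence a second party can check.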

Privacy-first AI

AI assistance defaults to a self-hosted model on your own network. Terminal output and secrets never leave the LAN unless you explicitly allow it — and only behind a redaction gate.

Least privilege & JIT

Role-based access to shared vaults plus just-in-time elevation that expires on its own. No standing credentials scattered across laptops.

Built on a modular monolith

A single hardened backend with clear module boundaries — auth, vault, ssh, terminal, audit — rather than a sprawling attack surface to secure.

Customer-managed, HSM-backed keys

Enterprise can seal VaultTerm's envelope-encryption master key under a HashiCorp Vault Transit key — itself HSM- or auto-unseal-backed — so the master is unsealed only in memory at boot and never sits at rest in our control plane.

Streams to your security stack

Forward security events in real time to Splunk and Microsoft Sentinel, sync secrets with your own HashiCorp Vault (KV v2), and provision via SCIM — VaultTerm fits the SIEM and secrets stack you already run.

Frequently asked

Is VaultTerm zero-knowledge?

No — and we won't pretend otherwise. VaultTerm is an audited access broker: the server decrypts in memory for authorized, audited sessions so it can broker SSH access and enforce policy. Secrets are never stored as plaintext, and every access is on the record.

Where does my data live?

Secrets are envelope-encrypted at rest. Enterprise plans support data-residency controls and self-hosted AI so sensitive output stays on your own network.

What is your compliance posture?

VaultTerm is built toward SOC 2, with audit logging, access controls, and tamper-evident records as first-class features. A DPA and subprocessor list are available for enterprise customers.

How do you handle AI and my terminal output?

AI defaults to a self-hosted model on your LAN. Any cloud LLM use is opt-in and passes through a redaction gate first, so raw terminal output and secrets are not sent off-network by default.
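As an added illustration of a redaction gate (written for this page, not VaultTerm's code; the "Privacy-first AI" feature above and this answer name the gate but do not describe its internals), the Go example below replaces secret values the broker already knows, then generic credential patterns, and only lets text off-network when cloud use has been explicitly enabled. The patterns, the sample terminal output and the policy in Release are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Gate holds the secret values the broker currently knows plus generic
// credential patterns. Assumed design: the page names a redaction gate but
// does not describe its internals.
type Gate struct {
	known    []string
	patterns []*regexp.Regexp
}

func NewGate(knownSecrets []string) *Gate {
	known := append([]string(nil), knownSecrets...)
	// Longest first, so a secret that contains a shorter one is replaced whole.
	sort.Slice(known, func(i, j int) bool { return len(known[i]) > len(known[j]) })
	return &Gate{known: known, patterns: []*regexp.Regexp{
		// key=value or key: value where the key names a credential
		regexp.MustCompile(`(?i)[A-Za-z_]*(password|passwd|pwd|token|secret|api[_-]?key)\s*[=:]\s*\S+`),
		regexp.MustCompile(`(?i)authorization:\s*(bearer|basic)\s+\S+`),
		regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----`),
		regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`), // AWS access key id shape
	}}
}

// Redact replaces known secret values first (exact match), then anything that
// looks like a credential. It returns the text and the number of replacements.
func (g *Gate) Redact(text string) (string, int) {
	n := 0
	for _, s := range g.known {
		if c := strings.Count(text, s); s != "" && c > 0 {
			text = strings.ReplaceAll(text, s, "[REDACTED:vault]")
			n += c
		}
	}
	for _, re := range g.patterns {
		text = re.ReplaceAllStringFunc(text, func(m string) string {
			n++
			// Keep the key name for context, drop the value. PEM blocks go whole.
			if i := strings.IndexAny(m, "=:"); i >= 0 && !strings.HasPrefix(m, "-----") {
				return m[:i+1] + "[REDACTED]"
			}
			return "[REDACTED]"
		})
	}
	return text, n
}

// Release models the page's policy: cloud use is opt-in, and when it is on,
// text passes through Redact before it leaves the network. The second return
// value says whether anything is allowed out at all.
func (g *Gate) Release(text string, cloudOptIn bool) (string, bool) {
	if !cloudOptIn {
		return "", false // default: nothing leaves the LAN
	}
	out, _ := g.Redact(text)
	return out, true
}

// SampleOutput is constructed terminal output, not captured from any system.
const SampleOutput = "mysql -u app -p S3cr3t-Value-42\n" +
	"export DB_PASSWORD=hunter2\n" +
	"curl -H 'Authorization: Bearer eyJabc.def'\n" +
	"aws configure set aws_access_key_id AKIACONSTRUCTED00001\n" +
	"ok line"

func main() {
	g := NewGate([]string{"S3cr3t-Value-42"})
	out, n := g.Redact(SampleOutput)
	fmt.Printf("%d replacements\n%s\n", n, out)
}
```

The exact-match pass is the stronger control: the broker knows the secrets it has decrypted for the session, so those can be stripped with certainty, while the pattern pass is a best-effort net for credentials that were never in the vault. A gate should count on the first and treat the second as a backstop.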

Can we manage our own encryption keys?

Yes, on Enterprise. VaultTerm's envelope-encryption master key can be sealed under a HashiCorp Vault Transit key — which can itself be HSM- or auto-unseal-backed — and is unsealed only in memory at boot. Per-record data-key wrapping stays local, so there's no hot-path cost and no plaintext at rest.

Can VaultTerm plug into our SIEM and secrets manager?

Yes. Security events stream in real time to Splunk and Microsoft Sentinel (plus Slack, PagerDuty and webhooks), a pull Events API covers full-stream export, and Enterprise can sync credentials with your own HashiCorp Vault (KV v2) — push, pull or bidirectional with conflict detection.