Introduction
zopp is the open-source secrets manager that keeps your team's secrets safe with zero-knowledge encryption. Self-host it, own your data, and stay in control.
Why zopp?
Zero-Knowledge
Your secrets are encrypted client-side before they ever reach the server. The server stores only encrypted blobs and can never see your plaintext data.
Self-Hostable
Deploy zopp on your own infrastructure. No vendor lock-in, no third-party access to your secrets. Your data stays where you control it.
CLI-First
Designed for developers who live in the terminal. Import/export .env files, inject secrets into processes, and integrate with your existing workflow.
Team Collaboration
Share secrets securely across your team with workspace invites. Fine-grained RBAC controls who can read, write, or admin each environment.
Quick Example
# Set a secret
zopp secret set DATABASE_URL "postgresql://user:pass@localhost/db"
# Get a secret
zopp secret get DATABASE_URL
# Run a command with secrets injected
zopp run -- npm start
# Export to .env file
zopp secret export -o .env
How It Works
zopp uses a hierarchical key encryption scheme:
User
└── Principal (your device)
    └── Workspace (your team)
        └── KEK (wrapped per-principal via ECDH)
            └── Environment (dev, staging, prod)
                └── DEK (wrapped with KEK)
                    └── Secrets (encrypted with DEK)
Every layer is encrypted. The server only stores wrapped keys and encrypted secrets—it never has access to plaintext.
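The key hierarchy above, as an added Node.js sketch that is not zopp's own code. The page names only ECDH, KEK and DEK, so X25519, HKDF-SHA256, AES-256-GCM, the function names and the stored-blob layout are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');
// AEAD helper (assumed AES-256-GCM); aad binds a blob to its name or layer.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(12); // fresh 96-bit nonce per encryption
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { nonce, ct, tag: c.getAuthTag() };
}
function open(key, box, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, box.nonce);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // final() throws on a wrong key, AAD or altered data
}

// ECDH shared secret -> 32-byte wrapping key via HKDF-SHA256 (assumed KDF).
function wrappingKey(privateKey, publicKey) {
  const shared = crypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'kek-wrap', 32));
}

// Wrap the workspace KEK for one principal with an ephemeral X25519 key pair.
function wrapKekFor(principalPublicKey, kek) {
  const eph = crypto.generateKeyPairSync('x25519');
  const box = seal(wrappingKey(eph.privateKey, principalPublicKey), kek, 'kek');
  return { ephemeralPublicKey: eph.publicKey, ...box };
}
function unwrapKek(principalPrivateKey, wrapped) {
  return open(wrappingKey(principalPrivateKey, wrapped.ephemeralPublicKey), wrapped, 'kek');
}

// Client side: build each layer and return only what a server would store.
function storeSecret(principalPublicKey, envName, name, value) {
  const kek = crypto.randomBytes(32); // workspace key
  const dek = crypto.randomBytes(32); // environment key
  return {
    wrappedKek: wrapKekFor(principalPublicKey, kek),
    wrappedDek: seal(kek, dek, envName),
    secret: seal(dek, Buffer.from(value), name),
  };
}

// Client side: principal private key -> KEK -> DEK -> secret.
function readSecret(principalPrivateKey, stored, envName, name) {
  const kek = unwrapKek(principalPrivateKey, stored.wrappedKek);
  const dek = open(kek, stored.wrappedDek, envName);
  return open(dek, stored.secret, name).toString();
}
```

The object returned by `storeSecret` holds only wrapped keys and ciphertext; a principal whose public key was never passed to `wrapKekFor` cannot derive the wrapping key, so `readSecret` throws for it.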
Getting Started
Quickstart
Get up and running in 5 minutes with our quickstart guide.
Installation
Multiple ways to install: CLI, Docker, or Kubernetes.
Core Concepts
Learn about workspaces, projects, and environments.
Self-Host
Deploy your own zopp server with our self-hosting guide.