Home
See it in action
# Contributor — write-only, no private key required
byreis submit --key STRIPE_API_KEY
# Admin — review the real value, then merge
byreis review --pr myorg/my-app-secrets#42
byreis admin merge --pr myorg/my-app-secrets#42 --expect <pin> \
    --project myapp --file secrets/production.enc.yaml
# Admin — consume the secrets without ever writing them to disk
byreis run --project myapp --file secrets/production.enc.yaml -- ./server
Access level is derived from cryptographic reality, never from a config flag or environment variable. If you can decrypt a project file and your public key is in the verified admin registry, you are an admin. Otherwise you are a contributor.
- Getting started
  Install byreis, initialize a project, submit your first secret, and read it back as an admin.
- Features
  The full capability set by role: what a contributor can do, what an admin can do, and the guarantees that hold across both.
- Security model
  How asymmetric access works: native age encryption, the two-repo trust model, fail-closed mode detection, and the trustworthy audit trail.
- User guide
  The complete reference for every workflow, command, configuration value, and environment variable.
Why byreis?
Existing tooling forces a trade-off:
- SOPS + age — zero-infra and git-native, but symmetric: anyone with a key reads everything, and a keyless contributor cannot edit a shared environment file at all.
- Server-based managers — good UX, but require infrastructure or a vendor.
- Kubernetes-only controllers — not usable for plain local or CI workflows.
byreis fills the gap: the only zero-infra, plain-git tool where people who must never read secrets can still safely add and update them.
Where to next
- New here? Start with Getting started.
- Evaluating? Read the Security model and Features.
- Operating byreis? See the runbooks and the user guide.
- Latest changes are in the release notes.