@flomisma/vault
Tamper-evident secret storage
AES-256-GCM encryption with per-tenant DEK derivation and a hash-chained access log. Every WRAP and UNWRAP is recorded with timestamp-locked hashes — altering history breaks the chain. Stronger audit guarantees than generic secret managers for regulated workloads.
Encrypted at rest
HKDF-derived tenant DEKs; KEK never stored with ciphertext.
Hash-chained audit log
Monotonic chainSequence + timestamp in every hash input.
HTTP + SDK
VaultHttpClient or portal /api/v1/ledger/vault routes.
import { VaultHttpClient } from '@flomisma/vault'

const vault = new VaultHttpClient({
  baseUrl: 'https://app.flomisma.com',
  ledgerApiKey: process.env.LEDGER_API_KEY!, // read from the environment, not hard-coded
  tenantId: 'your-tenant-id',
})

// Store a secret under a path, then read it back
await vault.store('stripe/secret_key', 'sk_live_xxx')
const { plaintext } = await vault.retrieve('stripe/secret_key')
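The hash-chained audit log described above, sketched as an added example that is not code from @flomisma/vault. It assumes each entry hash is SHA-256 over the previous hash, chainSequence, timestamp, operation and secret path; the entry layout, field names other than chainSequence, and the function names are hypothetical.

```typescript
import { createHash } from 'node:crypto'

type Op = 'WRAP' | 'UNWRAP'
interface LogEntry {
  chainSequence: number
  timestamp: string // ISO 8601
  op: Op
  secretPath: string
  prevHash: string
  hash: string
}

const GENESIS = '0'.repeat(64) // assumed prevHash of the first entry

// Assumed hash input: a JSON array, so field boundaries are unambiguous.
function entryHash(e: Omit<LogEntry, 'hash'>): string {
  const input = JSON.stringify([e.prevHash, e.chainSequence, e.timestamp, e.op, e.secretPath])
  return createHash('sha256').update(input).digest('hex')
}

function append(log: LogEntry[], op: Op, secretPath: string, timestamp: string): LogEntry[] {
  const prev = log[log.length - 1]
  const body = {
    chainSequence: prev ? prev.chainSequence + 1 : 0,
    timestamp, op, secretPath,
    prevHash: prev ? prev.hash : GENESIS,
  }
  return [...log, { ...body, hash: entryHash(body) }]
}

// Index of the first entry that breaks the chain, or -1 if the log is intact.
function verifyChain(log: LogEntry[]): number {
  let prevHash = GENESIS
  return log.findIndex((e, i) => {
    const ok = e.chainSequence === i && e.prevHash === prevHash && e.hash === entryHash(e)
    prevHash = e.hash
    return !ok
  })
}

// Constructed sample log: one WRAP followed by two UNWRAPs.
function sampleLog(): LogEntry[] {
  let log: LogEntry[] = []
  log = append(log, 'WRAP', 'stripe/secret_key', '2024-01-01T00:00:00Z')
  log = append(log, 'UNWRAP', 'stripe/secret_key', '2024-01-01T00:05:00Z')
  log = append(log, 'UNWRAP', 'stripe/secret_key', '2024-01-01T00:09:00Z')
  return log
}
```

An edited entry fails at its own index, and an entry edited with its hash recomputed fails at the next index because that entry's prevHash no longer matches. Dropping entries from the tail still leaves a valid shorter chain, so the latest hash has to be recorded somewhere the log writer cannot rewrite.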