Secret Vault | Tasker Work

Your project secrets,
safe in the vault.

API tokens, database passwords, certificates and confidential notes — all live in per-project, end-to-end encrypted vaults right next to the tasks that use them.

[Interface preview: Tasker Work, Secret Vault. Project Vaults: Production (12), Staging (8), Database (6), OAuth Apps (4), Certificates (3), On-call Notes (7). Open secret: production-api, type KEY_VALUE, encrypted with AES-256-GCM, key version v3. API_BASE_URL is https://api.taskerwork.com/v2; API_KEY and SIGNING_SECRET are masked. Last revealed 14m ago by alex@team.]

  • AES-256-GCM
  • 600k PBKDF2 iterations
  • Envelope encryption
  • Audit log
  • 4 secret types
  • Role-based access
  • Key rotation
  • Per-project isolation
  • No client-side cache

Envelope Encryption
Envelope Encryption

Four layers of encryption, zero grey area.

Every secret is protected by an envelope encryption hierarchy with four independent layers. Each layer has its own key and its own encryption context.

  • AES-256-GCM authenticated encryption — a single byte change in ciphertext fails decryption
  • KEK derived with PBKDF2-SHA256 at 600,000 iterations
  • Per-vault Vault Master Key (VMK) wrapped with AES-256-GCM
  • Per-secret Data Encryption Key (DEK) derived deterministically with HKDF-SHA256 — no extra storage
  • Key versioning — rotating the KEK only re-wraps VMKs, no ciphertext is touched

Encryption hierarchy

  • ENV (Environment Secret, 256-bit): lives only in server memory, never persisted to the database
  • KEK (Key Encryption Key, PBKDF2): derived via PBKDF2-SHA256, 600,000 iterations
  • VMK (Vault Master Key, AES-256-GCM): per-vault, AES-256-GCM wrapped, stored encrypted
  • DEK (Data Encryption Key, HKDF-SHA256): derived per-secret with HKDF-SHA256; encrypts the secret data
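
The hierarchy above, as an added Node.js sketch that is not Tasker Work's implementation: it walks ENV → KEK → VMK → DEK, rotates the KEK by re-wrapping only the VMK, and shows GCM rejecting a one-bit change in the ciphertext. The salt handling, AAD strings, HKDF info label, blob layout and all identifiers are assumptions made for the illustration.

```javascript
// Added illustration of a four-layer envelope hierarchy; not Tasker Work's code.
const { randomBytes, createCipheriv, createDecipheriv, pbkdf2Sync, hkdfSync } =
  require('node:crypto');

// AES-256-GCM seal; output is nonce(12) || tag(16) || ciphertext (assumed layout).
// The aad string binds the blob to its context.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv('aes-256-gcm', key, nonce).setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Inverse of seal; final() throws if any byte of blob or aad was altered.
function open(key, blob, aad) {
  const d = createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28)).setAAD(Buffer.from(aad));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// ENV -> KEK: PBKDF2-SHA256 at the page's 600,000 iterations.
const deriveKek = (envSecret, salt) => pbkdf2Sync(envSecret, salt, 600000, 32, 'sha256');

// VMK -> DEK: HKDF-SHA256 keyed by secret id, so no DEK is ever stored.
const deriveDek = (vmk, secretId) =>
  Buffer.from(hkdfSync('sha256', vmk, Buffer.alloc(0), `dek:${secretId}`, 32));

function demo() {
  const vault = 'vault-prod', id = 'production-api';      // constructed ids
  const kekV1 = deriveKek(randomBytes(32), randomBytes(16));
  const vmk = randomBytes(32);                            // per-vault master key
  const wrappedV1 = seal(kekV1, vmk, `${vault}|kek-v1`);
  const ct = seal(deriveDek(vmk, id), Buffer.from('constructed-token'), id);

  // KEK rotation: unwrap the VMK with v1, re-wrap with v2; ct is not touched.
  const kekV2 = deriveKek(randomBytes(32), randomBytes(16));
  const wrappedV2 = seal(kekV2, open(kekV1, wrappedV1, `${vault}|kek-v1`), `${vault}|kek-v2`);

  const dek = deriveDek(open(kekV2, wrappedV2, `${vault}|kek-v2`), id);
  const plain = open(dek, ct, id).toString();

  const tampered = Buffer.from(ct);
  tampered[tampered.length - 1] ^= 1;                     // flip one bit
  let tamperRejected = false;
  try { open(dek, tampered, id); } catch { tamperRejected = true; }
  return { plain, tamperRejected };
}

console.log(demo());
```

Because the DEK is a pure function of the VMK and the secret id, the only key material that has to be stored is the wrapped VMK, which is why rotation never rewrites a secret's ciphertext.
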

Secret Types

The right shape for every secret.

Plain-text tokens, structured key-value blocks, binary files or markdown notes — every secret type is stored and rendered the way it makes sense.

  • TEXT — single-line values for API tokens, S3 keys, JWT secrets; anything that fits on one line (e.g. sk_live_4eC39H...)
  • KEY_VALUE — key-value bundles for DB connection strings, OAuth credentials, complete config blocks (e.g. DB_HOST=… DB_USER=…)
  • FILE — binary files: PEM keys, .pem, .key, JSON service account files, up to 256 KB (e.g. svc-account.json)
  • NOTE — rich markdown notes for recovery codes, on-call playbooks, breakglass procedures (e.g. # Recovery codes\n1. ABCD-EFGH…)
  • All types share the same encryption pipeline; the UI picks the right viewer

Audit & Reveal

Every reveal, on the record.

Anyone who looks at a secret always creates an audit log entry. Reveal is never cached client-side — every fetch round-trips to the server and leaves a trail.

  • All CREATE, READ, UPDATE, DELETE, REVEAL and ROTATE events persisted
  • Each entry stores IP address, User-Agent, user, target secret and timestamp
  • Reveal is never client-cached — every call hits the server for audit accuracy
  • Filtered views: search by secret, action type or user
  • Exportable log stream for compliance and incident response

Audit log (live)

  • 14:32:08 UTC, alex@team, REVEAL, production-api, 203.0.113.42
  • 14:18:41 UTC, sarah@team, ROTATE, signing-secret, 198.51.100.7
  • 13:55:12 UTC, jake@team, CREATE, staging-db-creds, 198.51.100.7
  • 13:41:09 UTC, maya@team, UPDATE, oauth-client, 203.0.113.88
  • 13:22:47 UTC, alex@team, DELETE, legacy-token, 203.0.113.42

Showing 5 events. Unlimited retention.

Platforms built on the same standard

  • Apple: iCloud, FileVault, iMessage
  • Google Cloud: GCP KMS, Drive
  • WhatsApp: end-to-end messaging at scale
  • Cloudflare: TLS 1.3 termination
  • Signal: secure messaging protocol
  • 1Password: password vault encryption

Encryption Standard

AES-256-GCM — the same cipher TLS, AWS and governments use

Tasker Work runs on the same cryptographic standard behind TLS 1.3, AWS S3 server-side encryption and Apple iCloud. 2^256 possible key combinations push brute-force attacks far past the age of the universe, and GCM mode catches even a single byte of tampering in the ciphertext and refuses to decrypt.

NIST FIPS 197 | TLS 1.3 | AEAD

Permissions

Exactly the right access for every secret.

Role-based access at the vault level — project membership is not enough; you must be explicitly invited to every vault.

Admin

Workspace
  • Create, rename and delete vaults
  • Add, remove and re-role members
  • View the full audit log
  • Full secret CRUD across the workspace

Editor

Per vault
  • Create & edit secrets
  • Reveal any secret in the vault
  • Trigger key rotation
  • Cannot manage members or delete vault

Viewer

Per vault
  • Read-only access to secrets
  • Every reveal still logged
  • Cannot create or edit
  • Cannot rotate or delete

600k PBKDF2 iterations
AES-256-GCM authenticated encryption
4 secret types
Vaults per project

Your secrets,
with their projects.

Secret Vault keeps shared passwords and tokens in the same place as the tasks that use them — no off-the-record docs, no leak risk.