Your secrets. Your network. Your rules.
Run sirrd on your own infrastructure with a single binary. Free under BSL 1.1 — no license key, no limits. Secrets never leave your network.
Running in 30 seconds
# Start sirrd
$ docker run -d -p 39999:39999 ghcr.io/sirrlock/sirrd
# Push a secret (expires after 1 read)
$ curl -X POST localhost:39999/secrets -d '{"value":"postgres://...","max_reads":1}'
# Read it back
$ curl localhost:39999/secrets/<id>
postgres://user:pass@host/db
# Read again — burned
$ curl localhost:39999/secrets/<id>
404 — burnedMonitor every instance from one dashboard
Get a live view of all registered instances on sirrlock.com — version, uptime, secret count, health status.
Nothing leaves your network
sirrd runs entirely inside your infrastructure. No external calls. Fully air-gap capable.
Your Network Boundary
sirrd
Single Rust binary
redb
Embedded database
ChaCha20Poly1305
Encryption at rest
Built for production
Single Binary
No runtime dependencies. No JVM. No garbage collector. Ships as one executable or one Docker image.
Embedded Database
redb — a Rust-native embedded database. No PostgreSQL, no Redis, no external state to manage.
ChaCha20Poly1305
Every secret encrypted at rest with ChaCha20Poly1305. Master key loaded from file, never from env vars.
BSL 1.1 License
Free to self-host with no limits and no license key. Converts to Apache 2.0 in February 2028.
Webhooks
Fire events on secret.created, secret.read, secret.burned, secret.expired. Integrate with any system.
Audit API
Structured audit log for every operation. Export to your SIEM. Prove deletion for SOC 2 and ISO 27001.
How we compare
| Feature | Sirr Self-Hosted | Vault HCP | AWS Secrets Manager |
|---|---|---|---|
| Starting price | $0 (free tier) | $360/mo ($4,320/yr) | $0.40/secret/mo |
| Setup | One binary, one command | Cluster + unseal ceremony | AWS account + IAM policies |
| Burn-after-read | Native, default behavior | Not supported | Not supported |
| Database | Embedded (zero ops) | Consul / Raft | Managed (AWS-only) |
| AI/MCP integration | Built-in MCP server | None | None |
| Air-gap support | Yes, fully offline | Yes | No |