Empire Secrets Vault is a self-hosted, client-side-encrypted secrets manager — Bitwarden-compatible at the core — that plugs straight into the EAS dev-tools suite you already run. SSO via your Authentik. Secret-injection into your CI and AI agents. Audited by the same audit you already buy.
Add to your suite Why not just Bitwarden?The vault itself is a commodity. The integration is the product.
Log in with the same Authentik that fronts your Sentinel, Mutator, and Lumen. No new identity silo.
Your CI, agents, and apps pull secrets at runtime via the app-kit — no baking keys into env files.
Self-hosted on your infra (or ours, isolated). Client-side encrypted — the server only ever sees ciphertext.
The vault's event log flows into the EAS audit you already run — posture reporting on your own secrets, for free.
Bitwarden Teams is $4/seat and 1Password Business is $8/seat — and they're great if all you want is a vault. We charge a premium because you're not buying a vault, you're buying it wired into your suite: SSO, secret-injection, and audit you'd otherwise integrate yourself.
| Control | What we do |
|---|---|
| Encryption at rest | Client-side AES-256 per Bitwarden protocol — server sees only ciphertext |
| Master password | Customer-set, zero-knowledge — we cannot recover it (by design) |
| Admin surface | Argon2-hashed token, never exposed publicly, behind Authentik SSO |
| Backups | Nightly encrypted, off-host, restore-tested before go-live |
| Tenant isolation | Per-org collections (API-enforced) or dedicated container ($99) |
| Audit | Vault event log shipped to your EAS audit module |
Self-hosted, client-side encrypted, audited by the same EAS audit you already run. SOC2 is on the roadmap, not claimed today.