Frequently Asked Questions

Product Information & Features

What is Akeyless and how does it help secure secrets?

Akeyless is a next-generation secrets management solution that combines security with simplicity. It offers a SaaS platform for managing secrets, secure remote access, password management, and encryption/key management. Its patented Distributed Fragments Cryptography (DFC) technology enables zero knowledge encryption, ensuring that even Akeyless cannot access your secrets if you use a customer fragment. This architecture allows fragments of encryption keys to be stored across multiple cloud providers and regions, making unauthorized access extremely difficult. (Source)

What is zero knowledge encryption and how does Akeyless implement it?

Zero knowledge encryption in Akeyless means that only you, the customer, have access to the fragment required to decrypt your secrets. Akeyless uses Distributed Fragments Cryptography (DFC), where key fragments are stored separately and never combined. You can create your own customer fragment, which Akeyless does not store or have access to. If you lose your fragment, access to encrypted data is lost, as there is no recovery. This ensures that not even Akeyless can view your secrets. (Source)

What features does Akeyless offer?

Akeyless provides a unified SaaS platform for secrets management, secure remote access, password management, encryption and key management, certificate lifecycle management, multi-vault governance, and integrations with major cloud providers and DevOps tools. Key features include vaultless architecture, universal identity (solving the Secret Zero Problem), zero trust access, automated credential rotation, and out-of-the-box integrations with AWS IAM, Azure AD, Jenkins, Kubernetes, and Terraform. (Platform Features)

Does Akeyless support API access?

Yes, Akeyless provides an API for its platform, including support for API Keys for secure authentication of both human and machine identities. Comprehensive API documentation is available at Akeyless API Documentation. (Source)

What technical documentation is available for Akeyless?

Akeyless offers extensive technical documentation, including platform overviews, password management, Kubernetes secrets management, AWS target integration, PKI-as-a-Service, and more. Resources are available at docs.akeyless.io and tutorials.akeyless.io/docs. (Source)

Security & Compliance

How does Akeyless ensure the security of my secrets?

Akeyless uses patented Distributed Fragments Cryptography (DFC) to secure data in transit and at rest. Zero knowledge encryption ensures that only customers with the correct fragment can access their secrets. The platform enforces granular permissions, Just-in-Time access, and provides audit and reporting tools for compliance. (Trust Center)

What security and compliance certifications does Akeyless have?

Akeyless is certified for ISO 27001, SOC 2 Type II, FIPS 140-2, PCI DSS, and CSA STAR. These certifications demonstrate adherence to international security and compliance standards, making Akeyless suitable for regulated industries such as finance, healthcare, and critical infrastructure. For more details, visit the Akeyless Trust Center. (Source)

Implementation & Ease of Use

How long does it take to implement Akeyless and how easy is it to get started?

Akeyless can be deployed in just a few days due to its SaaS-native architecture, which requires no infrastructure management. For specific use cases, such as deploying in OpenShift, setup can be completed in less than 2.5 minutes. Getting started is simple, with self-guided product tours, platform demos, tutorials, and 24/7 support available. (Source)

What feedback have customers given about the ease of use of Akeyless?

Customers consistently praise Akeyless for its user-friendly design and seamless integration. For example, Conor Mancone (Cimpress) noted, "We set Akeyless up 9 months ago and we haven’t had to worry about credential rotation or leakage. All of our software just works — it’s been a really smooth, really easy process." Shai Ganny (Wix) highlighted the simplicity and operational confidence provided by Akeyless. (Cimpress Case Study, Wix Testimonial)

Use Cases & Target Audience

Who can benefit from using Akeyless?

Akeyless is designed for IT security professionals, DevOps engineers, compliance officers, and platform engineers across industries such as technology, finance, retail, manufacturing, and cloud infrastructure. It is ideal for organizations seeking secure, scalable, and efficient secrets management, identity security, and encryption solutions. (About Us)

What industries are represented in Akeyless's case studies?

Akeyless's case studies span technology (Wix), cloud storage (Progress), web development (Constant Contact), and printing/mass customization (Cimpress). These examples demonstrate Akeyless's versatility across multiple sectors. (Case Studies)

Can you share specific customer success stories?

Yes. Constant Contact scaled in a multi-cloud, multi-team environment using Akeyless (Case Study). Cimpress transitioned from Hashi Vault to Akeyless for enhanced security and seamless integration (Case Study). Progress saved 70% of maintenance and provisioning time with Akeyless’s cloud-native SaaS platform (Case Study). Wix adopted Akeyless for centralized secrets management and benefited from Zero Trust Access (Video).

Pain Points & Business Impact

What problems does Akeyless solve?

Akeyless addresses the Secret Zero Problem, legacy secrets management challenges, secrets sprawl, standing privileges/access risks, cost and maintenance overheads, and integration challenges. It centralizes secrets management, automates credential rotation, enforces zero trust access, and reduces operational costs and complexity. (Source)

What business impact can customers expect from using Akeyless?

Customers can expect enhanced security, operational efficiency, cost savings (up to 70% reduction in maintenance/provisioning time), scalability for multi-cloud/hybrid environments, compliance with international standards, and improved employee productivity. (Progress Case Study)

Competition & Comparison

How does Akeyless compare to HashiCorp Vault?

Akeyless offers a vaultless SaaS architecture, reducing infrastructure and operational overhead compared to HashiCorp Vault's self-hosted model. It provides advanced security features like zero trust access and automated credential rotation, with faster deployment and easier scalability. (Comparison)

How does Akeyless compare to AWS Secrets Manager?

Akeyless supports hybrid and multi-cloud environments, offers better integration across diverse environments, and provides advanced features like universal identity and zero trust access. It also delivers significant cost savings with a pay-as-you-go model. (Comparison)

How does Akeyless compare to CyberArk Conjur?

Akeyless unifies secrets, access, certificates, and keys into a single SaaS platform, eliminating the need for multiple tools. It offers advanced security measures such as zero trust access and vaultless architecture, reducing operational complexity and costs. (Comparison)

Support & Training

What customer service and support does Akeyless offer?

Akeyless provides 24/7 customer support via ticket submission (Support Page) and email ([email protected]). Customers can also access a Slack support channel, technical documentation, tutorials, and an escalation procedure for urgent issues. (Source)

What training and technical support is available to help customers get started?

Akeyless offers self-guided product tours, platform demos, tutorials, and comprehensive technical documentation. 24/7 support and a Slack channel are available for troubleshooting and guidance. Proactive assistance is provided for upgrades and maintenance. (Product Tour, Platform Demo, Tutorials)

How does Akeyless handle maintenance, upgrades, and troubleshooting?

Akeyless provides 24/7 support for maintenance, upgrades, and troubleshooting. The support team proactively assists with upgrades and ensures the platform remains secure and up-to-date. Extensive technical documentation and tutorials are available to help customers resolve issues independently. (Support)


Sam Gabrail – Platform Engineer

Secure Secrets with Zero Knowledge

Managing secrets is the backbone of secure and efficient operations.

Akeyless is your next generation secrets management solution where security meets simplicity.

I can sum up why customers like Akeyless in three main reasons.

First, ease of management with high availability baked in since it’s a SaaS.

Number two is the reduced total cost of ownership. As you scale, you don’t really need to add more clusters.

And number three, one integrated solution for secrets management, secure remote access, password management, and encryption and KMS.

Now, the first question you should be asking is: how can you trust a SaaS offering with your secrets? I’m glad you asked, because in this demo we’ll cover this and more, so stay tuned. Akeyless has a patented technology called Distributed Fragments Cryptography, or DFC for short. It allows an encryption key to be used as fragments without ever combining those fragments, which means Akeyless can store the fragments of an encryption key in different regions and different cloud providers and never bring them together.

So for an attacker to get at your secrets, they would need to run a simultaneous attack across all three clouds, which is very difficult to achieve. Now you might be thinking: well, Akeyless itself still has access to my secrets. That’s where the customer fragment comes into play. You can enable zero knowledge encryption by creating your very own customer fragment, so not even Akeyless can view your secrets. Just make sure you don’t lose that fragment, since there’s no recovering from that.

Alright. So let’s take a look at this diagram here. You can see that the diagram is split into two sections. On the left-hand side is the public network. This is the external environment, where the Akeyless console, the SaaS, lives.

On the other side you’ve got the Akeyless gateway. You can have a number of gateways, and they can sit on premises, in your VPCs, or in your private clouds across different providers: AWS, Azure, GCP, and so on. Your internal users, employees, or vendors access secrets directly by talking to your Akeyless gateway.

We’re now inside the Akeyless console, which is the SaaS back end. The first thing we want to do is create a gateway.

I have one running already, but I’m going to create a new one. So I click New here, and it gives me instructions for running the gateway either as a Docker container or in Kubernetes, with the Helm instructions right here.

I’m simply going to use Docker. The console shows what you need to do, but I already have my repo open in Visual Studio Code with some instructions we’re just going to follow. Before we actually create the gateway, I want to create a customer fragment. I’m going to generate this customer fragment and drop it into this file, customer_fragments.json, which looks something like this.

Okay, so here I have it. This file needs to be secured, and you have to make sure you don’t lose it, because nobody can retrieve it for you. So make sure you save it in a very secure place.

Excellent. The next step for us is to create the gateway. We have our Docker run command here, and it references our customer fragment JSON file, as you can see. It uses the -v flag to mount the customer fragment into the home Akeyless path where the gateway expects the customer fragment to be.

For admin access, I’m just using my default super-user email to start off, just for this demo. From here, we can see our Docker container running. If I run docker ps, I have a bunch of containers, but the one I’m interested in is this one, the Akeyless gateway. The gateway’s configuration UI runs on port 8000.

So let’s take a look at that and see what that looks like.

So I am on localhost, port 8000. Let me make this a bit bigger.

You can see that it’s still loading. So if I go back and take a look at my logs, we can see what’s going on.

The important thing is to make sure the gateway has network access to our backend SaaS. So just keep scrolling here.

Okay.

Here we have the log lines: “Starting up” and then “network connectivity check successful”. So this is quite promising. That looks good. And there we go.

So let’s go ahead and switch the login method over to password.

We’ll put in our email and password.

And once again, we are in the gateway configuration UI.

Excellent. Everything looks great. We have our gateway cluster URL as you can see here.

And if you go to Zero Knowledge Encryption, we can see our customer fragment right here, which is really good. Please note the warning here: in order to keep your data, including secrets, safe and accessible, back up your customer fragments in safe and privileged storage. Akeyless does not keep a copy of your fragments on its servers, and losing them will result in losing access to any information encrypted with the related zero knowledge DFC keys.

Now we need to remember to go back to our Akeyless SaaS back end, the console that doesn’t say “gateway” in its header, and make sure the gateway itself has the proper URL registered. If you go to Gateways, we see it’s healthy and connected, but there’s a warning that the URL is missing. So let’s give it a display name, which we’ll call “local gateway”, for example, and the URL is the cluster URL we had from the gateway configuration over here.

Paste that here, and the warning disappears; we have our instance running nicely. So that is excellent. Now let’s go into the Akeyless gateway console, not the configuration console but the actual console, which runs on localhost, port 18888.

Once again, we log in with the same admin password we’ve been using. Now we’re going to create an encryption key that uses the customer fragment. So go to New, Encryption Key, DFC.

From here, you can give it a name. Let’s call this “DFC encryption key customer fragment”, put it in the encryption keys folder, and make it of type AES-128-GCM. That’s fine. Our customer fragment shows up here, which is very cool.

And that’s it.

When you click Finish and go into the folder, you can see this little blue dot. If you hover over it, it says zero knowledge encryption, which is incredible. At the bottom you can see that both “encrypted by Akeyless DFC technology” and “zero knowledge encryption” are enabled for this encryption key. Now we can create a secret. Let’s choose a static secret, call it hello, leave it in the root folder, and keep the generic type.

For the protection key, we don’t want the default; we want the zero knowledge key we just created, DFC encryption key customer fragment. That’s what we’ll encrypt with, and the value will be hello world.

Perfect. And then next, and then finish.

And now we see our secret hello has again this blue dot for zero knowledge encryption.

And from here, I can go ahead and view it. I can see it because I’m in the gateway, which is great. So now the question is: can I see it from the SaaS back end? Let’s go over to the SaaS back end. The secret hello shows up here as well, still marked with zero knowledge encryption. Let’s click on it and see whether we can reveal it.

And we did see it. So here’s the catch. As a convenience feature, if the browser has network access to one of the gateways that holds the customer fragment, that gateway has TLS, and the user is able to connect to it, then the console sends the user’s credentials over to that gateway and facilitates the interaction through it for you. It only works from a browser and only under those conditions.

So let’s test this. I’m going to VPN to a network outside the one I’m in right now, where the gateway lives. This shows that Akeyless can’t pull any secret that has zero knowledge encryption from the gateway; only you can. Akeyless does not pull anything from the gateway.

Okay, so I’m going to VPN right here. Give it a minute. Okay, I’m VPNed in and outside my network now. Now I’ll try to reveal the value once again by clicking here, and finally we get this error message: failed to extract derived key, customer fragment is required but not available.

And that just shows you, again, if you don’t have that customer fragment, nobody can access this zero knowledge encrypted secret.
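To make the zero knowledge property concrete, here is an added, simplified model of fragment-based encryption, written for this page and not Akeyless’s actual DFC implementation, key format, or API. It assumes three constructed “service” fragments standing in for the shares held in different clouds plus one customer fragment; every fragment feeds the key derivation, so the SaaS side (which never holds the customer fragment) fails with the same kind of error shown above, and a party holding only one cloud’s share cannot decrypt either. The cipher is an illustrative encrypt-then-MAC construction built from HMAC-SHA256 so the block runs with the standard library only.

```python
"""Illustrative fragment-based key derivation (added example, stdlib only).

NOT Akeyless's DFC: a teaching model of why the party without the customer
fragment cannot derive the data key. All fragments below are constructed.
"""
import hashlib
import hmac
import os
import secrets
from typing import List, Optional


class CustomerFragmentRequired(Exception):
    """Raised when key derivation is attempted without the customer fragment."""


def derive_data_key(service_fragments: List[bytes],
                    customer_fragment: Optional[bytes],
                    key_name: str) -> bytes:
    """Derive a 32-byte data key from every service fragment plus the customer fragment.

    A party missing any fragment (SaaS back end without the customer fragment,
    or an attacker holding a single cloud's share) cannot reproduce the key.
    """
    if customer_fragment is None:
        raise CustomerFragmentRequired("customer fragment is required but not available")
    h = hashlib.sha256()
    for frag in service_fragments:
        h.update(frag)
    h.update(customer_fragment)
    # Bind the derived key to the named key object so two DFC keys never collide.
    return hmac.new(h.digest(), key_name.encode(), hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative, not AES-GCM)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(data_key: bytes):
    enc_key = hmac.new(data_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(data_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_secret(data_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    enc_key, mac_key = _subkeys(data_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_secret(data_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; wrong key -> ValueError."""
    enc_key, mac_key = _subkeys(data_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed authentication")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def demo() -> dict:
    """Replay the three vantage points from the demo: gateway, SaaS back end, partial share."""
    service_fragments = [secrets.token_bytes(32) for _ in range(3)]  # constructed cloud shares
    customer_fragment = secrets.token_bytes(32)                       # constructed customer fragment
    key_name = "/encryption-keys/DFC-encryption-key-customer-fragment"  # hypothetical key path

    # Gateway: has the customer fragment mounted, so it derives the key and encrypts.
    gw_key = derive_data_key(service_fragments, customer_fragment, key_name)
    blob = encrypt_secret(gw_key, b"hello world")

    # SaaS back end: holds only service fragments, so derivation is refused outright.
    try:
        derive_data_key(service_fragments, None, key_name)
        saas_error = None
    except CustomerFragmentRequired as exc:
        saas_error = str(exc)

    # Single cloud share plus a guessed customer fragment: key is wrong, tag check fails.
    wrong_key = derive_data_key(service_fragments[:1], secrets.token_bytes(32), key_name)
    try:
        decrypt_secret(wrong_key, blob)
        partial_share_decrypts = True
    except ValueError:
        partial_share_decrypts = False

    return {"gateway_plaintext": decrypt_secret(gw_key, blob),
            "saas_error": saas_error,
            "partial_share_decrypts": partial_share_decrypts}


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the failure: the back end does not get a wrong answer it could brute-force its way past, it has no derivation to run at all, which is why the console in the demo must hand the request to a gateway that holds the fragment rather than decrypting itself.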

Okay, one last thing. Let’s enable zero knowledge encryption on all secrets. We can do that in the gateway’s configuration console on port 8000, under Defaults.

Under Default Encryption Key, choose the zero knowledge encryption key we created and save the changes.

Now if we go back to our gateway console and refresh it, and create a new secret, say a static secret with whatever name we want, I just want to show you that at the bottom the protection key is now zero knowledge encryption by default and nothing else.

So there’s no way for me to choose something else in this case, and I’m going to be using this encryption key.

All my secrets, whether dynamic or static, will use our zero knowledge encryption key. Now that we can enable zero knowledge for our secrets, we can have the confidence to use Akeyless as a SaaS secrets management solution and leverage the many features it offers.
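Setting the default only affects secrets created afterwards, so a practitioner will also want to audit what already exists. The following is an added audit helper written for this page, not an Akeyless tool; the inventory is constructed, and the field names (name, type, protection_key_name) are assumptions rather than the real output of the Akeyless API or CLI, so map them to whatever your export actually contains.

```python
"""Added example: audit secret metadata for items not protected by the zero-knowledge key.

The inventory and its field names are constructed for this example; they are not
the Akeyless API schema. Adapt the field names to your own export.
"""
from typing import Dict, Iterable, List, Set

ZK_KEY = "/encryption-keys/DFC-encryption-key-customer-fragment"  # hypothetical key path

# Constructed inventory standing in for a metadata export of all items.
INVENTORY: List[Dict[str, str]] = [
    {"name": "/hello", "type": "static-secret", "protection_key_name": ZK_KEY},
    {"name": "/db/prod-password", "type": "static-secret",
     "protection_key_name": "/encryption-keys/default-key"},
    # Created before the default was changed: no explicit key, so it used the old default.
    {"name": "/legacy/api-token", "type": "static-secret", "protection_key_name": ""},
    {"name": "/dynamic/aws-admin", "type": "dynamic-secret", "protection_key_name": ZK_KEY},
]


def find_unprotected(items: Iterable[Dict[str, str]], zk_keys: Set[str]) -> List[Dict[str, str]]:
    """Return items whose protection key is not one of the approved zero-knowledge keys.

    An empty protection_key_name is reported too: it means the item relies on whatever
    default was in force when it was created, which is exactly what the audit must catch.
    """
    findings = []
    for item in items:
        key = item.get("protection_key_name", "")
        if not key:
            reason = "no explicit protection key (inherited the default at creation time)"
        elif key not in zk_keys:
            reason = f"protected by non-zero-knowledge key {key}"
        else:
            continue
        findings.append({"name": item["name"], "type": item.get("type", ""), "reason": reason})
    return sorted(findings, key=lambda f: f["name"])


def check_default_key(configured_default: str, zk_keys: Set[str]) -> bool:
    """True if the gateway's configured default encryption key is a zero-knowledge key."""
    return configured_default in zk_keys


def report(items: Iterable[Dict[str, str]], configured_default: str, zk_keys: Set[str]) -> str:
    """Human-readable summary suitable for a scheduled compliance check."""
    lines = []
    if not check_default_key(configured_default, zk_keys):
        lines.append(f"WARNING: default encryption key {configured_default!r} is not zero-knowledge")
    findings = find_unprotected(items, zk_keys)
    for f in findings:
        lines.append(f"{f['name']} ({f['type']}): {f['reason']}")
    lines.append(f"{len(findings)} item(s) need re-protection")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY, ZK_KEY, {ZK_KEY}))
```

Run it against a real export after enabling the default, then re-protect or recreate the items it lists; the empty-key case is the one most easily missed, because the UI shows those items as "protected" even though the key they inherited is not the zero-knowledge one.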