
Sam Gabrail – Platform Engineer

Secure Secrets with Zero Knowledge

Managing secrets is the backbone of secure and efficient operations.

Akeyless is your next generation secrets management solution where security meets simplicity.

I can sum up why customers like Akeyless into three main reasons.

First, ease of management with high availability baked in since it’s a SaaS.

Number two is the reduced total cost of ownership. As you scale, you don’t really need to add more clusters.

And number three, one integrated solution for secrets management, secure remote access, password management, and encryption and KMS.

Now the first question you're probably thinking is, how can you trust a SaaS offering with your secrets? I'm glad you asked, because in this demo we'll cover this and more, so stay tuned. Akeyless has a patented technology called Distributed Fragments Cryptography, or DFC for short. This allows using fragments of an encryption key without ever combining the key fragments, which means Akeyless can store fragments of an encryption key in different regions and in different cloud providers and never combine those fragments.

So for an attacker to try to access your secrets, they would need to run a simultaneous attack across all three clouds to get access to these secrets, which is very difficult to achieve. Now you might be thinking, well, Akeyless has access to my secrets, and that’s where the customer fragment comes into play. You can enable zero knowledge encryption by creating your very own customer fragment, so not even Akeyless can view your secrets. Just make sure you don’t lose that fragment since there’s no recovering from that.

Alright. So let’s take a look at this diagram here. You can see that the diagram is split into two sections. On the left hand side is our public network.

This is the external environment. This is where the Akeyless console or SaaS lives.

And then you've got the Akeyless gateway, and you can have a number of gateways that can sit on premises or in your VPCs and private clouds across different cloud providers: AWS, Azure, GCP, and so on. Now your internal users, employees, or vendors can access the secrets directly by talking to your Akeyless gateway. We're now inside of the Akeyless console, and this is the SaaS back end. So what we wanna do, first of all, is create a gateway.

Right? The first thing I wanna do is create a gateway. I have one running already, but I'm gonna create a new one. So I can click new here, and it gives me instructions for whether I wanna run a Docker container or run this in Kubernetes, and I have the Helm instructions for me here.

I'm simply gonna use Docker, and it gives you here what you need to do, but I already have my Visual Studio Code repo, and I've got some instructions that we're just gonna follow. And before we actually create the default gateway, I want to create a customer fragment. I'm going to create this customer fragment and drop it in this file, customer_fragments.json, which looks something like this.

Okay. So here I have it. This needs to be secured. And you've got to make sure you don't lose this, because nobody can retrieve it if you lose it. So you've got to make sure you save it in a very secure place.

Excellent. So the next step for us is to create the gateway, and we have our Docker run command here, and it does reference our customer fragment JSON file that you can see here. It's using the `-v` flag to mount the customer fragment into the Akeyless home path inside the container, where the gateway expects a customer fragment to be. Okay.

And then for the admin access, I'm just using my default super user email to start off, just for this demo. And from here, what we can see now is our Docker container running. So run `docker ps`; I have a bunch of containers, but the one I'm interested in is this one, the Akeyless one here. The gateway configuration UI is gonna run on port 8000 here.
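As an added example (not the video's or Akeyless's own code), here is a small shell pre-flight for the step above: it refuses to continue unless the customer fragment file is locked down, makes a verified backup of it (since Akeyless cannot recover it), and prints the `docker run` line that mounts it with `-v`. The image name, the in-container fragment path and the `ADMIN_ACCESS_ID` variable are assumptions to check against the Akeyless docs.

```shell
#!/usr/bin/env bash
# Pre-flight for an Akeyless gateway container with a customer fragment mounted in.
# Assumed (not from the demo): image name, in-container fragment path, and the
# ADMIN_ACCESS_ID environment variable; verify them against the Akeyless docs.
set -eu

GW_IMAGE="${GW_IMAGE:-akeyless/base:latest}"                        # assumed
GW_FRAGMENT_PATH="/home/akeyless/.akeyless/customer_fragments.json"  # assumed

# check_fragment FILE: the fragment is unrecoverable if lost and must not be
# readable by other users, so require a non-empty JSON-looking file, mode 600/400.
check_fragment() {
  local f="$1" mode
  [ -s "$f" ] || { echo "fragment file missing or empty: $f" >&2; return 1; }
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "$f is mode $mode; chmod 600 it before use" >&2; return 1 ;;
  esac
  [ "$(head -c 1 "$f")" = "{" ] || { echo "$f does not look like JSON" >&2; return 1; }
}

# backup_fragment FILE DIR: copy the fragment into DIR (mode 600) with a sha256
# sidecar, verify the copy, and print the backup path. Keep DIR off the gateway host.
backup_fragment() {
  local f="$1" dir="$2" dest name
  name="$(basename "$f").$(date +%Y%m%d)"
  dest="$dir/$name"
  install -m 600 "$f" "$dest"
  ( cd "$dir" && sha256sum "$name" > "$name.sha256" && sha256sum -c "$name.sha256" >/dev/null )
  echo "$dest"
}

# gateway_run_cmd FILE ADMIN_ACCESS_ID: print (do not execute) the docker run line.
# Port 8000 is the gateway configuration UI and 18888 the gateway console from the
# demo; the fragment is bind-mounted read-only with -v.
gateway_run_cmd() {
  local f="$1" admin="$2"
  printf 'docker run -d --name akeyless-gw -p 8000:8000 -p 18888:18888 -e ADMIN_ACCESS_ID=%s -v %s:%s:ro %s\n' \
    "$admin" "$f" "$GW_FRAGMENT_PATH" "$GW_IMAGE"
}

# Usage: ./gw-preflight.sh run ./customer_fragments.json <admin-access-id>
if [ "${1:-}" = "run" ] && [ $# -eq 3 ]; then
  check_fragment "$2"
  gateway_run_cmd "$2" "$3"   # review the printed line, then pipe it to sh to start the gateway
fi
```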

So let’s take a look at that and see what that looks like.

So I am on localhost, port 8000. Let me make this a bit bigger.

You can see that it’s still loading. So if I go back, take a look at my logs.

We can see here what’s going on.

The important thing is to make sure that the gateway has access to our backend SaaS. So just keep scrolling here.

Okay.

Starting up, and the network connectivity check is successful. So this is quite promising. That looks good. And there we go.

So let’s go ahead and switch this over to password.

We’ll put in our email and password.

And once again, we are in the gateway configuration UI.

Excellent. Everything looks great. We have our gateway cluster URL as you can see here.

And if you go to zero knowledge encryption, we can see our customer fragment right here, which is really good. And please note this: in order to keep your data, including secrets, safe and accessible, back up your customer fragments in a safe and privileged storage. Akeyless does not keep a copy of your fragments on its servers, and losing them will result in losing access to any information encrypted with the related zero knowledge DFC keys.

Now we need to remember to go back to our Akeyless SaaS back end, which is the console that doesn't say gateway here, and make sure the gateway itself has the proper URL. So if you go to gateway, we see it's healthy, it's connected, but we have a warning here that the URL is not there. So let's give it a display name, which we'll call local gateway, for example. And the URL is the one we had from the gateway over here.

And paste that here.

And the warning disappears and we have our instance running nicely. So that is excellent. Now let's go into the Akeyless gateway console, not the configuration console, but the actual console. And this one is running on localhost, port 18888.

And once again, we are going to log in with the same admin password that we're using. And now we're going to go ahead and create an encryption key that's using the customer fragment. So go to new encryption key, DFC.

From here, you can give it a name. Let's call this DFC encryption key customer fragment, put it in the encryption keys folder, and this will be of type AES-128-GCM. That's fine. Here's our customer fragment that shows up here. Very cool.

And that’s it.

When you click finish, now I go into this folder and you can see this little blue dot. If you hover over it, it says zero knowledge encryption, which is incredible. And you can see here at the bottom that encrypted by Akeyless DFC technology and zero knowledge encryption are both enabled for this encryption key. So now what we can do is create a secret. For this secret, let's just choose a static secret, name it hello, leave it in the root folder, type generic.

And default protection? No. We want the zero knowledge encryption key that we created, DFC encryption key customer fragment. That's what we're going to encrypt with, and the value will be hello world.

Perfect. And then next, and then finish.

And now we see our secret hello has again this blue dot for zero knowledge encryption.

And from here, I can go ahead and view this. I can see it because I'm in the gateway, which is great. So now the question is, can I see it if I'm on the SaaS back end? So let's go over to our SaaS back end, and you do see the secret shows up here as well on the SaaS back end, and you see it still says zero knowledge encryption. So let's click on it and let's see. Are we gonna be able to see it?

And we did see it. So here's the catch. As a convenience feature, if the browser has network access to one of the gateways that has the customer fragment, that gateway has TLS, and the user is able to connect to that gateway, then the console will send the user credentials over to that gateway and facilitate the interaction for you. It will only work from a browser and under those conditions.

So then let's test this. To test this, I'm gonna VPN to a network outside the one I'm in right now, where the gateway lives. And this is to show that Akeyless can't pull any secret that has zero knowledge encryption from the gateway. Only you can. So Akeyless does not pull anything from the gateway.

Okay. So I’m going to VPN right here.

Just give it a minute here. Okay. So I'm VPNed. I'm outside my network right now. And now I'm going to go ahead and try to reveal the value once again by clicking here. And finally, we get this error message: failed to extract derived key, customer fragment is required but not available.

And that just shows you, again, if you don’t have that customer fragment, nobody can access this zero knowledge encrypted secret.

Okay. One last thing. Let's go ahead and enable zero knowledge encryption on all secrets, and we can do that in the gateway's configuration console here on port 8000. We can go here under defaults.

And under default encryption key, we can choose our zero knowledge encryption key that we created, and save changes.

And now if we go back to our gateway console, let’s refresh that. And if we were to create a new secret, let’s say a static secret, give it whatever name we want. I just wanna show you that at the bottom here, the protection key is by default zero knowledge encryption and nothing else.

So there’s no way for me to choose something else in this case, and I’m going to be using this encryption key.

And all my secrets, whether they're dynamic or static secrets, whichever they are, are going to be using our zero knowledge encryption key. Now that we can enable zero knowledge for our secrets, we can have the confidence to use Akeyless as a SaaS secrets management solution and leverage the many features that it offers.