End-to-end encrypted secrets management for engineering teams — from local dev to Kubernetes production.
Phase Console is an open source platform that helps engineering teams securely manage, rotate, and deploy application secrets and environment variables across development, staging, and production environments. It uses end-to-end encryption with XChaCha20-Poly1305 and X25519 key exchange, meaning secrets are encrypted on the client before reaching the server — the platform never has access to plaintext values.
The platform offers a complete ecosystem: a web dashboard for secret lifecycle management, a CLI for local development and runtime injection, a Kubernetes Secrets Operator for cluster sync, a Terraform provider for infrastructure-as-code workflows, and SDKs for Node.js, Python, and Go. It supports both cloud-hosted and fully self-hosted deployments via Docker Compose or Helm charts.
Engineering teams use Phase to eliminate hardcoded credentials, enforce role-based access control per application and environment, and automate secret syncing to third-party platforms including GitHub Actions, GitLab CI, Vercel, Cloudflare Pages, Railway, and AWS Secrets Manager.
An enterprise tier, kept in the ee/ directory, unlocks dynamic secret generation (short-lived AWS credentials with automatic TTL revocation), SSO/SAML integrations, advanced billing controls, and IP allowlisting — all behind a subscription-gated license that is verified on-disk via an Ed25519-signed token.
.env files, inject secrets as environment variables into running processes at launch, or spawn a virtual shell with secrets pre-loaded — without modifying application code.
Architecture
Phase Console is a monorepo with a clear frontend/backend split enforced at the Docker service boundary. The Django backend follows a layered architecture — REST and GraphQL views handle HTTP concerns, utility modules isolate business logic (secrets operations, cryptography, access checks, audit logging), and models own persistence. Enterprise features live entirely in the ee/ directory, which is gated behind license verification without contaminating the MIT-licensed core. RQ workers backed by Redis handle async tasks such as secret syncing to third-party platforms and dynamic secret lease revocation on a scheduled basis, keeping HTTP request handlers fast and stateless. The Next.js frontend communicates via both REST and Apollo GraphQL depending on query complexity, and libsodium-wrappers-sumo handles client-side crypto so plaintext values never leave the browser unencrypted.
Tech Stack
The backend is Django 4.2 with Django REST Framework and djangorestframework-camel-case for consistent JSON contracts, plus Graphene-Django providing a parallel GraphQL endpoint for the frontend’s Apollo Client. PostgreSQL stores all secrets metadata and user state via psycopg2, and Redis serves as both the RQ job broker and a caching layer. PyNaCl (Python libsodium bindings) handles all cryptographic primitives — XChaCha20-Poly1305 symmetric encryption, X25519 key exchange for asymmetric operations, and blake2b for environment-scoped key digests. The frontend is Next.js 14 with React 18, NextAuth for session management, and PostHog for product analytics. All services are orchestrated with Docker Compose behind an Nginx reverse proxy that handles SSL termination, with separate compose files for development, staging, and production.
Code Quality
The codebase has comprehensive test coverage across backend concerns — pytest-based tests cover secrets API scoping, authentication flows, SSO provider integrations, environment key operations, service account deletion cascades, and org resolution. Frontend Jest tests complement the backend suite. Error handling is structured and explicit: custom exception classes (DynamicSecretError, TTLExceededError, LeaseExpiredError, PlanRestrictionError) propagate domain failures cleanly to HTTP responses with accurate status codes. JSON body parsing is centralized with guards against empty bodies, non-object payloads, and deep recursion. TypeScript strict mode on the frontend and consistent camelCase/snake_case conventions across layers keep the codebase readable. GitHub Actions CI runs backend and frontend pipelines on every pull request and release.
What Makes It Unique
Phase’s core differentiator is genuine end-to-end encryption: secrets are encrypted by the client using libsodium before transmission, so the server stores and syncs ciphertext only — even a compromised backend cannot expose plaintext values. The dynamic secrets system goes beyond static vault patterns by generating ephemeral AWS IAM credentials on demand with a configurable TTL and scheduling automatic revocation as an RQ job, eliminating the long-lived credential problem entirely. Environment-scoped blake2b key digests prevent cross-environment secret disclosure even on shared infrastructure. The dual REST + GraphQL API architecture lets the same backend serve simple SDK integrations and complex relational frontend queries without duplication.
Phase Console uses a dual-license model. Code outside the ee/ directories is MIT-licensed, meaning you can use it commercially, modify it, distribute it, and run it in production with no royalties or restrictions. Code inside ee/ directories carries the Phase Enterprise License, which permits development and testing use freely but requires a valid Phase Enterprise subscription with the correct number of seats for production use — you cannot sublicense or redistribute the enterprise code.
Running Phase yourself means you are responsible for the full operational stack: PostgreSQL database with regular backups, Redis instance for job brokering and caching, Docker or Kubernetes orchestration for the backend, frontend, nginx proxy, and RQ worker services, plus SSL certificate management. The migration service runs on startup to keep the database schema current. The RQ worker process must remain healthy for secret syncing and dynamic secret lease revocation to function. For production deployments, you will need to handle high-availability configuration, monitoring, and database failover yourself — there is no built-in clustering support.
Phase Cloud (the hosted SaaS tier) removes all of the above operational burden and adds managed upgrades, SLA-backed uptime, SOC 2 compliance infrastructure, and priority support. The hosted tier also includes the Enterprise features (dynamic secrets, SSO/SAML, IP allowlisting) bundled by plan tier rather than requiring a separately purchased license key. Self-hosters who need enterprise features must obtain and configure an offline license token; without it, ee/ functionality is either disabled or restricted to development use.