Security

Bank-grade encryption. Zero-trust architecture.

We designed Egg Carton to be auditable at every layer. Here's exactly how your secrets are protected.

How it works

Encryption that feels like magic.

Every secret gets its own unique encryption key. That key is itself encrypted by AWS KMS. Only you can decrypt it.

[Diagram] Plaintext (sk-ant-abc123…) → AES-256-GCM with a fresh DEK (KMS generates a unique key) → Wrapped DEK (AWS KMS encrypts the DEK with the master key) → At rest (DynamoDB stores ciphertext + encrypted DEK)

Envelope encryption

Each secret has its own DEK. Compromise one key = compromise one secret, not all.

Single-use keys

After every read, a fresh DEK is generated and the old one is gone. No key reuse.
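The envelope-encryption and single-use-DEK scheme described above, as an added worked example written for this page (it is not Egg Carton's own implementation). The AWS KMS calls GenerateDataKey and Decrypt are stood in for by an in-process MockKMS so the code runs offline with only the Go standard library; binding both encryption layers to the owner and secret ID as GCM associated data (the AAD, mirroring a KMS encryption context) is this example's design choice, not something the page states. Store writes a secret under a DEK generated only for that write; Read unwraps the DEK, decrypts, and immediately re-encrypts under a brand-new DEK, returning the replacement record that the caller would persist.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randBytes returns n random bytes; crypto/rand.Read never returns an error (documented since Go 1.24).
func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b)
	return b
}

// MockKMS stands in for AWS KMS (constructed for this example); the master key never leaves it.
type MockKMS struct{ master []byte }

func NewMockKMS() *MockKMS { return &MockKMS{master: randBytes(32)} }

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-256-GCM under a random nonce; output is nonce||ciphertext||tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; the GCM tag check fails on tampering or a wrong AAD.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := gcm(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// GenerateDataKey mirrors KMS GenerateDataKey: a fresh DEK plus the same DEK wrapped under the master key, bound to ctx.
func (k *MockKMS) GenerateDataKey(ctx []byte) (dek, wrapped []byte, err error) {
	dek = randBytes(32)
	wrapped, err = seal(k.master, dek, ctx)
	return dek, wrapped, err
}

// Record is the stored item: ciphertext and wrapped DEK, never plaintext.
type Record struct {
	Owner, ID              string
	Ciphertext, WrappedDEK []byte
}

// aad binds both layers to owner/ID, so a row copied under another owner won't open.
func (r Record) aad() []byte { return []byte(r.Owner + "/" + r.ID) }

// Store encrypts one secret under a DEK that exists only for this write.
func Store(kms *MockKMS, owner, id string, secret []byte) (Record, error) {
	rec := Record{Owner: owner, ID: id}
	dek, wrapped, err := kms.GenerateDataKey(rec.aad())
	if err != nil {
		return Record{}, err
	}
	rec.WrappedDEK = wrapped
	rec.Ciphertext, err = seal(dek, secret, rec.aad())
	return rec, err
}

// Read unwraps the DEK (the KMS Decrypt step), decrypts, then re-encrypts under
// a brand-new DEK so the DEK just used is never used again; persist `fresh`.
func Read(kms *MockKMS, rec Record) (pt []byte, fresh Record, err error) {
	dek, err := open(kms.master, rec.WrappedDEK, rec.aad())
	if err != nil {
		return nil, Record{}, err
	}
	if pt, err = open(dek, rec.Ciphertext, rec.aad()); err != nil {
		return nil, Record{}, err
	}
	fresh, err = Store(kms, rec.Owner, rec.ID, pt)
	return pt, fresh, err
}

func main() {
	kms := NewMockKMS()
	rec, _ := Store(kms, "user-1", "anthropic-key", []byte("sk-ant-example"))
	pt, _, err := Read(kms, rec)
	fmt.Println(string(pt), err)
}
```

Two properties are worth checking when running it: the record returned by Read carries a different wrapped DEK and ciphertext from the one passed in, and a record whose Owner field is changed (or one presented to a MockKMS with a different master key) fails the GCM tag check instead of decrypting.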

Zero plaintext logs

We never log your secrets or your keys — not even for debugging. That's the contract.

You focus on code. We own the infrastructure.

We run Egg Carton on AWS — but that's our problem, not yours. You get enterprise-grade encryption without touching a single IAM policy.

You handle

  • ✓ Install the CLI
  • ✓ Run egg login
  • ✓ Store and retrieve secrets
  • ✓ Use secrets in your code or agents

We handle

  • ✓ AWS account provisioning
  • ✓ KMS key management + rotation
  • ✓ DynamoDB encryption at rest
  • ✓ IAM roles, policies, and permissions
  • ✓ TLS termination and API Gateway auth
  • ✓ Cognito user pool and Google IdP setup

Zero-trust model

Every request is verified, not trusted.

Authentication and authorization happen independently on every API call. No sessions, no persistent credentials, no implicit trust.

JWT validation on every request

API Gateway validates Cognito JWTs before any Lambda runs. Invalid or expired tokens are rejected at the edge — no code ever runs.

sub-scoped data isolation

Your Cognito sub claim is the DynamoDB partition key. Every Lambda handler verifies the JWT sub matches the owner path parameter — no cross-user access is possible.

Short-lived tokens

OAuth access tokens expire after 1 hour. The CLI handles refresh automatically. We never store credentials โ€” only your encrypted secrets.
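The per-request gate described under "JWT validation", "sub-scoped data isolation" and "Short-lived tokens", as an added example written for this page (not Egg Carton's CLI or Lambda code). Real Cognito tokens are RS256 and are verified against the user pool's JWKS at API Gateway; this example signs with HS256 and a constructed shared key so it runs on the Go standard library alone, and the claim set, the "Bearer" header format, the 401/403 error split and the key are assumptions. The handler-side logic is the part the page describes: verify the signature and expiry, then refuse the request unless the token's sub equals the owner path parameter used as the partition key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims are the only fields this gate needs from the token.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

var (
	ErrUnauthorized = errors.New("401: token missing, malformed, badly signed, or expired")
	ErrForbidden    = errors.New("403: token sub does not match owner path parameter")
)

var b64 = base64.RawURLEncoding

// VerifyHS256 checks the signature and expiry, then returns the claims.
// HS256 with a shared key stands in for Cognito's RS256/JWKS here. The
// algorithm is fixed by the verifier; "alg" in the header is never consulted,
// so a header that names a different algorithm changes nothing.
func VerifyHS256(token string, key []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrUnauthorized
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrUnauthorized
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return Claims{}, ErrUnauthorized
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil || c.Sub == "" || c.Exp == 0 {
		return Claims{}, ErrUnauthorized
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, ErrUnauthorized // expired: rejected before any handler logic runs
	}
	return c, nil
}

// Authorize is the gate every handler runs before touching the table: the
// token must verify, and its sub must equal the owner path parameter (the
// partition key). On success it returns the partition key to query with.
func Authorize(authHeader, ownerParam string, key []byte, now time.Time) (string, error) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return "", ErrUnauthorized
	}
	c, err := VerifyHS256(strings.TrimPrefix(authHeader, "Bearer "), key, now)
	if err != nil {
		return "", err
	}
	if subtle.ConstantTimeCompare([]byte(c.Sub), []byte(ownerParam)) != 1 {
		return "", ErrForbidden
	}
	return c.Sub, nil
}

// MintHS256 issues a token for the example; in production that is the IdP's job.
func MintHS256(sub string, exp time.Time, key []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(Claims{Sub: sub, Exp: exp.Unix()})
	signingInput := header + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

func main() {
	key := []byte("constructed-demo-signing-key") // constructed for the example
	now := time.Now()
	tok := MintHS256("sub-alice", now.Add(time.Hour), key) // a 1-hour access token
	fmt.Println(Authorize("Bearer "+tok, "sub-alice", key, now))
	fmt.Println(Authorize("Bearer "+tok, "sub-bob", key, now))
}
```

The second call in main is the cross-user case: a valid token for one sub presented against another owner's path is refused with a 403 before any data access, while a bad signature, a spliced-in payload, or an expired token never gets that far and is refused with a 401.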

Zero plaintext at rest

DynamoDB stores only AES-256-GCM ciphertext and KMS-encrypted DEKs. Plaintext secrets never touch disk. KMS decryption requires a valid JWT on every read.

Compliance posture

Built on infrastructure that passes audits.

We inherit SOC 2 compliance from AWS KMS and DynamoDB, so you get enterprise-grade guarantees without the enterprise procurement process.

TLS 1.2+

All traffic is encrypted in transit via API Gateway + ACM certificates.

AWS KMS SOC 2

KMS is SOC 2 Type II certified. Key rotation is enabled by default on the Egg Carton master key.

DynamoDB SOC 2

DynamoDB is SOC 2 Type II, ISO 27001, and PCI DSS Level 1 certified. At-rest encryption uses the same KMS key.

No plaintext logs

CloudWatch Lambda logs are structured and never include secret values or plaintext DEKs — contractually enforced by our logging conventions.

Immutable audit trail

Every API call is logged with timestamp, owner sub, and secret ID (never value). Pro and Team plans surface this as access logs.

Open-source CLI

The CLI is open source. Inspect exactly what gets sent to the API before you trust it with your secrets.

Verify it yourself

Don't trust us. Read the code.

The CLI is fully open source. Every encryption operation, every API call, every auth flow is auditable. If you find a bug, open an issue. If you find a vulnerability, email us directly.