Simple Secrets Manager is a lightweight, self-hosted secret manager for homelabs and small teams — clean project/config-based secret organization without enterprise overhead. One container runs the server and Admin Console, ssm-cli injects secrets into any process, and the optional ssm-reload service keeps your running containers in sync when secrets change.
My homelab grew past the point where I could keep secrets straight by hand. I run Kubernetes clusters and Docker containers and a stack of services that all need the same values kept in sync. The servers underneath need their own secrets too. Keeping everything rotating consistently across all of it was a nightmare. There was no lightweight way for me to configure and share secrets quickly and still keep an audit of who touched what. So I built one. And in the era of coding agents I also wanted every agent audited and pointed at exactly the config it is allowed to use.
| Feature | What it does | Guide |
|---|---|---|
| 🗂️ Projects, configs & inheritance | Organize secrets by project and environment such as dev, staging, and prod. Child configs inherit from their parent and override only the values that differ. |
📖 First-time setup |
| 🔗 Secret references | Compose values from placeholders like ${KEY}, ${config.KEY}, and ${project.config.KEY}. Invalid, unresolved, and circular references are rejected at save time. |
📖 CLI guide |
| 🖥️ Admin Console | Create, search, and reveal secrets in the browser. Import .env files with preview and conflict detection. Export any config as JSON or .env. Compare a key across environments to spot drift. |
📖 Server installation |
| 🔐 Tokens, RBAC & audit | Issue personal and service tokens with TTL and project scoping. Manage workspace roles and groups for least-privilege access. Review every access in a filterable audit trail. | 📖 First-time setup |
| ⚡ CLI runtime injection | Run any command through ssm-cli run and your secrets arrive as environment variables. Download, upload, and mount secret payloads for local use and CI/CD. |
📖 CLI guide |
| 🔄 Auto-sync to containers | Label a Docker container once. The ssm-reload service recreates it with fresh environment whenever its secrets change. No manual redeploys. Watch every instance and its last outcome from the Admin Console's Reloader Fleet view. |
📖 Secrets reloader |
Also in the box: automatic secret icons for large catalogs, cross-config drift detection, FIFO secret mounts, and a deprecation-stable API.
git clone https://github.com/bearlike/Simple-Secrets-Manager.git
cd Simple-Secrets-Manager
./scripts/deploy_stack.shOpen http://localhost:8080, create the first admin user, and add your first secrets.
📖 Full guide: Server installation
uv tool install git+https://github.com/bearlike/Simple-Secrets-Manager.git
ssm-cli configure --base-url http://localhost:8080/api --profile dev
ssm-cli login --profile dev
ssm-cli run --profile dev -- python app.py📖 Full guide: CLI installation & reference
services:
web:
image: myorg/web-api:latest
labels:
com.bearlike.ssm.enable: "true" # opt in
com.bearlike.ssm.config: "web/prod" # project/config to trackAlready running the stack from step 1? docker compose --profile reload up -d is the quickest way to bring ssm-reload up. Otherwise, run the service next to your workloads; any labeled container is recreated with fresh secrets when they change.
📖 Full guide: Secrets reloader
| Guide | What it covers |
|---|---|
| Server installation | Deploying the stack, endpoints, updating an existing deployment. |
| First-time setup | Bootstrapping the first admin, tokens, and workspace RBAC. |
| CLI | Installing ssm-cli, authentication, commands, resolution order. |
| Secrets reloader | Auto-syncing secrets to running Docker containers. |
| Container image | Image tags, ports, and runtime reference. |
| Contributing | Prerequisites, local development, quality gates, and commit conventions. |
Fork, branch, and open a pull request — the pre-commit hook runs the same lint/test gate as CI. Start with the contributing guide.
Found a bug or want a feature? Open an issue on the issue tracker with reproduction steps where possible.
Licensed under CC0 1.0 Universal.
