ASTIS Workload Secrets

Kubernetes secrets where infrastructure access does not mean data access.

The pod decrypts its secret in RAM. The ASTIS edge and the secret backend never see plaintext. Annual license — no per-secret or per-call billing.

Available

Onboard a real cluster, free

Bind a workload and watch a pod decrypt its secret in RAM — the edge never sees plaintext. End-to-end round-trip is proven on a real Kubernetes cluster (HPKE-X25519), not slideware.

Self-serve: create an organization in Portal, add a domain, and bind workloads — no engineering hand-holding required. SLA is included by plan (see tiers below). The pod-side clients are open source: github.com/astis-io/astis-sdk.

How it works
Founding customer pricing

List prices will rise as certifications and reference deployments land. Founding customers keep their rate.

Platform entry

Workload Team

Entry for platform teams running secrets in Kubernetes

$18,000/ per year
  • Sized for up to ~50 workload identities · 2 clusters
  • Zero-knowledge edge — backend never sees plaintext
  • Four-layer workload attestation (incl. image digest)
  • Standard SLA
  • Community support
  • Upgrade to Business anytime — remaining full months credited
Request access
Sales-light

Workload Business

Production fleets with audit and SLA

$60,000/ per year
  • Sized for up to ~250 workload identities · multi-cluster
  • 99.9% SLA
  • Audit export (1-year retention)
  • Business support hours
  • Onboarding + cluster integration
Request access
Sales-led

Workload Enterprise

HYOK and large regulated fleets

From $120k/ per year
  • HYOK — org key never leaves your infrastructure
  • Named Customer Success Manager
  • Custom DPA / MSA contracts
  • Region pinning, dedicated onboarding
  • Security review on request
  • $25k one-time setup
Talk to sales

Why pay when Vault and Sealed Secrets are free? The free OSS stack leaves usable plaintext sitting in your cluster — Secrets, env vars, pod files. The license buys a different failure mode: a leaked backup, an over-scoped RBAC read, or a compromised node exposes ciphertext and the secrets of that node's services — not the whole cluster. See the row-by-row comparison.

All tiers are annual prepaid. Tiers gate scale, SLA, and key custody — not per-secret or per-call counts. Sizing bands count bound workload identities across all environments — prod, staging, and dev get the same boundary, so we don’t meter them apart. The count is visible in Portal and it sizes the license, it is not a billing meter: no overage charges, no cutoff. Run over the band temporarily and nothing changes. Sustained growth beyond the band means the next tier — move up mid-term with the remaining full months of your current plan credited, or step up at renewal.

ASTIS Workload Secrets is available and self-serve in Portal. SLA is set by plan; the pod-side SDKs and cluster examples are open source on GitHub (astis-io). Current list prices are founding-customer rates and will increase for new customers as the platform matures; existing customers are honored under their agreement. See Terms for details.

Why this differs from a secrets manager

Tools that hand secrets to your pods decrypt them on a central gateway or hold plaintext in a backend. ASTIS does neither: the pod unwraps in RAM and the edge stays zero-knowledge. A stolen API key or ServiceAccount token alone cannot unwrap — it is one of four required attestation layers.

Read the architecture

Already running the API Platform? Workload Secrets rides the same scoped-key access plane — the API key is the credential, the Workload KEK + attestation are the product. Buy them together as the Developer Platform.

See all pricing