ASTIS Workload Secrets
Kubernetes secrets where infrastructure access does not mean data access.
The pod decrypts its secret in RAM. The ASTIS edge and the secret backend never see plaintext. Annual license — no per-secret or per-call billing.
Onboard a real cluster, free
Bind a workload and watch a pod decrypt its secret in RAM — the edge never sees plaintext. End-to-end round-trip is proven on a real Kubernetes cluster (HPKE-X25519), not slideware.
Self-serve: create an organization in Portal, add a domain, and bind workloads — no engineering hand-holding required. SLA is included by plan (see tiers below). The pod-side clients are open source: github.com/astis-io/astis-sdk.
List prices will rise as certifications and reference deployments land. Founding customers keep their rate.
Workload Team
Entry for platform teams running secrets in Kubernetes
- Sized for up to ~50 workload identities · 2 clusters
- Zero-knowledge edge — backend never sees plaintext
- Four-layer workload attestation (incl. image digest)
- Standard SLA
- Community support
- Upgrade to Business anytime — remaining full months credited
Workload Business
Production fleets with audit and SLA
- Sized for up to ~250 workload identities · multi-cluster
- 99.9% SLA
- Audit export (1-year retention)
- Business support hours
- Onboarding + cluster integration
Workload Enterprise
HYOK and large regulated fleets
- HYOK — org key never leaves your infrastructure
- Named Customer Success Manager
- Custom DPA / MSA contracts
- Region pinning, dedicated onboarding
- Security review on request
- $25k one-time setup
Why pay when Vault and Sealed Secrets are free? The free OSS stack leaves usable plaintext sitting in your cluster — Secrets, env vars, pod files. The license buys a different failure mode: a leaked backup, an over-scoped RBAC read, or a compromised node exposes ciphertext and the secrets of that node's services — not the whole cluster. See the row-by-row comparison.
All tiers are annual prepaid. Tiers gate scale, SLA, and key custody — not per-secret or per-call counts. Sizing bands count bound workload identities across all environments — prod, staging, and dev get the same boundary, so we don’t meter them apart. The count is visible in Portal and it sizes the license, it is not a billing meter: no overage charges, no cutoff. Run over the band temporarily and nothing changes. Sustained growth beyond the band means the next tier — move up mid-term with the remaining full months of your current plan credited, or step up at renewal.
ASTIS Workload Secrets is available and self-serve in Portal. SLA is set by plan; the pod-side SDKs and cluster examples are open source on GitHub (astis-io). Current list prices are founding-customer rates and will increase for new customers as the platform matures; existing customers are honored under their agreement. See Terms for details.
Why this differs from a secrets manager
Tools that hand secrets to your pods decrypt them on a central gateway or hold plaintext in a backend. ASTIS does neither: the pod unwraps in RAM and the edge stays zero-knowledge. A stolen API key or ServiceAccount token alone cannot unwrap — it is one of four required attestation layers.
Already running the API Platform? Workload Secrets rides the same scoped-key access plane — the API key is the credential, the Workload KEK + attestation are the product. Buy them together as the Developer Platform.
See all pricing