Introducing Immutability

Secrets-Oriented Workflows and Infrastructure

Immutability is developing a set of tools and protocols to curate and provision credentials, access controls and secrets-oriented infrastructure.

Managing fine-grained access controls and the provisioning of application credentials at scale has always been fraught with complexities. Add to that the compliance challenges of operating in a regulated environment and the operational constraints of heterogeneous environments (cloud and on-prem) and things get harder. And now we have blockchain...


The Primacy of Secrets-Oriented Infrastructure and Workflows

The use of secrets underlies all of information technology - both legacy and modern. Strangely enough, the workflows for managing secrets and their access controls have rarely been effectively automated in CI/CD systems. They have often been treated as ad hoc and exceptional processes with piecemeal automation.

We at Immutability believe that secrets-oriented workflows and infrastructure should be treated as first-class citizens in any automation landscape. So we have developed an innovative as-code approach to automating the entire lifecycle of secrets, access controls and the infrastructure that supports them.

Workflows, access controls and infrastructure all require governance. At the heart of our model is a curation mechanism that incentivizes quality code committers and disincentivizes deployments that don't reflect the values of stakeholders.


The Immutability Model

The main tenets of our approach

Automation is Key

Requests for access are scanned for correctness and then automatically applied. Secure introduction is automated. Renewals and rotations are automated. Even the process of moving from cold storage is automated.

It's Just Git

Want a new policy? Submit a pull request. Want a new secret? Submit a pull request. Want your infrastructure to scale differently? Submit a pull request. Everything is versioned, audited, linted and analyzed in a familiar Git-Ops flow.


Policy is code. Infrastructure is code. Governance mechanisms are code. Workflows are code. Because everything is code, the intent of any action regarding the lifecycle, access and distribution of secrets is knowable.


Every secret is encrypted at rest and in transit. Cryptographic keys never leave secure enclaves. Access is through short-lived tokens using fine-grained access controls. Credentials are rotated frequently. Revocation workflows are automated so as to maintain availability.

Risk is Transparent

If a secret provides access to a valuable resource, this is clearly visible in code. If a policy allowing access to that secret is risky, the curation mechanism will make that apparent.

Ownership is Paramount

Every secret is correlated to the owner(s) of the resource it is connected to. Resource owners preside over the process - they approve or reject access. Risk can be assumed at the discretion of stakeholders.

How Can Immutability Help?

While we are developing our products, we can offer:

Expert Advice

The Immutability team has years of experience designing, securing and operating enterprise-class systems at scale.

Custom Builds

The team maintains several OSS projects including HashiCorp Vault and Terraform plugins, Ethereum and Bitcoin wallets, and static security analysis of AWS infrastructure.


The League of Immutable Gentlepeople is an open community that exists to share experiences, advice and code. Connect with us.

We need immutability to coordinate at a distance and we can afford immutability as storage gets cheaper...

Immutability Changes Everything

Pat Helland, CIDR 2015

Code and Commentary

Projects, talks and articles by the team

Blockchain as a Composable Security Context

Blockchain is a composable security context that can be leveraged today to build trust and transparency among all the counterparties to the software delivery process.

Vault as a Platform for Enterprise Blockchain

This talk and live demo will show how Vault and its plugin architecture provide a framework to build blockchain wallets for the enterprise.

Using Vault to Build an Ethereum Wallet

An Ethereum Wallet is a gateway to decentralized applications on the Ethereum blockchain. It allows you to hold and secure ether and other crypto-assets built on Ethereum, as well as deploy and use smart contracts. This blog will look at how the two can work seamlessly together.


Cesar Rodriguez's collection of security and best-practice tests for static code analysis of Terraform templates.

Apigee Terraform Provider

Adam McNeely's plugin allows Terraform deployments and management of Apigee API proxies, deployments, products, companies, developers, apps, and target servers.

Vault Ethereum Plugin

A plugin that turns Vault into an Ethereum wallet.

Vault Bitcoin Plugin

A plugin that turns Vault into a Bitcoin wallet.

Vault Trustee Plugin

A Vault plugin that solves for trust in a decentralized way.

Authenticate to Vault with a JWT

A Vault plugin that can perform password grants, refresh token grants or access token grants.

Thoughts on Governance

Effective governance requires feedback: listen, respond and let go.

Meet The Team

The League of Immutable Gentlepeople

Jeff Ploughman - CEO/Engineer
Matt Callens - CTO/Engineer
Chad Kellerman - Contributor
Juan Martinez - Contributor
Cesar Rodriguez - Contributor
Scott Hall - Consigliere
Dale Shin - Contributor
Sean Gahagan - Contributor
Taylor Becker - Contributor
Dan Kim - Contributor
Jeremy Peggins - Contributor
Sunil Sharda - Contributor
Patrick Quest - Contributor
Yakov Shafranovich - Contributor
Travis Grammer - Contributor

Please Reach Out

We would love to hear from you