diff --git a/apps/api/src/pkg/cache/index.ts b/apps/api/src/pkg/cache/index.ts
index cc000ba56..515c06ee7 100644
--- a/apps/api/src/pkg/cache/index.ts
+++ b/apps/api/src/pkg/cache/index.ts
@@ -71,6 +71,7 @@ export function initCache(c: Context<HonoEnv>, metrics: Metrics): C<CacheNamespa
       c.executionCtx,
       defaultOpts,
     ),
+    encryptedMeta: new Namespace<CacheNamespaces["encryptedMeta"]>(c.executionCtx, defaultOpts),
   });
 }
 
diff --git a/apps/api/src/pkg/cache/namespaces.ts b/apps/api/src/pkg/cache/namespaces.ts
index dd750aa25..b5fe0713b 100644
--- a/apps/api/src/pkg/cache/namespaces.ts
+++ b/apps/api/src/pkg/cache/namespaces.ts
@@ -64,6 +64,7 @@ export type CacheNamespaces = {
     total: number;
   };
   identityByExternalId: Identity | null;
+  encryptedMeta: string | null;
 };
 
 export type CacheNamespace = keyof CacheNamespaces;
diff --git a/apps/api/src/routes/v1_keys_createKey.ts b/apps/api/src/routes/v1_keys_createKey.ts
index 006feb7ca..5acaee614 100644
--- a/apps/api/src/routes/v1_keys_createKey.ts
+++ b/apps/api/src/routes/v1_keys_createKey.ts
@@ -74,6 +74,17 @@ When validating a key, we will return this back to you, so you can clearly ident
                   trialEnds: "2023-06-16T17:16:37.161Z",
                 },
               }),
+            encryptedMeta: z
+              .record(z.unknown())
+              .optional()
+              .openapi({
+                description:
+                  "This is a place for encrypted meta data, anything that feels useful for you should go here",
+                example: {
+                  billingTier: "PRO",
+                  trialEnds: "2023-06-16T17:16:37.161Z",
+                },
+              }),
             roles: z
               .array(z.string().min(1).max(512))
               .optional()
@@ -336,6 +347,56 @@ export const registerV1KeysCreateKey = (app: App) =>
         byteLength: req.byteLength ?? 16,
         prefix: req.prefix,
       }).toString();
+      let metaSecret = req.encryptedMeta ? JSON.stringify(req.encryptedMeta) : null;
+
+      if (metaSecret) {
+        const perm = rbac.evaluatePermissions(
+          buildUnkeyQuery(({ or }) => or("*", "api.*.encrypt_meta", `api.${api.id}.encrypt_meta`)),
+          auth.permissions,
+        );
+
+        if (perm.err) {
+          throw new UnkeyApiError({
+            code: "INTERNAL_SERVER_ERROR",
+            message: `unable to evaluate permissions: ${perm.err.message}`,
+          });
+        }
+
+        if (!perm.val.valid) {
+          throw new UnkeyApiError({
+            code: "INSUFFICIENT_PERMISSIONS",
+            message: `insufficient permissions to encrypt metadata: ${perm.val.message}`,
+          });
+        }
+
+        if (metaSecret) {
+          const encryptedMeta = await retry(
+            3,
+            async () => {
+              return await vault.encrypt(c, {
+                keyring: authorizedWorkspaceId,
+                data: metaSecret as string,
+              });
+            },
+            (attempt, err) =>
+              logger.warn("vault.encrypt failed", {
+                attempt,
+                err: err.message,
+              }),
+          );
+
+          metaSecret = encryptedMeta.encrypted;
+          await db.primary.insert(schema.secrets).values({
+            id: newId("secret"),
+            workspaceId: authorizedWorkspaceId,
+            encrypted: encryptedMeta.encrypted,
+            // Using newId here because the id returned by the vault i.e. encryptionKeyId is a data agnostic id.
+            // So its going to give errors if we the encrypted Metadata is not unique.
+            encryptionKeyId: newId("enryptedMeta"),
+          });
+        }
+      }
+
       const start = secret.slice(0, (req.prefix?.length ?? 0) + 5);
       const kId = newId("key");
       const hash = await sha256(secret.toString());
@@ -347,6 +408,7 @@ export const registerV1KeysCreateKey = (app: App) =>
         start,
         ownerId: externalId,
         meta: req.meta ? JSON.stringify(req.meta) : null,
+        encryptedMeta: metaSecret ? metaSecret : null,
         workspaceId: authorizedWorkspaceId,
         forWorkspaceId: null,
         expires: req.expires ? new Date(req.expires) : null,
diff --git a/apps/api/src/routes/v1_keys_verifyKey.test.ts b/apps/api/src/routes/v1_keys_verifyKey.test.ts
index d97e9d195..74982206a 100644
--- a/apps/api/src/routes/v1_keys_verifyKey.test.ts
+++ b/apps/api/src/routes/v1_keys_verifyKey.test.ts
@@ -132,6 +132,7 @@ describe("with temporary key", () => {
         expires: now,
         environment: "prod",
         meta: JSON.stringify({ hello: "world" }),
+        encryptedMeta: JSON.stringify({ encrypted: "data" }),
       };
 
       await h.db.primary.insert(schema.keys).values(key);
@@ -163,6 +164,7 @@ describe("with temporary key", () => {
       expect(res.body.valid).toBe(false);
       expect(res.body.code).toBe("EXPIRED");
       expect(res.body.meta).toMatchObject({ hello: "world" });
+      expect(res.body.encryptedMeta).toMatchObject({ encrypted: "data" });
       expect(res.body.expires).toBe(key.expires.getTime());
       expect(res.body.environment).toBe(key.environment);
       expect(res.body.name).toBe(key.name);
@@ -189,6 +191,9 @@ describe("with metadata", () => {
         meta: JSON.stringify({
           disabledReason: "cause I can",
         }),
+        encryptedMeta: JSON.stringify({
+          disabledReason: "cause I can",
+        }),
         enabled: false,
       });
 
@@ -205,6 +210,7 @@ describe("with metadata", () => {
       expect(res.status, `expected 200, received: ${JSON.stringify(res, null, 2)}`).toBe(200);
       expect(res.body.valid).toBe(false);
       expect(res.body.meta).toMatchObject({ disabledReason: "cause I can" });
+      expect(res.body.encryptedMeta).toMatchObject({ disabledReason: "cause I can" });
     },
     { timeout: 20000 },
   );
@@ -266,6 +272,9 @@ describe("with identity", () => {
         meta: {
           hello: "world",
         },
+        encryptedMeta: {
+          encrypted: "data",
+        },
       };
       await h.db.primary.insert(schema.identities).values(identity);
 
diff --git a/apps/api/src/routes/v1_keys_verifyKey.ts b/apps/api/src/routes/v1_keys_verifyKey.ts
index 5cd232b3d..a438555f6 100644
--- a/apps/api/src/routes/v1_keys_verifyKey.ts
+++ b/apps/api/src/routes/v1_keys_verifyKey.ts
@@ -1,9 +1,11 @@
+import { rootKeyAuth } from "@/pkg/auth/root_key";
 import { UnkeyApiError, openApiErrorResponses } from "@/pkg/errors";
 import type { App } from "@/pkg/hono/app";
 import { DisabledWorkspaceError, MissingRatelimitError } from "@/pkg/keys/service";
+import { retry } from "@/pkg/util/retry";
 import { createRoute, z } from "@hono/zod-openapi";
 import { SchemaError } from "@unkey/error";
-import { permissionQuerySchema } from "@unkey/rbac";
+import { buildUnkeyQuery, permissionQuerySchema } from "@unkey/rbac";
 
 const route = createRoute({
   tags: ["keys"],
@@ -176,6 +178,17 @@ A key could be invalid for a number of reasons, for example if it has expired, h
                     stripeCustomerId: "cus_1234",
                   },
                 }),
+              encryptedMeta: z
+                .record(z.unknown())
+                .optional()
+                .openapi({
+                  description:
+                    "Encrypted metadata that might contain secrets that you want to store with the key",
+                  example: {
+                    roles: ["admin", "user"],
+                    stripeCustomerId: "cus_1234",
+                  },
+                }),
               expires: z.number().int().optional().openapi({
                 description:
                   "The unix timestamp in milliseconds when the key will expire. If this field is null or undefined, the key is not expiring.",
@@ -286,8 +299,7 @@ export type V1KeysVerifyKeyResponse = z.infer<
 export const registerV1KeysVerifyKey = (app: App) =>
   app.openapi(route, async (c) => {
     const req = c.req.valid("json");
-    const { keyService, analytics } = c.get("services");
-
+    const { keyService, analytics, vault, cache } = c.get("services");
     const { val, err } = await keyService.verifyKey(c, {
       key: req.key,
       apiId: req.apiId,
@@ -327,12 +339,45 @@ export const registerV1KeysVerifyKey = (app: App) =>
       });
     }
 
+    let metaSecret: string | undefined | null;
+    if (val.key.encryptedMeta) {
+      try {
+        await rootKeyAuth(
+          c,
+          buildUnkeyQuery(({ or }) =>
+            or("*", "api.*.decrypt_meta", `api.${val.api.id}.decrypt_meta`),
+          ),
+        );
+        const { val: vaultRes } = await cache.encryptedMeta.swr(
+          val.key.encryptedMeta!,
+          async () => {
+            const encryptedMeta =
+              typeof val.key.encryptedMeta === "string"
+                ? val.key.encryptedMeta
+                : JSON.stringify(val.key.encryptedMeta);
+
+            const decryptRes = await retry(3, () =>
+              vault.decrypt(c, {
+                keyring: val.key.workspaceId,
+                encrypted: encryptedMeta,
+              }),
+            );
+            return decryptRes.plaintext;
+          },
+        );
+        metaSecret = vaultRes;
+      } catch {
+        metaSecret = undefined;
+      }
+    }
+
     const responseBody = {
       keyId: val.key?.id,
       valid: val.valid,
       name: val.key?.name ?? undefined,
       ownerId: val.key?.ownerId ?? undefined,
       meta: val.key?.meta ? JSON.parse(val.key?.meta) : undefined,
+      encryptedMeta: metaSecret ? JSON.parse(metaSecret) : undefined,
       expires: val.key?.expires?.getTime(),
       remaining: val.remaining ?? undefined,
       ratelimit: val.ratelimit ?? undefined,
diff --git a/apps/api/src/routes/v1_migrations_createKey.ts b/apps/api/src/routes/v1_migrations_createKey.ts
index bd8a201f8..8af989d7f 100644
--- a/apps/api/src/routes/v1_migrations_createKey.ts
+++ b/apps/api/src/routes/v1_migrations_createKey.ts
@@ -85,6 +85,17 @@ When validating a key, we will return this back to you, so you can clearly ident
                       trialEnds: "2023-06-16T17:16:37.161Z",
                     },
                   }),
+                encryptedMeta: z
+                  .record(z.unknown())
+                  .optional()
+                  .openapi({
+                    description:
+                      "This is a place for dynamic encrypted meta data, anything that feels useful for you should go here",
+                    example: {
+                      billingTier: "PRO",
+                      trialEnds: "2023-06-16T17:16:37.161Z",
+                    },
+                  }),
                 roles: z
                   .array(z.string().min(1).max(512))
                   .optional()
@@ -402,6 +413,7 @@ export const registerV1MigrationsCreateKeys = (app: App) =>
           ownerId: key.ownerId ?? null,
           identityId: null,
           meta: key.meta ? JSON.stringify(key.meta) : null,
+          encryptedMeta: key.encryptedMeta ? JSON.stringify(key.encryptedMeta) : null,
           workspaceId: authorizedWorkspaceId,
           forWorkspaceId: null,
           expires: key.expires ? new Date(key.expires) : null,
diff --git a/apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/client.tsx b/apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/client.tsx
index 6e4af59ef..fe710d71e 100644
--- a/apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/client.tsx
+++ b/apps/dashboard/app/(app)/apis/[apiId]/keys/[keyAuthId]/new/client.tsx
@@ -78,6 +78,23 @@ const formSchema = z.object({
       },
     )
     .optional(),
+  encryptMetaEnabled: z.boolean().default(false),
+  encryptMeta: z
+    .string()
+    .refine(
+      (s) => {
+        try {
+          JSON.parse(s);
+          return true;
+        } catch {
+          return false;
+        }
+      },
+      {
+        message: "Must be valid json",
+      },
+    )
+    .optional(),
   limitEnabled: z.boolean().default(false),
   limit: z
     .object({
@@ -163,6 +180,7 @@ export const CreateKey: React.FC<Props> = ({ apiId, keyAuthId }) => {
       expireEnabled: false,
       limitEnabled: false,
       metaEnabled: false,
+      encryptMetaEnabled: false,
       ratelimitEnabled: false,
     },
   });
@@ -189,6 +207,9 @@ export const CreateKey: React.FC<Props> = ({ apiId, keyAuthId }) => {
     if (!values.metaEnabled) {
       delete values.meta;
     }
+    if (!values.encryptMetaEnabled) {
+      delete values.encryptMeta;
+    }
     if (!values.limitEnabled) {
       delete values.limit;
     }
@@ -200,6 +221,7 @@ export const CreateKey: React.FC<Props> = ({ apiId, keyAuthId }) => {
       keyAuthId,
       ...values,
       meta: values.meta ? JSON.parse(values.meta) : undefined,
+      encryptedMeta: values.encryptMeta ? JSON.parse(values.encryptMeta) : undefined,
       expires: values.expires?.getTime() ?? undefined,
       ownerId: values.ownerId ?? undefined,
       remaining: values.limit?.remaining ?? undefined,
@@ -292,6 +314,7 @@ export const CreateKey: React.FC<Props> = ({ apiId, keyAuthId }) => {
                 form.setValue("expireEnabled", false);
                 form.setValue("ratelimitEnabled", false);
                 form.setValue("metaEnabled", false);
+                form.setValue("encryptMetaEnabled", false);
                 form.setValue("limitEnabled", false);
                 router.refresh();
               }}
@@ -806,7 +829,100 @@ export const CreateKey: React.FC<Props> = ({ apiId, keyAuthId }) => {
                         ) : null}
                       </CardContent>
                     </Card>
+                    <Card>
+                      <CardContent className="justify-between w-full p-4 item-center">
+                        <div className="flex items-center justify-between w-full">
+                          <span>Encrypted Metadata</span>
+
+                          <FormField
+                            control={form.control}
+                            name="encryptMetaEnabled"
+                            render={({ field }) => (
+                              <FormItem>
+                                <FormLabel className="sr-only">Metadata</FormLabel>
+                                <FormControl>
+                                  <Switch
+                                    onCheckedChange={(e) => {
+                                      field.onChange(e);
+                                      if (field.value === false) {
+                                        resetLimited();
+                                      }
+                                    }}
+                                  />
+                                </FormControl>
+                              </FormItem>
+                            )}
+                          />
+                        </div>
+
+                        {form.watch("encryptMetaEnabled") ? (
+                          <>
+                            <p className="text-xs text-content-subtle">
+                              Encrypt sensitive data before associating it with this key to store it
+                              securely. Whenever you verify this key with the decrypt metadata
+                              permissions, the encrypted metadata will be returned to you securely,
+                              ensuring confidentiality. Enter custom encrypted metadata as a JSON
+                              object.
+                            </p>
 
+                            <div className="flex flex-col gap-4 mt-4">
+                              <FormField
+                                control={form.control}
+                                name="encryptMeta"
+                                render={({ field }) => (
+                                  <FormItem>
+                                    <FormControl>
+                                      <Textarea
+                                        disabled={!form.watch("encryptMetaEnabled")}
+                                        className="m-4 mx-auto border rounded-md shadow-sm"
+                                        rows={7}
+                                        placeholder={`{"STRIPE_API_KEY" : "sk_test123"}`}
+                                        {...field}
+                                        value={
+                                          form.getValues("encryptMetaEnabled")
+                                            ? field.value
+                                            : undefined
+                                        }
+                                      />
+                                    </FormControl>
+                                    <FormDescription>
+                                      Enter custom metadata as a JSON object.
+                                    </FormDescription>
+                                    <FormMessage />
+                                    <Button
+                                      variant="secondary"
+                                      type="button"
+                                      onClick={(_e) => {
+                                        try {
+                                          if (field.value) {
+                                            const parsed = JSON.parse(field.value);
+                                            field.onChange(JSON.stringify(parsed, null, 2));
+                                            form.clearErrors("encryptMeta");
+                                          }
+                                        } catch (_e) {
+                                          form.setError("encryptMeta", {
+                                            type: "manual",
+                                            message: "Invalid JSON",
+                                          });
+                                        }
+                                      }}
+                                      value={field.value}
+                                    >
+                                      Format Json
+                                    </Button>
+                                  </FormItem>
+                                )}
+                              />
+                            </div>
+                            {form.formState.errors.ratelimit && (
+                              <p className="text-xs text-center text-content-alert">
+                                {form.formState.errors.ratelimit.message}
+                              </p>
+                            )}
+                          </>
+                        ) : null}
+                      </CardContent>
+                    </Card>
                     <div className="w-full">
                       <Button
                         className="w-full"
diff --git a/apps/dashboard/app/(app)/secrets/secrets.tsx b/apps/dashboard/app/(app)/secrets/secrets.tsx
index 8aeac725f..51798e158 100644
--- a/apps/dashboard/app/(app)/secrets/secrets.tsx
+++ b/apps/dashboard/app/(app)/secrets/secrets.tsx
@@ -72,8 +72,8 @@ const Row: React.FC<{ secret: Secret }> = ({ secret }) => {
     mode: "all",
     shouldFocusError: true,
     defaultValues: {
-      name: secret.name,
-      comment: secret.comment ?? "",
+      // name: secret.name,
+      // comment: secret.comment ?? "",
     },
   });
 
@@ -118,7 +118,7 @@ const Row: React.FC<{ secret: Secret }> = ({ secret }) => {
     >
       <div className="grid items-center grid-cols-12 ">
         <div className="flex flex-col items-start col-span-5">
-          <span className="text-sm text-content">{secret.name}</span>
+          <span className="text-sm text-content">{/* {secret.name} */}</span>
           <pre className="text-xs text-content-subtle">{secret.id}</pre>
         </div>
 
diff --git a/apps/dashboard/app/(app)/settings/root-keys/[keyId]/permissions/permissions.ts b/apps/dashboard/app/(app)/settings/root-keys/[keyId]/permissions/permissions.ts
index 7f0e049bd..496b1d687 100644
--- a/apps/dashboard/app/(app)/settings/root-keys/[keyId]/permissions/permissions.ts
+++ b/apps/dashboard/app/(app)/settings/root-keys/[keyId]/permissions/permissions.ts
@@ -51,6 +51,14 @@ export const workspacePermissions = {
       description: "Decrypt keys in this workspace",
       permission: "api.*.decrypt_key",
     },
+    encrypt_meta: {
+      description: "Encrypt metadata associated with the keys in this workspace",
+      permission: "api.*.encrypt_meta",
+    },
+    decrypt_meta: {
+      description: "Decrypt metadata associated with the keys in this workspace",
+      permission: "api.*.decrypt_meta",
+    },
   },
   Ratelimit: {
     create_namespace: {
@@ -178,6 +186,14 @@ export function apiPermissions(apiId: string): { [category: string]: UnkeyPermis
         description: "Decrypt keys belonging to this API",
         permission: `api.${apiId}.decrypt_key`,
       },
+      encrypt_meta: {
+        description: "Encrypt metadata associated with the keys of this API",
+        permission: `api.${apiId}.encrypt_meta`,
+      },
+      decrypt_meta: {
+        description: "Decrypt metadata associated with the keys of this API",
+        permission: `api.${apiId}.decrypt_meta`,
+      },
     },
   };
 }
diff --git a/apps/dashboard/lib/trpc/routers/key/create.ts b/apps/dashboard/lib/trpc/routers/key/create.ts
index fd1b4b0be..c5d3c84cb 100644
--- a/apps/dashboard/lib/trpc/routers/key/create.ts
+++ b/apps/dashboard/lib/trpc/routers/key/create.ts
@@ -1,8 +1,10 @@
 import { db, schema } from "@/lib/db";
+import { env } from "@/lib/env";
 import { ingestAuditLogs } from "@/lib/tinybird";
 import { TRPCError } from "@trpc/server";
 import { newId } from "@unkey/id";
 import { newKey } from "@unkey/keys";
+import { type EncryptRequest, type RequestContext, Vault } from "@unkey/vault";
 import { z } from "zod";
 import { auth, t } from "../../trpc";
 
@@ -15,6 +17,7 @@ export const createKey = t.procedure
       keyAuthId: z.string(),
       ownerId: z.string().nullish(),
       meta: z.record(z.unknown()).optional(),
+      encryptedMeta: z.record(z.unknown()).optional(),
       remaining: z.number().int().positive().optional(),
       refill: z
         .object({
@@ -61,13 +64,42 @@ export const createKey = t.procedure
           "We are unable to find the correct keyAuth. Please contact support using support@unkey.dev",
       });
     }
-
     const keyId = newId("key");
     const { key, hash, start } = await newKey({
       prefix: input.prefix,
       byteLength: input.bytes,
     });
+    const vault = new Vault(env().AGENT_URL, env().AGENT_TOKEN);
 
+    let metaSecret: string | undefined | null;
+    if (input.encryptedMeta) {
+      const encryptReq: EncryptRequest = {
+        keyring: workspace.id,
+        data: JSON.stringify(input.encryptedMeta),
+      };
+      const requestId = crypto.randomUUID();
+      const context: RequestContext = { requestId };
+      const encryptRes = await vault.encrypt(context, encryptReq);
+      metaSecret = encryptRes.encrypted;
+      await db
+        .insert(schema.secrets)
+        .values({
+          id: newId("secret"),
+          workspaceId: workspace.id,
+          encrypted: encryptRes.encrypted,
+          // Using newId here because the id returned by the vault i.e. encryptionKeyId is a data agnostic id.
+          // So its going to give errors if we the encrypted Metadata is not unique.
+          encryptionKeyId: newId("enryptedMeta"),
+        })
+        .catch((_err) => {
+          console.error(_err);
+          throw new TRPCError({
+            code: "INTERNAL_SERVER_ERROR",
+            message:
+              "We are unable to store the Encrypted Metadata. Please contact support using support@unkey.dev",
+          });
+        });
+    }
     await db
       .insert(schema.keys)
       .values({
@@ -78,6 +110,7 @@ export const createKey = t.procedure
         start,
         ownerId: input.ownerId,
         meta: JSON.stringify(input.meta ?? {}),
+        encryptedMeta: metaSecret,
         workspaceId: workspace.id,
         forWorkspaceId: null,
         expires: input.expires ? new Date(input.expires) : null,
@@ -97,7 +130,7 @@ export const createKey = t.procedure
         throw new TRPCError({
           code: "INTERNAL_SERVER_ERROR",
           message:
-            "We are unable to create the key. Please contact support using support.unkey.dev",
+            "We are unable to create the key. Please contact support using support@unkey.dev",
         });
       });
 
diff --git a/apps/dashboard/lib/trpc/routers/secrets/update.ts b/apps/dashboard/lib/trpc/routers/secrets/update.ts
index d0bf065a6..55f76ea3f 100644
--- a/apps/dashboard/lib/trpc/routers/secrets/update.ts
+++ b/apps/dashboard/lib/trpc/routers/secrets/update.ts
@@ -42,9 +42,9 @@ export const updateSecret = t.procedure
     }
 
     const update: Partial<Secret> = {};
-    if (typeof input.name !== "undefined") {
-      update.name = input.name;
-    }
+    // if (typeof input.name !== "undefined") {
+    //   update.name = input.name;
+    // }
 
     if (typeof input.value !== "undefined") {
       // const vault = connectVault();
@@ -56,25 +56,25 @@ export const updateSecret = t.procedure
       // update.encryptionKeyId = encrypted.keyId;
     }
 
-    if (typeof input.comment !== "undefined") {
-      update.comment = input.comment;
-    }
+    // if (typeof input.comment !== "undefined") {
+    //   update.comment = input.comment;
+    // }
 
     if (Object.keys(update).length === 0) {
       throw new TRPCError({ code: "PRECONDITION_FAILED", message: "No change detected" });
     }
 
-    await db
-      .update(schema.secrets)
-      .set(update)
-      .where(eq(schema.secrets.id, secret.id))
-      .catch((_err) => {
-        throw new TRPCError({
-          code: "INTERNAL_SERVER_ERROR",
-          message:
-            "We are unable to update the secret. Please contact support using support@unkey.dev.",
-        });
-      });
+    // await db
+    //   .update(schema.secrets)
+    //   .set(update)
+    //   .where(eq(schema.secrets.id, secret.id))
+    //   .catch((_err) => {
+    //     throw new TRPCError({
+    //       code: "INTERNAL_SERVER_ERROR",
+    //       message:
+    //         "We are unable to update the secret. Please contact support using support@unkey.dev.",
+    //     });
+    //   });
     await ingestAuditLogs({
       workspaceId: ws.id,
       actor: {
diff --git a/apps/dashboard/package.json b/apps/dashboard/package.json
index cad9be83f..954d8db89 100644
--- a/apps/dashboard/package.json
+++ b/apps/dashboard/package.json
@@ -53,6 +53,7 @@
     "@unkey/rbac": "workspace:^",
     "@unkey/resend": "workspace:^",
     "@unkey/schema": "workspace:^",
+    "@unkey/vault": "workspace:^",
     "@unkey/vercel": "workspace:^",
     "@upstash/ratelimit": "^2.0.1",
     "@upstash/redis": "^1.31.3",
diff --git a/internal/db/src/schema/keys.ts b/internal/db/src/schema/keys.ts
index 5eeb701f6..f0709f861 100644
--- a/internal/db/src/schema/keys.ts
+++ b/internal/db/src/schema/keys.ts
@@ -48,6 +48,7 @@ export const keys = mysqlTable(
     ownerId: varchar("owner_id", { length: 256 }),
     identityId: varchar("identity_id", { length: 256 }),
     meta: text("meta"),
+    encryptedMeta: text("encryptedMeta"),
     createdAt: datetime("created_at", { fsp: 3 }).notNull(), // unix milli
     expires: datetime("expires", { fsp: 3 }), // unix milli,
     ...lifecycleDatesMigration,
diff --git a/internal/db/src/schema/secrets.ts b/internal/db/src/schema/secrets.ts
index ba407ebc1..429979316 100644
--- a/internal/db/src/schema/secrets.ts
+++ b/internal/db/src/schema/secrets.ts
@@ -1,28 +1,15 @@
 import { relations } from "drizzle-orm";
-import { mysqlTable, uniqueIndex, varchar } from "drizzle-orm/mysql-core";
+import { mysqlTable, varchar } from "drizzle-orm/mysql-core";
 import { embeddedEncrypted } from "./util/embedded_encrypted";
-import { lifecycleDates } from "./util/lifecycle_dates";
 import { workspaces } from "./workspaces";
 
-export const secrets = mysqlTable(
-  "secrets",
-  {
-    id: varchar("id", { length: 256 }).primaryKey(),
-    name: varchar("name", { length: 256 }).notNull(),
-    workspaceId: varchar("workspace_id", { length: 256 })
-      .notNull()
-      .references(() => workspaces.id, { onDelete: "cascade" }),
-    ...embeddedEncrypted,
-    ...lifecycleDates,
-    comment: varchar("comment", { length: 256 }),
-  },
-  (table) => ({
-    uniqueNamePerWorkspace: uniqueIndex("unique_workspace_id_name_idx").on(
-      table.workspaceId,
-      table.name,
-    ),
-  }),
-);
+export const secrets = mysqlTable("secrets", {
+  id: varchar("id", { length: 256 }).primaryKey(),
+  workspaceId: varchar("workspace_id", { length: 256 })
+    .notNull()
+    .references(() => workspaces.id, { onDelete: "cascade" }),
+  ...embeddedEncrypted,
+});
 
 export const secretsRelations = relations(secrets, ({ one }) => ({
   workspace: one(workspaces, {
diff --git a/internal/id/src/generate.ts b/internal/id/src/generate.ts
index c79764b44..411106331 100644
--- a/internal/id/src/generate.ts
+++ b/internal/id/src/generate.ts
@@ -9,6 +9,7 @@ const prefixes = {
   request: "req",
   workspace: "ws",
   keyAuth: "ks", // keyspace
+  enryptedMeta: "encryptedMmeta",
   vercelBinding: "vb",
   role: "role",
   test: "test", // for tests only
diff --git a/internal/vault/package.json b/internal/vault/package.json
new file mode 100644
index 000000000..6ae38d585
--- /dev/null
+++ b/internal/vault/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "@unkey/vault",
+  "version": "1.0.0",
+  "description": "",
+  "main": "src/index.ts",
+  "types": "src/index.ts",
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "devDependencies": {
+    "@types/node": "^20.14.9",
+    "@unkey/tsconfig": "workspace:*",
+    "typescript": "^5.5.3"
+  }
+}
diff --git a/internal/vault/src/index.ts b/internal/vault/src/index.ts
new file mode 100644
index 000000000..e93b2f0d5
--- /dev/null
+++ b/internal/vault/src/index.ts
@@ -0,0 +1,101 @@
+export type EncryptRequest = {
+  keyring: string;
+  data: string;
+};
+
+export type EncryptResponse = {
+  encrypted: string;
+  keyId: string;
+};
+
+export type EncryptBulkRequest = {
+  keyring: string;
+  data: string[];
+};
+
+export type EncryptBulkResponse = {
+  encrypted: EncryptResponse[];
+};
+
+export type DecryptRequest = {
+  keyring: string;
+  encrypted: string;
+};
+
+export type DecryptResponse = {
+  plaintext: string;
+};
+
+export type RequestContext = {
+  requestId: string;
+};
+
+export class Vault {
+  private readonly baseUrl: string;
+  private readonly token: string;
+
+  constructor(baseUrl: string, token: string) {
+    this.baseUrl = baseUrl;
+    this.token = token;
+  }
+
+  public async encrypt(c: RequestContext, req: EncryptRequest): Promise<EncryptResponse> {
+    const url = `${this.baseUrl}/vault.v1.VaultService/Encrypt`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.token}`,
+        "Unkey-Request-Id": c.requestId,
+      },
+      body: JSON.stringify(req),
+    });
+
+    if (!res.ok) {
+      throw new Error(`Unable to encrypt, fetch error: ${await res.text()}`);
+    }
+
+    return res.json();
+  }
+
+  public async encryptBulk(
+    c: RequestContext,
+    req: EncryptBulkRequest,
+  ): Promise<EncryptBulkResponse> {
+    const url = `${this.baseUrl}/vault.v1.VaultService/EncryptBulk`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.token}`,
+        "Unkey-Request-Id": c.requestId,
+      },
+      body: JSON.stringify(req),
+    });
+
+    if (!res.ok) {
+      throw new Error(`Unable to encryptBulk, fetch error: ${await res.text()}`);
+    }
+
+    return res.json();
+  }
+
+  public async decrypt(c: RequestContext, req: DecryptRequest): Promise<DecryptResponse> {
+    const url = `${this.baseUrl}/vault.v1.VaultService/Decrypt`;
+    const res = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${this.token}`,
+        "Unkey-Request-Id": c.requestId,
+      },
+      body: JSON.stringify(req),
+    });
+
+    if (!res.ok) {
+      throw new Error(`Unable to decrypt, fetch error: ${await res.text()}`);
+    }
+
+    return res.json();
+  }
+}
diff --git a/packages/rbac/src/permissions.ts b/packages/rbac/src/permissions.ts
index 0f7e9b7f0..dbe1f4b0b 100644
--- a/packages/rbac/src/permissions.ts
+++ b/packages/rbac/src/permissions.ts
@@ -38,6 +38,8 @@ export const apiActions = z.enum([
   "encrypt_key",
   "decrypt_key",
   "read_key",
+  "encrypt_meta",
+  "decrypt_meta",
 ]);
 
 export const ratelimitActions = z.enum([