A lightweight secrets manager with envelope encryption, transit encryption, API auth, and audit logs.
Secrets is inspired by HashiCorp Vault ❤️, but it is intentionally much simpler and was not designed to compete with Vault.
Warning: While the project is at v0.x.y, it is not yet recommended for production deployment; the API is not yet stable and is subject to many changes. It will only be recommended for production when it reaches v1.0.0.
- Authentication & Authorization: Token-based auth with Argon2id password hashing and capability-based path-matching policies.
- KMS Integration: Native support for Google Cloud KMS, AWS KMS, Azure Key Vault, and HashiCorp Vault.
- Dual Database Support: Compatible with PostgreSQL 12+ and MySQL 8.0+ out of the box.
- Observability: OpenTelemetry metrics with Prometheus-compatible endpoints.
Provides versioned, encrypted storage for your application secrets using envelope encryption. Keep passwords and API keys secure at rest.
Offers Encryption as a Service (EaaS). Encrypt and decrypt data on the fly without storing the payload in the Secrets database.
Format-preserving token generation for sensitive values (e.g., credit cards) with deterministic options and lifecycle management.
Tamper-resistant cryptographic audit logs capture capability checks and access attempts for monitoring and compliance.
Choose your preferred deployment method to get started:
- 🐳 Run with Docker image (recommended): Docker Guide
- 💻 Run locally for development: Local Development Guide
- 📦 Run with pre-compiled binary: Binary Guide
See our detailed guides in the docs/ directory.
MIT. See LICENSE.