keeper
Keeper is a cryptographic secret store for Go. It encrypts arbitrary byte payloads at rest using Argon2id key derivation and XChaCha20-Poly1305 (default) authenticated encryption, and stores them in an embedded bbolt database.
It ships as three things you can use independently:
A Go library — embed a hardened secret store directly in your process, with four security levels, per-bucket DEK isolation, and a tamper-evident audit chain.
An HTTP handler (x/keephandler) — mount keeper endpoints on any net/http mux in one call, with pluggable hooks, guards, and response encoders for access control and audit logging.
A CLI (cmd/keeper) — a terminal interface with a persistent REPL session, no-echo secret entry, and zero shell-history exposure.
Keeper was designed as the foundational secret management layer for the Agbero load balancer but has no dependency on Agbero and works in any Go project.
Security model
Keeper partitions secrets into buckets. Every bucket has an immutable BucketSecurityPolicy that governs how its Data Encryption Key (DEK) is protected. Four levels are available.
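The envelope pattern behind that model, one random DEK per bucket wrapped under a key-encryption key (KEK), with each record's bucket and key name bound in as associated data, is illustrated below in a small self-contained Go store. This is example code written for this page, not keeper's own implementation, and it simplifies two things: it takes the 32-byte KEK as an argument instead of deriving it with Argon2id, and it uses AES-256-GCM from the standard library where keeper defaults to XChaCha20-Poly1305. The names Store, NewStore, CreateBucket, Put and Get, and the AAD layout, are assumptions of the example, as are the sample values in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Store keeps one KEK-wrapped DEK per bucket. keeper derives the KEK with Argon2id
// from a passphrase; this example takes a 32-byte KEK from the caller (assumption).
type Store struct {
	kek     []byte
	wrapped map[string][]byte            // bucket -> nonce||AEAD(KEK, DEK), AAD = bucket
	records map[string]map[string][]byte // bucket -> key -> nonce||AEAD(DEK, value), AAD = bucket/key
}

// NewStore takes the KEK as given; any length other than 32 bytes makes mustGCM panic.
func NewStore(kek []byte) *Store {
	return &Store{kek: kek, wrapped: map[string][]byte{}, records: map[string]map[string][]byte{}}
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // without a CSPRNG there is no safe way to continue
	}
	return b
}

// mustGCM builds AES-256-GCM. keeper defaults to XChaCha20-Poly1305; AES-GCM stands in
// here because it ships in the standard library. Keys are always 32 bytes, so a
// constructor error is a programming bug rather than a runtime condition.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal returns nonce||ciphertext; aad binds the blob to its bucket (and key).
func seal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, wrong aad, missing blob or flipped byte all fail.
func open(key, blob, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext missing or too short")
}

// CreateBucket draws a fresh DEK and persists only its wrapped form. Overwriting an
// existing DEK would orphan every record already in the bucket, so it is refused.
func (s *Store) CreateBucket(name string) error {
	if _, ok := s.wrapped[name]; ok {
		return fmt.Errorf("bucket %q already exists", name)
	}
	s.wrapped[name] = seal(s.kek, randomBytes(32), []byte(name))
	s.records[name] = map[string][]byte{}
	return nil
}

// dek unwraps a bucket's DEK for one operation; an unknown bucket has no wrapped DEK.
func (s *Store) dek(bucket string) ([]byte, error) {
	return open(s.kek, s.wrapped[bucket], []byte(bucket))
}

func (s *Store) Put(bucket, key string, value []byte) error {
	dek, err := s.dek(bucket)
	if err != nil {
		return err
	}
	s.records[bucket][key] = seal(dek, value, []byte(bucket+"/"+key))
	return nil
}

func (s *Store) Get(bucket, key string) ([]byte, error) {
	dek, err := s.dek(bucket)
	if err != nil {
		return nil, err
	}
	return open(dek, s.records[bucket][key], []byte(bucket+"/"+key))
}

func main() {
	s := NewStore(randomBytes(32)) // constructed KEK; keeper would derive it with Argon2id
	if err := s.CreateBucket("db"); err != nil {
		panic(err)
	}
	if err := s.Put("db", "password", []byte("constructed-sample")); err != nil {
		panic(err)
	}
	v, err := s.Get("db", "password")
	fmt.Println(string(v), err)
}
```

Because every record is sealed under its own bucket's DEK, unwrapping one bucket's DEK gives nothing over any other bucket, and re-keying a bucket means re-encrypting only that bucket's records and re-wrapping one DEK. The AAD additionally ties each ciphertext to its bucket and key name, so a blob copied into another bucket or under another key fails authentication instead of decrypting. The wrapping step in CreateBucket is the point at which a BucketSecurityPolicy would decide how the DEK is protected.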