HN Showcase
Back to browse
GitHub Repository

Simple Secure Keeper for Secrets

122 starsGo

Keeper – embedded secret store for Go (help me break it)

by babawere·Apr 10, 2026·64 points·33 comments
Visit ProjectView on HN

AI Analysis

●●SolidSolve My ProblemBig Brain

Embedded secret store for Go apps using bbolt when Vault is overkill.

Strengths
  • Argon2id and XChaCha20-Poly1305 choices show serious crypto consideration beyond standard defaults.
  • Four security levels allow mixing clearance types within the same database instance.
  • Audit chain implementation provides tamper-evidence without requiring external logging infrastructure.
Weaknesses
  • Embedded secret storage remains an anti-pattern if the host machine gets compromised.
  • bbolt limits concurrent write access significantly compared to client-server databases.
Category
Security
Target Audience

Go developers needing local secret storage without external Vault infrastructure.

Similar To

HashiCorp Vault · AWS Secrets Manager · Doppler

Post Description

Keeper is an embeddable secret store (Argon2id, XChaCha20-Poly1305 by default). Four security levels, audit chains, crash-safe rotation. Vault is overkill for most use cases. This is for when you ge paranoid about env and need encrypted local storage that doesn't suck. No security through obscurity, hence, It's still early, so now's the best time to find weird edge cases, race conditions, memory leaks, crypto misuse, anything that breaks. The README has a full security model breakdown if you want to get adversarial.

Similar Projects

Developer Tools●●●Banger

enveil – hide your .env secrets from prAIng eyes

Stops AI tools from reading .env files by never storing secrets as plaintext on disk.

Solve My ProblemNiche GemShip It
parkaboy
2011313mo ago
Security●●Solid

AxKeyStore – Zero-trust CLI secrets manager using your own GitHub repo

GitHub-as-untrusted-storage with XChaCha20 is clever, but 1Password and Vault already own secrets.

Niche GemShip It
robin_a_p
213mo ago