Show HN: Keeper – embedded secret store for Go (help me break it) (github.com)
30 points by babawere 3 hours ago | 18 comments
Keeper is an embeddable secret store (Argon2id, XChaCha20-Poly1305 by default). Four security levels, audit chains, crash-safe rotation. Vault is overkill for most use cases. This is for when you get paranoid about env and need encrypted local storage that doesn't suck. No security through obscurity, hence, it's still early, so now's the best time to find weird edge cases, race conditions, memory leaks, crypto misuse, anything that breaks. The README has a full security model breakdown if you want to get adversarial.
Retr0id 43 minutes ago
Mmmm vibecrypto, my favourite. I don't see anything obviously broken (at a glance) but as a perf improvement, there's little reason to use Argon2id for the "verification hash" step, might as well use sha256 there. There is also no need to use ConstantTimeCompare because the value being compared against is not secret, although it doesn't hurt. The "Crash-safe rotation WAL" feature sounds sketchy and it's what I'd audit closely, if I was auditing closely.

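To make the point about the verification hash concrete, here is an added example written for this thread; it is not Keeper's code. The passphrase is stretched once by a slow KDF (a deliberately expensive iterated HMAC-SHA256 standing in for Argon2id, which is not in Go's standard library), and the only thing persisted beside the salt is a plain SHA-256 of the derived key. The `keeper-verifier-v1:` label is an assumed domain-separation string, not Keeper's.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// slowKDF stands in for Argon2id (not in the standard library): a chain of
// HMAC-SHA256 invocations whose only job is to be deliberately expensive.
// It is not a real password hash; a real store would call argon2.IDKey here.
func slowKDF(passphrase, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, passphrase)
	mac.Write(salt)
	key := mac.Sum(nil)
	for i := 1; i < iterations; i++ {
		mac.Reset()
		mac.Write(key)
		key = mac.Sum(nil)
	}
	return key
}

// makeVerifier produces the value persisted next to the salt so that a later
// unlock can tell a wrong passphrase from a right one. The derived key is
// already 32 bytes of KDF output, so one cheap SHA-256 (under an assumed
// domain-separation label) is enough; running Argon2id a second time would
// only add latency to every unlock. The verifier itself is not secret.
func makeVerifier(masterKey []byte) []byte {
	h := sha256.New()
	h.Write([]byte("keeper-verifier-v1:")) // assumed label, not Keeper's
	h.Write(masterKey)
	return h.Sum(nil)
}

// unlock runs the slow KDF exactly once and then checks the cheap verifier.
// The master key is returned only when the passphrase was right.
func unlock(passphrase, salt, storedVerifier []byte, iterations int) ([]byte, bool) {
	key := slowKDF(passphrase, salt, iterations)
	// hmac.Equal is constant-time. It is not required here, because the
	// stored verifier is public data, but it costs nothing.
	if !hmac.Equal(makeVerifier(key), storedVerifier) {
		return nil, false
	}
	return key, true
}

func main() {
	salt := []byte("constructed-salt-0123456") // constructed; use crypto/rand in practice
	const iters = 200_000

	// First run: derive the key, persist salt + verifier (never the key).
	key := slowKDF([]byte("correct horse battery"), salt, iters)
	verifier := makeVerifier(key)

	_, ok := unlock([]byte("correct horse battery"), salt, verifier, iters)
	fmt.Println("right passphrase unlocks:", ok) // true
	_, ok = unlock([]byte("wrong"), salt, verifier, iters)
	fmt.Println("wrong passphrase unlocks:", ok) // false
}
```

The shape is what matters: the cost of an unlock is one KDF call, and the verifier check adds a single hash. Swapping `slowKDF` for Argon2id changes nothing else in the flow.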
modelorona an hour ago
Name could conflict with Keeper Security

RALaBarge 41 minutes ago
Hey I ran this request through my AI harness (beigeboxoss.com), first with a smaller local model and then validated with Trinity Large via OR. https://github.com/agberohq/keeper/issues/2 -- YMMV but wanted something to do with my coffee, thanks!

emanuele-em 44 minutes ago
Per-bucket DEKs with HKDF, hashed policy keys to kill enumeration, HMAC audit chain. This is the kind of boring-correct crypto design I rarely see in Go libraries. memguard for the master key is a nice touch too.

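The three design pieces listed in that comment (per-bucket DEKs from HKDF, keyed policy hashes, an HMAC audit chain) fit in one small program. This is an added example written for this thread, not Keeper's code: HKDF is written out from HMAC-SHA256 so the block has no dependency outside the standard library, AES-256-GCM stands in for XChaCha20-Poly1305 (which is not in the standard library), and the label strings `dek/`, `policy-hash` and `audit` are assumed, not Keeper's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hkdfSHA256 is HKDF (RFC 5869) extract-then-expand, written out with the
// standard library. One 32-byte output block is all this example needs.
func hkdfSHA256(ikm, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt) // nil salt == HashLen zero bytes (RFC 5869)
	extract.Write(ikm)
	prk := extract.Sum(nil)
	expand := hmac.New(sha256.New, prk)
	expand.Write(info)
	expand.Write([]byte{0x01}) // counter byte for T(1)
	return expand.Sum(nil)
}

// bucketDEK derives one bucket's data-encryption key from the master key.
// A different bucket name gives an unrelated key, so one DEK leaking says
// nothing about the others.
func bucketDEK(masterKey []byte, bucket string) []byte {
	return hkdfSHA256(masterKey, nil, []byte("dek/"+bucket)) // assumed label
}

// policyKey is the stored form of a policy name: a keyed hash, not the name.
// Without the master key, someone holding the file cannot hash a wordlist of
// likely names and learn which buckets exist.
func policyKey(masterKey []byte, name string) string {
	k := hkdfSHA256(masterKey, nil, []byte("policy-hash")) // assumed label
	m := hmac.New(sha256.New, k)
	m.Write([]byte(name))
	return hex.EncodeToString(m.Sum(nil))
}

func gcmFor(dek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSecret encrypts with AES-256-GCM (standing in for XChaCha20-Poly1305).
// The bucket name is passed as associated data so a blob cannot be moved to
// another bucket undetected. Output layout: nonce || ciphertext || tag.
func sealSecret(dek, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func openSecret(dek, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(dek)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], aad)
}

// auditEntry is one link of the chain: Tag = HMAC(auditKey, prevTag || Event).
type auditEntry struct {
	Event string
	Tag   []byte
}

func appendAudit(auditKey []byte, chain []auditEntry, event string) []auditEntry {
	var prev []byte
	if n := len(chain); n > 0 {
		prev = chain[n-1].Tag
	}
	m := hmac.New(sha256.New, auditKey)
	m.Write(prev)
	m.Write([]byte(event))
	return append(chain, auditEntry{Event: event, Tag: m.Sum(nil)})
}

// verifyAudit recomputes every tag from the first entry. Editing, deleting or
// reordering an entry breaks every tag after it. Cutting entries off the end
// is the one change a chain alone cannot see; that needs the latest tag
// anchored somewhere outside the file.
func verifyAudit(auditKey []byte, chain []auditEntry) bool {
	var prev []byte
	for _, e := range chain {
		m := hmac.New(sha256.New, auditKey)
		m.Write(prev)
		m.Write([]byte(e.Event))
		if !hmac.Equal(m.Sum(nil), e.Tag) {
			return false
		}
		prev = e.Tag
	}
	return true
}

func main() {
	master := make([]byte, 32) // constructed; a real store gets this from the KDF
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	dek := bucketDEK(master, "db")
	sealed, _ := sealSecret(dek, []byte("pg-password"), []byte("db"))
	pt, err := openSecret(dek, sealed, []byte("db"))
	fmt.Println(string(pt), err) // pg-password <nil>

	auditKey := hkdfSHA256(master, nil, []byte("audit")) // assumed label
	chain := appendAudit(auditKey, nil, "unlock")
	chain = appendAudit(auditKey, chain, "read db/pg")
	fmt.Println("chain intact:", verifyAudit(auditKey, chain)) // true
	chain[0].Event = "nothing happened"
	fmt.Println("after edit:", verifyAudit(auditKey, chain)) // false
}
```

Two things to notice when reading a real implementation against this sketch: the associated data is what stops a valid blob from being replayed under a different bucket, and the audit chain's weak spot is truncation, so look for where the last tag is anchored.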
n0n an hour ago
Genuine question: what's your threat model? Vault gives time-limited tokens with a network boundary. Instead of Keeper, I would just use age:

    # write
    echo "my secret" | age -r <recipient-pubkey> > secret.age
    # read
    age -d -i key.txt secret.age

elthor89 2 hours ago
I have been looking for something like this. I know openbao, hashicorp vault. But they need to be placed on a separate server, and come with their own infra management. Is the idea of this project to embed this into your app, instead of relying on .env or an external vault?

tietjens an hour ago
Could I use this to store secrets to hide env vars from agents?

nonameiguess an hour ago
Keeper is already the name of a popular enterprise secrets store: https://docs.keeper.io/en/user-guides/web-vault I haven't used it, don't advocate for it, and have no opinion on either its viability or your product's viability for any specific use case. Mostly I just think it's a bit confusing to have two separate products in a very similar space with the same name.