secrets

module
v0.23.0
Published: Mar 3, 2026 License: MIT

README

🔐 Secrets

A lightweight secrets manager with envelope encryption, transit encryption, API auth, and audit logs.


Secrets is inspired by HashiCorp Vault ❤️, but it is intentionally much simpler and was not designed to compete with Vault.

Warning: While in versions v0.x.y, this project is not yet recommended for production deployment, and the API is not yet stable and is subject to many changes. It will only be recommended for production when it reaches version v1.0.0.

✨ Features

  • Authentication & Authorization: Token-based auth with Argon2id password hashing and capability-based path-matching policies.
  • KMS Integration: Native support for Google Cloud KMS, AWS KMS, Azure Key Vault, and HashiCorp Vault.
  • Dual Database Support: Compatible with PostgreSQL 12+ and MySQL 8.0+ out of the box.
  • Observability: OpenTelemetry metrics with Prometheus-compatible endpoints.

📦 Main Engines

Secret Engine

Provides versioned, encrypted storage for your application secrets using envelope encryption. Keep passwords and API keys secure at rest.

Transit Engine

Offers Encryption as a Service (EaaS). Encrypt and decrypt data on the fly without storing the payload in the Secrets database.

Tokenization Engine

Format-preserving token generation for sensitive values (e.g., credit cards) with deterministic options and lifecycle management.

Audit Logs

Tamper-resistant cryptographic audit logs capture capability checks and access attempts for monitoring and compliance.

🚀 Quick Start

Choose your preferred deployment method to get started:

  1. 🐳 Run with Docker image (recommended): Docker Guide
  2. 💻 Run locally for development: Local Development Guide
  3. 📦 Run with pre-compiled binary: Binary Guide

📚 Documentation

See our detailed guides in the docs/ directory:

📄 License

MIT. See LICENSE.

Directories

Path: Synopsis
cmd/app (command): Package main provides the CLI command definitions for the application.
cmd/app/commands: Package commands contains CLI command implementations for the application.
internal/app: Package app provides dependency injection container for assembling application components.
internal/auth/domain: Package domain defines authentication and authorization domain models and business logic.
internal/auth/http: Package http provides HTTP handlers for authentication and client management operations.
internal/auth/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/auth/http/mocks: Package mocks provides mock implementations for testing HTTP handlers.
internal/auth/repository/postgresql: Package repository implements data persistence for authentication and authorization entities.
internal/auth/service: Package service provides technical services for authentication operations.
internal/auth/usecase: Package usecase implements business logic orchestration for authentication operations.
internal/config: Package config provides application configuration through environment variables.
internal/crypto/domain: Package domain defines core cryptographic domain models for envelope encryption.
internal/crypto/repository/postgresql: Package repository implements data persistence for KEKs and DEKs.
internal/crypto/service: Package service provides cryptographic services for AEAD cipher management and key operations.
internal/crypto/usecase: Package usecase defines business logic interfaces for KEK operations and repository contracts.
internal/database: Package database provides database connection management and utilities.
internal/errors: Package errors provides standardized domain errors for business logic.
internal/http: Package http provides HTTP server implementation and request handlers.
internal/httputil: Package httputil provides HTTP utility functions for request and response handling.
internal/metrics: Package metrics provides OpenTelemetry metrics instrumentation with Prometheus export.
internal/secrets/domain: Package domain defines core domain models and errors for secrets.
internal/secrets/http: Package http provides HTTP handlers for secret management operations.
internal/secrets/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/secrets/repository/mysql: Package mysql implements secret persistence for MySQL databases.
internal/secrets/repository/postgresql: Package repository implements data persistence for secret management.
internal/secrets/usecase: Package usecase defines the interfaces and implementations for secret management use cases.
internal/testutil: Package testutil provides testing utilities for database integration tests.
internal/tokenization: Package tokenization provides secure, format-preserving tokenization for sensitive data.
internal/tokenization/domain: Package domain defines core tokenization domain models for data tokenization.
internal/tokenization/http: Package http provides HTTP handlers for tokenization key management and token operations.
internal/tokenization/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/tokenization/repository/postgresql: Package repository implements data persistence for tokenization key and token management.
internal/tokenization/service: Package service provides token generation services for various formats.
internal/tokenization/testing: Package testing provides shared test utilities for tokenization module tests.
internal/tokenization/usecase: Package usecase defines interfaces and implementations for tokenization use cases.
internal/transit/domain: Package domain defines core transit encryption domain models.
internal/transit/http: Package http provides HTTP handlers for transit key management and cryptographic operations.
internal/transit/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/transit/repository/postgresql: Package repository implements data persistence for transit encryption key management.
internal/transit/usecase: Package usecase defines interfaces and implementations for transit encryption use cases.
internal/ui: Package ui provides interactive CLI components and input validation for the application.
internal/validation: Package validation provides custom validation rules for the application.