secrets

module v0.5.0 (latest)
Published: Feb 19, 2026 License: MIT

README

🔐 Secrets

A lightweight secrets manager with envelope encryption, transit encryption, API auth, and audit logs.

Secrets is inspired by HashiCorp Vault ❤️, but it is intentionally much simpler and was not designed to compete with Vault.

🚀 Quick Start (Docker-first)

The default way to run Secrets is the published Docker image:

docker pull allisson/secrets:v0.5.0

Use pinned tags for reproducible setups. latest is also available for fast iteration.

Docs release/API metadata source: docs/metadata.json.

Then follow the Docker setup guide in docs/getting-started/docker.md.

⚠️ After rotating a master key or KEK, restart API server instances so they load the updated key material.

🧭 Choose Your Path

  1. 🐳 Run with Docker image (recommended): docs/getting-started/docker.md
  2. 💻 Run locally for development: docs/getting-started/local-development.md

🆕 What's New in v0.5.0

  • 🛡️ Added per-client rate limiting for authenticated API endpoints
  • 🌐 Added configurable CORS support (disabled by default)
  • ⏱️ Changed default token expiration from 24h to 4h for stronger security
  • 🔒 Added comprehensive security hardening guide: docs/operations/security-hardening.md
  • 📘 Added release notes: docs/releases/v0.5.0.md
  • ⬆️ Added upgrade guide: docs/releases/v0.5.0-upgrade.md
  • 📦 Updated pinned Docker docs/examples to allisson/secrets:v0.5.0

📚 Docs Map

Release note location:

All detailed guides include practical use cases and copy/paste-ready examples.

✨ What You Get

  • 🔐 Envelope encryption (Master Key -> KEK -> DEK -> Secret Data)
  • 🚄 Transit encryption (/v1/transit/keys/*) for encrypt/decrypt as a service (decrypt input uses <version>:<base64-ciphertext>; see Transit API docs, create vs rotate, and error matrix)
  • 🎫 Tokenization API (/v1/tokenization/*) for token generation, detokenization, validation, and revocation
  • 👤 Token-based authentication and policy-based authorization
  • 📦 Versioned secrets by path (/v1/secrets/*path)
  • 📜 Audit logs with request correlation (request_id) and filtering
  • 📊 OpenTelemetry metrics with Prometheus-compatible /metrics export

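The envelope chain from the first bullet above, as an added Go example that is not the project's own code: it assumes AES-256-GCM as the AEAD and an in-memory Envelope struct in place of the Secrets storage layer, and shows why a wrong master key or a modified blob is rejected before any secret data is touched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key here is 32 random bytes, so a bad key is a programming error
	}
	a, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return a
}
// seal returns nonce||ciphertext||tag under AES-256-GCM; open reverses it and rejects tampering or a wrong key.
func seal(key, pt []byte) []byte {
	a := aead(key)
	nonce := make([]byte, a.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error (Go 1.24+)
	return a.Seal(nonce, nonce, pt, nil)
}
func open(key, blob []byte) ([]byte, error) {
	a := aead(key)
	if len(blob) < a.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return a.Open(nil, blob[:a.NonceSize()], blob[a.NonceSize():], nil)
}
func randomKey() []byte { k := make([]byte, 32); rand.Read(k); return k }

// Envelope persists only wrapped material (assumed layout): KEK under the master key, DEK under the KEK, secret under the DEK.
type Envelope struct{ WrappedKEK, WrappedDEK, Ciphertext []byte }

// Encrypt walks the chain Master Key -> KEK -> DEK -> Secret Data with fresh random KEK and DEK.
func Encrypt(master, secret []byte) *Envelope {
	kek, dek := randomKey(), randomKey()
	return &Envelope{seal(master, kek), seal(kek, dek), seal(dek, secret)}
}
// Decrypt unwraps in reverse; a wrong master key fails at the KEK step and never touches the data.
func Decrypt(master []byte, e *Envelope) (key []byte, err error) {
	key = master
	for _, blob := range [][]byte{e.WrappedKEK, e.WrappedDEK, e.Ciphertext} {
		if key, err = open(key, blob); err != nil {
			return nil, err
		}
	}
	return key, nil
}
```

Rotating the KEK in this model means re-wrapping only the DEK under a new KEK; the secret ciphertext is untouched, which is why running servers must reload key material after rotation rather than re-encrypt data.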
🌐 API Overview

  • Health: GET /health
  • Readiness: GET /ready
  • Token issuance: POST /v1/token
  • Clients: GET/POST /v1/clients, GET/PUT/DELETE /v1/clients/:id
  • Secrets: POST/GET/DELETE /v1/secrets/*path
  • Transit: POST /v1/transit/keys, POST /v1/transit/keys/:name/rotate, POST /v1/transit/keys/:name/encrypt, POST /v1/transit/keys/:name/decrypt, DELETE /v1/transit/keys/:id (create vs rotate, error matrix)
  • Tokenization: POST /v1/tokenization/keys, POST /v1/tokenization/keys/:name/rotate, DELETE /v1/tokenization/keys/:id, POST /v1/tokenization/keys/:name/tokenize, POST /v1/tokenization/detokenize, POST /v1/tokenization/validate, POST /v1/tokenization/revoke
  • Audit logs: GET /v1/audit-logs
  • Metrics: GET /metrics (available when METRICS_ENABLED=true)

📄 License

MIT. See LICENSE.

Directories

cmd/app (command): Package main provides the entry point for the application with CLI commands.
cmd/app/commands: Package commands contains CLI command implementations for the application.
internal/app: Package app provides dependency injection container for assembling application components.
internal/auth/domain: Package domain defines authentication and authorization domain models and business logic.
internal/auth/http: Package http provides HTTP handlers for authentication and client management operations.
internal/auth/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/auth/http/mocks: Package mocks provides mock implementations for testing HTTP handlers.
internal/auth/repository: Package repository implements data persistence for authentication and authorization entities.
internal/auth/service: Package service provides technical services for authentication operations.
internal/auth/usecase: Package usecase implements business logic orchestration for authentication operations.
internal/config: Package config provides application configuration through environment variables.
internal/crypto/domain: Package domain defines core cryptographic domain models for envelope encryption.
internal/crypto/repository: Package repository implements data persistence for KEKs and DEKs.
internal/crypto/service: Package service provides cryptographic services for AEAD cipher management and key operations.
internal/crypto/usecase: Package usecase defines business logic interfaces for KEK operations and repository contracts.
internal/database: Package database provides database connection management and utilities.
internal/errors: Package errors provides standardized domain errors for business logic.
internal/http: Package http provides HTTP server implementation and request handlers.
internal/httputil: Package httputil provides HTTP utility functions for request and response handling.
internal/metrics: Package metrics provides OpenTelemetry metrics instrumentation with Prometheus export.
internal/secrets/domain: Package domain defines the core domain models and types for secret management.
internal/secrets/http: Package http provides HTTP handlers for secret management operations.
internal/secrets/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/secrets/repository: Package repository implements data persistence for secret management.
internal/secrets/usecase: Package usecase defines the interfaces and implementations for secret management use cases.
internal/testutil: Package testutil provides testing utilities for database integration tests.
internal/tokenization/domain: Package domain defines core tokenization domain models for data tokenization.
internal/tokenization/http: Package http provides HTTP handlers for tokenization key management and token operations.
internal/tokenization/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/tokenization/repository: Package repository implements data persistence for tokenization key and token management.
internal/tokenization/service: Package service provides token generation services for various formats.
internal/tokenization/usecase: Package usecase defines interfaces and implementations for tokenization use cases.
internal/transit/domain: Package domain defines transit encryption domain models and errors.
internal/transit/http: Package http provides HTTP handlers for transit key management and cryptographic operations.
internal/transit/http/dto: Package dto provides data transfer objects for HTTP request and response handling.
internal/transit/repository: Package repository implements data persistence for transit encryption key management.
internal/transit/usecase: Package usecase defines interfaces and implementations for transit encryption use cases.
internal/validation: Package validation provides custom validation rules for the application.
