Getting started
Quickstart
Stand up ShrouDB Moat with Sigil + Cipher in about five minutes.
1. Create a config file
A single moat.toml wires together every engine you want to run.
moat.toml
[server]
http_bind = ":8200"
bind = ":8201" # TCP
[storage]
dir = "/var/lib/shroudb"
[engines.sigil]
enabled = true
[engines.sigil.keyspaces.jwt]
type = "jwt"
algorithm = "ES256"
default_ttl = "1h"
[engines.cipher]
enabled = true
[engines.cipher.keyrings.payments]
algorithm = "aes-256-gcm"
rotation_days = 30
[access]
mode = "token"
[[access.policies]]
token = "${MOAT_ADMIN_TOKEN}"
scopes = ["*:*/*"]
2. Set the master key
Moat uses an AES-256 master key to encrypt its WAL and derive per-engine keys with HKDF. Rotate it by re-wrapping engine keys through Cipher.
terminal
$ export SHROUDB_MASTER_KEY=$(openssl rand -hex 32)
$ export MOAT_ADMIN_TOKEN=$(openssl rand -hex 32)
3. Start Moat
terminal
$ shroudb-moat --config moat.toml
INFO moat::server listening on http=:8200 tcp=:8201
INFO moat::sigil ready — 1 keyspace loaded
INFO moat::cipher ready — 1 keyring loaded
INFO moat::storage wal=encrypted master_key=hkdf
4. Issue a JWT over HTTP
terminal
$ curl -sX POST http://localhost:8200/v1/sigil/issue/jwt \
-H "Authorization: Bearer $MOAT_ADMIN_TOKEN" \
-d '{"subject":"user-42","ttl":"1h"}'
{"token":"eyJhbGciOiJFUzI1NiJ9...","expires_at":"2025-01-01T01:00:00Z"}
5. Encrypt a field over TCP
terminal
$ shroudb-cli --port 8201
> AUTH $MOAT_ADMIN_TOKEN
OK
> ENGINE cipher
OK
> ENCRYPT payments "4111-1111-1111-1111"
v1:gcm:aGVsbG8gd29ybGQ=
> DECRYPT payments v1:gcm:aGVsbG8gd29ybGQ=
4111-1111-1111-1111
6. Runtime CONFIG
Change rotation, CORS, rate limits, and more without restarting. Every mutation is appended to the WAL and survives restarts.
terminal
> CONFIG SET sigil.keyspaces.jwt.rotation_days 7
OK
> CONFIG GET sigil.keyspaces.jwt.rotation_days
7 (runtime)
> CONFIG LIST sigil.keyspaces.jwt
type = "jwt" (bootstrap)
algorithm = "ES256" (bootstrap)
default_ttl = "1h" (bootstrap)
rotation_days = 7 (runtime)
Next steps
- Read the Architecture overview.
- Explore the Engines and pick the ones you need.
- Tighten up with the Security model.