ShrouDB Engine
Cipher
Encrypt anything without touching the keys.
Hand Cipher a plaintext, get back a ciphertext — your app never sees a key. Rotate every key with one command, and trust that plaintext never lands on disk.
ENCRYPT, DECRYPT, REWRAP, SIGN, VERIFY_SIGNATURE
Features
- Encrypt and decrypt without ever exposing key material
- Multiple algorithms: AES-256-GCM, ChaCha20-Poly1305, Ed25519, ECDSA-P256, HMAC-SHA256
- Automatic key rotation with versioned keyrings
- Convergent encryption for deterministic ciphertext
- Data key generation for envelope encryption
- Signing and signature verification
- Plaintext never touches disk
Quickstart (standalone)
cipher.toml
bind = ":7002"
[keyrings.payments]
algorithm = "aes-256-gcm"
rotation_days = 30
[keyrings.signatures]
algorithm = "ed25519"
rotation_days = 90
terminal
$ shroudb-cipher --config cipher.toml
Command reference
| Command | Args | Description |
|---|---|---|
| ENCRYPT | <keyring> <plaintext> [CONTEXT ctx] | Encrypt bytes under a keyring |
| DECRYPT | <keyring> <ciphertext> | Decrypt a Cipher ciphertext |
| REWRAP | <keyring> <ciphertext> | Re-encrypt to latest key version |
| GENERATE_DATA_KEY | <keyring> | Envelope-encrypted data key |
| SIGN | <keyring> <message> | Produce a signature |
| VERIFY_SIGNATURE | <keyring> <msg> <sig> | Verify a signature |
| ROTATE | <keyring> | Introduce a new key version |
| KEY_INFO | <keyring> | Inspect versions and algorithm |
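How a versioned keyring keeps old signatures verifiable after ROTATE, as an added example that is not ShrouDB's code or wire format. The Keyring class, the in-memory key store and the "v<N>:<hex>" signature layout are assumptions made for illustration; only the command names and the HMAC-SHA256 algorithm come from this page.

```python
import hashlib
import hmac
import secrets


class Keyring:
    """Toy in-memory keyring (hypothetical): HMAC-SHA256 keys indexed by version."""

    def __init__(self):
        self._keys = {}    # version -> key bytes; never returned to callers
        self._latest = 0
        self.rotate()

    def rotate(self):
        """ROTATE: add a new key version; older versions stay for verification."""
        self._latest += 1
        self._keys[self._latest] = secrets.token_bytes(32)
        return self._latest

    def sign(self, message: bytes) -> str:
        """SIGN: always use the latest version and tag the output with it."""
        mac = hmac.new(self._keys[self._latest], message, hashlib.sha256)
        return f"v{self._latest}:{mac.hexdigest()}"

    def verify(self, message: bytes, signature: str) -> bool:
        """VERIFY_SIGNATURE: select the key by version tag, compare in constant time."""
        tag, sep, digest = signature.partition(":")
        version = tag[1:]
        if not sep or not tag.startswith("v"):
            return False
        if not (version.isascii() and version.isdigit()):
            return False
        key = self._keys.get(int(version))
        if key is None:    # unknown or retired version: reject, never fall back
            return False
        expected = hmac.new(key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected.encode(), digest.encode())

    def key_info(self) -> dict:
        """KEY_INFO: metadata only, no key bytes."""
        return {"algorithm": "hmac-sha256",
                "versions": sorted(self._keys), "latest": self._latest}


def demo():
    ring = Keyring()
    msg = b"invoice:1042:amount=19.99"    # constructed sample message
    old_sig = ring.sign(msg)              # produced under version 1
    ring.rotate()
    new_sig = ring.sign(msg)              # produced under version 2
    return ring, msg, old_sig, new_sig
```

The same version-tag idea is what makes a REWRAP-style operation possible for ciphertexts: the tag tells the service which old key to open the value with before re-protecting it under the latest one.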
Bundle into Moat
Drop Cipher into a unified Moat process and it inherits the shared auth layer, storage, and telemetry — no extra wiring.
moat.toml
[engines.cipher]
enabled = true
[engines.cipher.keyrings.payments]
algorithm = "aes-256-gcm"
Run Cipher in production today
Free on ShrouDB Cloud up to 10k ops/month — no card required.