ShrouDB Engine
Keep
Get secrets out of env vars for good.
Database passwords, API keys, connection strings — out of .env files and into Keep. Encrypted by Cipher, scoped by Sentry, rotatable on demand.
PUTGETDELETELISTROTATE_SECRET
Features
- Store, retrieve, and rotate arbitrary secrets
- Per-path encryption with HKDF derivation
- Version history with configurable retention
- Auto-rotation hooks
- Path-based access control via Sentry
- WAL-encrypted storage
Quickstart (standalone)
keep.toml
bind = ":7008"
[storage]
max_versions = 10
default_ttl = "0"terminal
$ shroudb-keep --config keep.tomlCommand reference
| Command | Args | Description |
|---|---|---|
| PUT | <path> <value> | Store a secret |
| GET | <path> [--version N] | Retrieve a secret |
| DELETE | <path> | Soft-delete a secret |
| LIST | <prefix> | List secrets under a prefix |
| VERSIONS | <path> | List all versions |
| ROTATE_SECRET | <path> | Rotate a secret's wrapping key |
Bundle into Moat
Drop Keep into a unified Moat process and it inherits the shared auth layer, storage, and telemetry — no extra wiring.
moat.toml
[engines.keep]
enabled = true
max_versions = 10Run Keep in production today
Free on ShrouDB Cloud up to 10k ops/month — no card required.