ShrouDB Engine
Stash
Encrypted object storage you can revoke instantly.
Stash encrypts blobs before they reach S3 and derives a fresh key per object. Shred the wrapping key and the data is gone — perfect for forgettable user uploads and sensitive artifacts.
STORE, RETRIEVE, DELETE_BLOB, REWRAP_BLOB
Features
- Envelope-encrypted blob storage backed by S3-compatible object stores
- Per-object key derivation via HKDF
- Forensic watermarking and fingerprinting
- Cascading revocation — shred the wrapping key, the blob is gone
- Plaintext never hits storage, only wrapped data keys
- Integrates with Cipher for key lifecycle
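The sketch below is an added illustration, not ShrouDB's code or storage format: it shows per-object key derivation with HKDF and why destroying the wrapping key leaves every blob under it unrecoverable. It assumes the object keys are derived from the wrapping key, a random per-object salt and the object path; `seal`, `open_sealed` and the HMAC-based stream cipher (a standard-library stand-in for an AEAD such as AES-GCM) are hypothetical.

```python
import hashlib, hmac, os

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 64) -> bytes:
    """HKDF (RFC 5869): extract a PRK from ikm, then expand it to `length` bytes."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode, so the example needs no
    # third-party package. Use a vetted AEAD in real code.
    blocks = (hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _object_keys(wrapping_key: bytes, salt: bytes, path: str):
    # Assumption: the path is the HKDF "info", so each object gets its own keys.
    okm = hkdf_sha256(wrapping_key, salt, path.encode())
    return okm[:32], okm[32:]  # (encryption key, MAC key)

def seal(wrapping_key: bytes, path: str, blob: bytes) -> bytes:
    """Encrypt-then-MAC under per-object keys; returns salt | nonce | ct | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _object_keys(wrapping_key, salt, path)
    ct = bytes(a ^ b for a, b in zip(blob, _keystream(enc_key, nonce, len(blob))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_sealed(wrapping_key: bytes, path: str, sealed: bytes) -> bytes:
    """Verify, then decrypt. Raises ValueError on a wrong key, wrong path or tampering."""
    if len(sealed) < 64:
        raise ValueError("truncated object")
    salt, nonce, ct, tag = sealed[:16], sealed[16:32], sealed[32:-32], sealed[-32:]
    enc_key, mac_key = _object_keys(wrapping_key, salt, path)
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

if __name__ == "__main__":
    wk, path = os.urandom(32), "uploads/u1/avatar.png"  # constructed sample values
    obj = seal(wk, path, b"constructed sample blob")
    print(open_sealed(wk, path, obj))
    try:  # once the wrapping key is shredded, no other key opens the object
        open_sealed(os.urandom(32), path, obj)
    except ValueError as err:
        print("unrecoverable:", err)
```

What sits in the bucket is only the salt, nonce, ciphertext and tag, so deleting the wrapping key is enough to revoke the object without touching storage.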
Quickstart (standalone)
stash.toml
bind = ":7003"
[storage]
backend = "s3"
bucket = "myorg-stash"
region = "us-east-1"
[cipher]
mode = "embedded"
terminal
$ shroudb-stash --config stash.toml
Command reference
| Command | Args | Description |
|---|---|---|
| STORE | <path> <bytes> | Encrypt and store a blob |
| RETRIEVE | <path> | Fetch and decrypt a blob |
| DELETE_BLOB | <path> | Remove a blob |
| REWRAP_BLOB | <path> | Rotate the wrapping key |
| LIST | <prefix> | List blobs under a prefix |
Bundle into Moat
Drop Stash into a unified Moat process and it inherits the shared auth layer, storage, and telemetry — no extra wiring.
moat.toml
[engines.stash]
enabled = true
[engines.stash.storage]
backend = "s3"
bucket = "myorg-stash"
Run Stash in production today
Free on ShrouDB Cloud up to 10k ops/month — no card required.