ShrouDB

Your security stack, in one process.

Keep your data on your hardware. Moat bundles every ShrouDB engine into a single binary — no sidecars, no service mesh, nothing crossing the network just to encrypt a string.

From zero to running in one command.

Point Moat at a master key and a config file. That's the whole install.

terminal
$ docker run --rm -it \
    -p 8200:8200 -p 8201:8201 \
    -v "$(pwd)/moat.toml:/etc/shroudb/moat.toml" \
    -e SHROUDB_MASTER_KEY \
    ghcr.io/shroudb/moat:latest

INFO  moat::server listening on http=:8200 tcp=:8201
INFO  moat::sigil  ready
INFO  moat::cipher ready
INFO  moat::keep   ready

Run it as one process

Every engine core compiled into a single binary. No sidecars to deploy, no mesh to configure, no service discovery to wire up.

Hit it however you want

HTTP on :8200, TCP on :8201. Same commands, same auth — pick whichever protocol suits the call site.

One config to rule them all

moat.toml wires every engine, storage backend, auth policy, and telemetry sink. Nothing to coordinate across files.

Encrypted on disk by default

Every mutation is AES-256-GCM encrypted before it touches storage. Per-engine HKDF derivation from a single master key — you manage one secret.

Reconfigure without restarts

Change TTLs, rotation cadence, CORS, and rate limits at runtime. Every mutation persists to the encrypted WAL.

Least privilege out of the box

One token model across every engine. Grant cipher:encrypt/payments without exposing keep:get/*.

Don't want to run it yourself?

ShrouDB Cloud runs the identical engines for you, free up to 10k ops/month.