Show HN: Keeper — embedded secret store for Go (help me break it)

April 10, 2026
Photo by William Warby on Pexels

What is Keeper?

Keeper is an open-source cryptographic secret store for Go that encrypts arbitrary byte payloads at rest and keeps them in an embedded bbolt database. It ships as three pluggable pieces: a Go library you can embed directly in a process, an HTTP handler (x/keephandler) that mounts its endpoints on any net/http mux, and a CLI with a persistent REPL and no-echo secret entry. Keeper was designed as the foundational secret layer for the Agbero load balancer, but it has no direct dependency on Agbero and can be used in any Go project.

How it protects secrets

The design leans on modern primitives: Argon2id for master-key derivation and XChaCha20-Poly1305 for authenticated encryption by default. Buckets partition secrets, and each bucket carries an immutable BucketSecurityPolicy; four security levels (PasswordOnly, AdminWrapped, HSM, Remote) control how a bucket's Data Encryption Key (DEK) is protected and unlocked. The salt and Argon2 parameters are explicit in the repo: Argon2id with a 32-byte salt, t=3, m=64 MiB, p=4 for deriving the master key. That is the second of the two parameter sets RFC 9106 recommends (the first, t=1 with 2 GiB of memory, is rarely practical for an embedded store), so it is a defensible default rather than an arbitrary one. A tamper-evident audit chain and per-bucket DEK isolation round out the defenses: because each bucket has its own DEK, unwrapping one bucket's key does not expose the contents of another.
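To make the per-bucket DEK isolation concrete, here is an added example written for this page (it is not Keeper's code, API or on-disk layout) of the envelope structure such a design implies: a master key wraps one random DEK per bucket, and each secret is sealed under its bucket's DEK with the bucket and secret names bound as associated data. It assumes a 32-byte master key the caller has already derived (Keeper does that with Argon2id; the derivation is omitted here), uses AES-256-GCM from the standard library in place of XChaCha20-Poly1305 (which needs golang.org/x/crypto), and the Bucket type, helper names and the "dek:" / "bucket/name" associated-data labels are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Bucket is a hypothetical stand-in for a Keeper bucket (not Keeper's own type):
// the DEK exists only wrapped under the master key, secrets only sealed under the DEK.
type Bucket struct {
	Name       string
	WrappedDEK []byte            // nonce||ciphertext of the DEK under the master key
	Secrets    map[string][]byte // secret name -> nonce||ciphertext under the DEK
}

// aeadFor returns AES-256-GCM; Keeper uses XChaCha20-Poly1305 (golang.org/x/crypto),
// AES-GCM is substituted only to stay in the standard library. The envelope is the same.
func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBox encrypts plaintext under a fresh random nonce with ad bound as
// associated data and returns nonce||ciphertext||tag.
func sealBox(key, ad, plaintext []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand.Read never returns an error as of Go 1.24
	return aead.Seal(nonce, nonce, plaintext, ad), nil
}

// openBox reverses sealBox; any change to nonce, ciphertext, tag or ad fails.
func openBox(key, ad, box []byte) ([]byte, error) {
	aead, err := aeadFor(key)
	if err != nil {
		return nil, err
	}
	if len(box) < aead.NonceSize() {
		return nil, errors.New("ciphertext missing or too short")
	}
	return aead.Open(nil, box[:aead.NonceSize()], box[aead.NonceSize():], ad)
}

// NewBucket generates a random 32-byte DEK and wraps it under masterKey with the
// bucket name as associated data, so a wrapped DEK copied from another bucket's
// record will not unwrap. masterKey is assumed to be 32 bytes, already derived.
func NewBucket(masterKey []byte, name string) (*Bucket, error) {
	dek := make([]byte, 32)
	rand.Read(dek)
	wrapped, err := sealBox(masterKey, []byte("dek:"+name), dek)
	if err != nil {
		return nil, err
	}
	return &Bucket{Name: name, WrappedDEK: wrapped, Secrets: map[string][]byte{}}, nil
}

// Put unwraps the DEK (the only use of the master key) and seals value under it,
// binding bucket and secret name so a ciphertext moved elsewhere no longer opens.
func (b *Bucket) Put(masterKey []byte, name string, value []byte) error {
	dek, err := openBox(masterKey, []byte("dek:"+b.Name), b.WrappedDEK)
	if err != nil {
		return err
	}
	box, err := sealBox(dek, []byte(b.Name+"/"+name), value)
	if err != nil {
		return err
	}
	b.Secrets[name] = box
	return nil
}

// Get unwraps the DEK and opens the named secret; a missing name fails in openBox.
func (b *Bucket) Get(masterKey []byte, name string) ([]byte, error) {
	dek, err := openBox(masterKey, []byte("dek:"+b.Name), b.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return openBox(dek, []byte(b.Name+"/"+name), b.Secrets[name])
}

func main() {
	master := make([]byte, 32) // constructed stand-in for an Argon2id-derived master key
	rand.Read(master)
	pay, _ := NewBucket(master, "payments")
	ci, _ := NewBucket(master, "ci")
	_ = pay.Put(master, "db-password", []byte("correct horse battery staple"))
	v, err := pay.Get(master, "db-password")
	fmt.Printf("payments/db-password: %q err=%v\n", v, err)
	ci.Secrets["db-password"] = pay.Secrets["db-password"] // transplant into another bucket
	_, err = ci.Get(master, "db-password")
	fmt.Println("ci/db-password after transplant: err =", err)
}
```

The transplant at the end fails for two independent reasons, a different DEK and different associated data, and a real store wants both: separate DEKs limit the blast radius if one bucket's key leaks, while the associated data stops an attacker with write access to the database file from shuffling ciphertexts between slots or swapping one bucket's wrapped DEK into another's record.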

The catches (and the invitation)

There are practical trade-offs. LevelHSM and LevelRemote push key control outside the process to an HSM or remote KMS adapter — a good thing for key custody, but one that shifts the threat model and operational complexity. A built-in SoftHSM exists for testing; do not use it in production. The author explicitly asked the Hacker News crowd to help break it — a public challenge that’s half confidence, half humility. So: will the community find the missing edge case, race, or implementation detail? That’s the emotional core here — open-source security that wants to be poked.
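One place a reviewer might poke is the tamper-evident audit chain from the previous section. As an added illustration of what such a chain can and cannot detect (this is not Keeper's code or log format; the entry layout, the HMAC construction and all names are assumptions made here), the following Go uses standard-library HMAC-SHA256 to link each entry to the one before it, then shows the edge case worth testing in any implementation: an edited or deleted entry breaks verification, but dropping the newest entries leaves a prefix that still verifies, so the current head must also be kept somewhere the database writer cannot reach.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// AuditEntry is one record of a hypothetical tamper-evident log (an illustration,
// not Keeper's format). Tag = HMAC-SHA256(key, seq || prev || len(action) || action),
// so each entry commits to the entire history before it.
type AuditEntry struct {
	Seq    uint64
	Action string
	Prev   []byte // tag of the previous entry; all zeros for the first
	Tag    []byte
}

// AuditChain keeps the HMAC key outside the persisted entries (in practice derived
// from the master key), so a writer with only database access cannot re-sign a
// consistent replacement chain.
type AuditChain struct {
	key     []byte
	Entries []AuditEntry
}

func NewAuditChain(key []byte) *AuditChain { return &AuditChain{key: key} }

func (c *AuditChain) tag(seq uint64, prev []byte, action string) []byte {
	m := hmac.New(sha256.New, c.key)
	var n [8]byte
	binary.BigEndian.PutUint64(n[:], seq)
	m.Write(n[:])
	m.Write(prev)
	binary.BigEndian.PutUint64(n[:], uint64(len(action))) // length prefix: no field-boundary ambiguity
	m.Write(n[:])
	m.Write([]byte(action))
	return m.Sum(nil)
}

// Append records action as the next entry and returns its tag, the new head.
func (c *AuditChain) Append(action string) []byte {
	prev := make([]byte, sha256.Size)
	seq := uint64(len(c.Entries))
	if seq > 0 {
		prev = c.Entries[seq-1].Tag
	}
	t := c.tag(seq, prev, action)
	c.Entries = append(c.Entries, AuditEntry{Seq: seq, Action: action, Prev: prev, Tag: t})
	return t
}

// Verify recomputes every tag and checks sequence numbers and links, returning the
// head tag. Edits, insertions and deletions inside the chain are caught here; silently
// dropping the newest entries is not, because the remaining prefix is still a valid chain.
func (c *AuditChain) Verify() ([]byte, error) {
	prev := make([]byte, sha256.Size)
	for i, e := range c.Entries {
		if e.Seq != uint64(i) {
			return nil, fmt.Errorf("entry %d: sequence gap (seq=%d)", i, e.Seq)
		}
		if !bytes.Equal(e.Prev, prev) {
			return nil, fmt.Errorf("entry %d: link to previous tag broken", i)
		}
		if !hmac.Equal(e.Tag, c.tag(e.Seq, e.Prev, e.Action)) {
			return nil, fmt.Errorf("entry %d: tag mismatch, entry modified", i)
		}
		prev = e.Tag
	}
	return prev, nil
}

// VerifyAgainstHead adds the out-of-band head comparison that catches truncation.
func (c *AuditChain) VerifyAgainstHead(expectedHead []byte) error {
	head, err := c.Verify()
	if err != nil {
		return err
	}
	if !hmac.Equal(head, expectedHead) {
		return errors.New("head mismatch: entries added or removed since the head was recorded")
	}
	return nil
}

func main() {
	c := NewAuditChain([]byte("constructed-audit-key-not-for-production"))
	c.Append("unlock bucket=payments level=PasswordOnly")
	c.Append("put bucket=payments name=db-password")
	head := c.Append("get bucket=payments name=db-password")
	fmt.Println("intact:           ", c.VerifyAgainstHead(head))
	c.Entries = c.Entries[:2] // drop the newest entry
	_, err := c.Verify()
	fmt.Println("truncated, Verify:", err, "| against head:", c.VerifyAgainstHead(head))
	c.Entries[1].Action = "put bucket=payments name=api-token" // rewrite history
	fmt.Println("entry edited:     ", c.VerifyAgainstHead(head))
}
```

Where that external copy of the head lives is exactly the kind of design question the challenge invites: if it sits in the same bbolt file as the entries, the chain is tamper-evident against accidental corruption but not against an attacker who can write to the file.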

Why this matters

Developer-operated secret stores embedded in the same process as application code are convenient. But convenience is where attackers love to lurk. Keeper’s mix of per-bucket policies, explicit crypto choices, and pluggable KMS backends makes it an interesting specimen for review — and a timely reminder that “works on my machine” isn’t a security argument. If you enjoy auditing crypto code or hunting for subtle vault bugs, this one comes with a built-in invitation: take a look, and, as the repo title requests, help break it.

Sources: github.com/agberohq, Hacker News