8 comments

  • RALaBarge 7 minutes ago
    Hey I ran this request through my AI harness (beigeboxoss.com), first with a smaller local model and then validated with Trinity Large via OR. https://github.com/agberohq/keeper/issues/2 -- YMMV but wanted something to do with my coffee, thanks!
    • Retr0id 3 minutes ago
      > The VerifyHMAC() function unconditionally returns true when the HMAC field is empty

      This kind of thing is super common in vibecoded crypto, I wonder why it keeps happening.

      • RALaBarge 2 minutes ago
        Not sure, I've seen common things like this pop up a lot too, the same errors being tripped over. I'm not sure if it is a context thing or just a limitation of how the models work presently? For stuff that I'm using myself, I will run these through like the top 10 reasoning models on OR and just see where everything pans out.
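The empty-tag acceptance Retr0id quotes above, as an added Go example that is not keeper's code: a hypothetical verifier with the flawed pattern beside a fixed one that rejects a missing or wrong-length tag and compares with hmac.Equal (the key and message are constructed sample values).

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo key; not from any real project.
var key = []byte("constructed-demo-key-do-not-reuse")

// mac computes HMAC-SHA256 over msg.
func mac(key, msg []byte) []byte {
	h := hmac.New(sha256.New, key)
	h.Write(msg)
	return h.Sum(nil)
}

// verifyFlawed is hypothetical and reproduces the bug class described in the
// thread: an empty tag is treated as "nothing to check" and accepted.
func verifyFlawed(key, msg, tag []byte) bool {
	if len(tag) == 0 {
		return true // bug: a missing tag must be a failure, not a pass
	}
	return hmac.Equal(mac(key, msg), tag)
}

// verifyFixed requires a full-length tag and compares in constant time.
// hmac.Equal handles the constant-time comparison; no extra checks needed.
func verifyFixed(key, msg, tag []byte) bool {
	if len(tag) != sha256.Size {
		return false
	}
	return hmac.Equal(mac(key, msg), tag)
}

func main() {
	msg := []byte("db_password=constructed-sample")
	fmt.Println("flawed, empty tag:", verifyFlawed(key, msg, nil))        // true
	fmt.Println("fixed, empty tag:", verifyFixed(key, msg, nil))          // false
	fmt.Println("fixed, valid tag:", verifyFixed(key, msg, mac(key, msg))) // true
}
```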
  • Retr0id 9 minutes ago
    Mmmm vibecrypto, my favourite. I don't see anything obviously broken (at a glance) but as a perf improvement, there's little reason to use Argon2id for the "verification hash" step, might as well use sha256 there. There is also no need to use ConstantTimeCompare because the value being compared against is not secret.

    The "Crash-safe rotation WAL" feature sounds sketchy and it's what I'd audit closely, if I was auditing closely.

  • modelorona 32 minutes ago
    Name could conflict with Keeper Security
  • tietjens 12 minutes ago
    Could I use this to store secrets to hide env vars from agents?
  • n0n 33 minutes ago
    Genuine question: what's your threat model?

    Vault gives time-limited tokens with a network boundary. Instead of Keeper, I would just use age:

    # write

    echo "my secret" | age -r <recipient-pubkey> > secret.age

    # read

    age -d -i key.txt secret.age

  • elthor89 1 hour ago
    I have been looking for something like this. I know openbao, hashicorp vault.

    But they require to be placed on a separate server, and come with their own infra management.

    Is the idea of this project to embed this into your app, instead of relying on .env or an external vault?

  • nonameiguess 30 minutes ago
    Keeper is already the name of a popular enterprise secrets store: https://docs.keeper.io/en/user-guides/web-vault

    I haven't used it, don't advocate for it, and have no opinion on either its viability or your product's viability for any specific use case. Mostly I just think it's a bit confusing to have two separate products in a very similar space with the same name.