keephippo
keephippo logo
Vault wire-compatible · MPL-2.0 · single binary

Secrets management,
the open hippo way.

keephippo is a from-scratch, Vault-compatible secrets manager — a server, a CLI, and a web console that speak the same /v1/* API. Point your existing Vault clients at it and they just work.

Familiar by design

It keeps Vault's wire conventions — the /v1/ path model, the X-Vault-Token header, default port 8200, and the VAULT_ADDR / VAULT_TOKEN environment variables — so the tools you already use keep working.

$ export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=kh…
$ keephippo secrets enable -path=secret kv
Success! Enabled the kv secrets engine at: secret/
$ keephippo kv put secret/myapp/db username=admin password=s3cr3t
Success! Data written to: secret/myapp/db
$ vault kv get secret/myapp/db        # the real Vault CLI, against keephippo
====== Data ======
Key         Value
---         -----
password    s3cr3t
username    admin

Batteries included

A curated, useful subset of Vault's surface — enough to run real workflows.

KV v1 & v2

Static and versioned key/value with soft-delete, undelete, destroy, and check-and-set.

Auth methods

token, userpass, approle, and TLS-certificate login — each issuing policy-scoped tokens.

Policies & tokens

HCL ACL policies, token lifecycle with TTLs and accessors, and identity entities/groups.

Transit

Encryption-as-a-service: encrypt/decrypt/rewrap, sign/verify, HMAC, and key rotation.

Leases

A first-class expiration manager that auto-revokes on expiry, with sys/leases/*.

Audit & wrapping

HMAC-obscured, fail-closed audit devices and single-use response wrapping.

Seal / unseal

Shamir unseal shares plus transit auto-unseal for hands-off boots.

Web console

An embedded browser UI at /ui with an in-browser interactive console.

See all features →

An in-binary web console

Enable ui = true and browse to /ui — no separate server, no framework.

keephippo web console — Secrets screen
⚠️ Not audited. keephippo is an educational / portfolio implementation and has not undergone a security audit. Don't use it to protect real secrets yet.