Secrets management,
the open hippo way.
keephippo is a from-scratch, Vault-compatible secrets manager — a server,
a CLI, and a web console that speak the same /v1/* API. Point your existing
Vault clients at it and they just work.
Familiar by design
It keeps Vault's wire conventions — the /v1/ path model, the
X-Vault-Token header, default port 8200, and the VAULT_ADDR /
VAULT_TOKEN environment variables — so the tools you already use keep working.
$ export VAULT_ADDR=http://127.0.0.1:8200 VAULT_TOKEN=kh… $ keephippo secrets enable -path=secret kv Success! Enabled the kv secrets engine at: secret/ $ keephippo kv put secret/myapp/db username=admin password=s3cr3t Success! Data written to: secret/myapp/db $ vault kv get secret/myapp/db # the real Vault CLI, against keephippo ====== Data ====== Key Value --- ----- password s3cr3t username admin
Batteries included
A curated, useful subset of Vault's surface — enough to run real workflows.
KV v1 & v2
Static and versioned key/value with soft-delete, undelete, destroy, and check-and-set.
Auth methods
token, userpass, approle, and TLS-certificate login — each issuing policy-scoped tokens.
Policies & tokens
HCL ACL policies, token lifecycle with TTLs and accessors, and identity entities/groups.
Transit
Encryption-as-a-service: encrypt/decrypt/rewrap, sign/verify, HMAC, and key rotation.
Leases
A first-class expiration manager that auto-revokes on expiry, with sys/leases/*.
Audit & wrapping
HMAC-obscured, fail-closed audit devices and single-use response wrapping.
Seal / unseal
Shamir unseal shares plus transit auto-unseal for hands-off boots.
Web console
An embedded browser UI at /ui with an in-browser interactive console.
An in-binary web console
Enable ui = true and browse to /ui — no separate server, no framework.
