DVault is a Docker-based secrets manager that provides a secure REST API for storing and retrieving encrypted secrets. Built with Rust and Redis, DVault offers high performance and enterprise-grade security for managing sensitive data.
- REST API: Simple HTTP API for secret management
- Encryption: AES-256-GCM encryption for all stored secrets
- Redis Backend: Fast, reliable storage with Redis
- Docker Native: Containerized deployment with Docker Compose
- Schema-First: JSON Schema-driven API design with type-safe code generation
graph TB
subgraph "DVault Server"
A[Client Request] --> B[Actix-web Handler]
B --> C{Request Type}
C -->|Set Cipher Key| D[Validate Key]
D --> E[Store in AppData]
E --> F[Return Success]
C -->|Secret Operation| G[Get AppData]
G --> H[Create DVault Instance]
H --> I[Apply Cipher Key]
I --> J[Perform Operation]
subgraph "Shared State"
E -.-> K[AppData.cipher_key<br/>RwLock<Option<String>>]
G -.-> K
end
subgraph "Storage"
J --> L[(Redis)]
end
end
style K fill:#f9f,stroke:#333,stroke-width:2px
style L fill:#ff9,stroke:#333,stroke-width:2px
- Docker and Docker Compose
- Make (for build automation)
- Rust (for local development)
-
Clone the repository
git clone https://github.com/cabeaulac/dvault cd dvault -
Configure environment (optional)
cd src/rust/dvault # Create a .env file with your Docker registry settings cat > .env << EOF USERNAME=your-docker-username NAMESPACE=dvault REGISTRY=ghcr.io # CR_PAT=your_github_token_here EOF
-
Generate schemas and build
cd ../../.. # Back to project root make gen-schemas cd src/rust/dvault make build-local-dev
-
Start services
make compose-up
-
DVault is now running
- HTTP:
http://localhost:8080
- HTTP:
DVault provides the following REST API endpoints:
POST /api/v1/cipher-key- Set the master encryption key (stored in app state)POST /api/v1/secret- Store a new secretPOST /api/v1/secret/get- Retrieve a secret by keyGET /api/v1/secrets- List all secret keysDELETE /api/v1/secret/{key}- Delete a secret
# Set cipher key (persists in app state)
curl -X POST http://localhost:8080/api/v1/cipher-key \
-H "Content-Type: application/json" \
-d '{"key": "your-encryption-key"}'
# Store a secret
curl -X POST http://localhost:8080/api/v1/secret \
-H "Content-Type: application/json" \
-d '{"key": "db-password", "value": "super-secret-password"}'
# Retrieve a secret
curl -X POST http://localhost:8080/api/v1/secret/get \
-H "Content-Type: application/json" \
-d '{"key": "db-password"}'dvault/
├── schemas/ # JSON Schema definitions
├── src/rust/dvault/ # Rust workspace
│ ├── dvault_bin/ # Main API server binary
│ ├── dvault_lib/ # Core encryption/storage library
│ ├── dvault_schema_lib/ # Generated schema types
│ └── docker-compose.yml # Development environment
├── Makefile # Root build automation
└── CLAUDE.md # Development guide
# Build all components
cd src/rust/dvault
# Build and run tests
make build-local-dev
# Run tests without build
make test# Run unit tests with cargo
cargo test
# Run integration tests
make testDVault includes a test environment with an Alpine container for manual API testing:
# Start the test environment
make compose-test-up
# Access the test client container
docker exec -it test-client sh
# Inside the container, test the API:
# Health check
curl http://dvault:8080/health
# Set cipher key
curl -X POST http://dvault:8080/api/v1/cipher-key \
-H "Content-Type: application/json" \
-d '{"key": "test-encryption-key-123"}'
# Store a secret
curl -X POST http://dvault:8080/api/v1/secret \
-H "Content-Type: application/json" \
-d '{"key": "test-secret", "value": "my-secret-value"}' | jq
# Retrieve a secret
curl -X POST http://dvault:8080/api/v1/secret/get \
-H "Content-Type: application/json" \
-d '{"key": "test-secret"}' | jq
# List all secrets
curl http://dvault:8080/api/v1/secrets | jq
# Stop the test environment
exit
make compose-test-downThe test client includes curl and jq pre-installed for easy API testing.
DVault runtime can be configured using environment variables:
REDIS_HOST- Redis server hostname (default:redis)REDIS_PORT- Redis server port (default:6379)HTTP_PORT- HTTP server port (default:8080)
For Docker registry and deployment, configure the .env file in src/rust/dvault/:
# Create .env file with your settings
cd src/rust/dvault
cat > .env << EOF
USERNAME=your-docker-username
NAMESPACE=dvault
REGISTRY=ghcr.io
# CR_PAT=your_github_token_here
EOFRequired variables in .env:
USERNAME- Docker registry username (default:cabeaulac)NAMESPACE- Docker image namespace (default:dvault)REGISTRY- Docker registry URL (default:ghcr.io)CR_PAT- GitHub Container Registry Personal Access Token (required for pushing images)
To generate a GitHub token:
- Go to https://github.com/settings/tokens
- Create a token with
write:packagespermission - Add it to your
.envfile asCR_PAT=your_token_here
- Encryption: All secrets are encrypted using AES-256-GCM before storage
- Key Management: Master encryption key is stored in application state (memory only)
- Key Persistence: Cipher keys persist across HTTP requests within the same server instance
- Network Security: HTTPS recommended for production deployments
- Access Control: Consider implementing authentication/authorization
- Data at Rest: Redis persistence should be configured appropriately
-
Build production images
cd src/rust/dvault make docker-push-prod -
Deploy with Docker Compose
make deploy-build # Transfer dvault-deploy.tar.gz to production server
This project is licensed under the MIT License - see the LICENSE file for details.
For questions and support, please open an issue on GitHub.