kv2 is an encrypted & versioned secrets manager for tailnets, built for homelab secrets management. This repository contains the server and client components, as well as the reference client implementation in the form of a CLI.
- Simple: deployed as a single binary or Docker container, with a flexible API for management.
- Encrypted: secrets are encrypted at rest using age and user-controlled keys.
- Versioned: up to nine versions of each secret are stored to provide basic change history.
- Secure: built with the Tailscale client library to provide secure access to the API.
- External KMS: optionally integrates with cloud key management systems for securely retrieving age keys.
- Cloud Storage: optionally leverages a cloud storage system for backup and recovery of the secrets database.
These features make kv2 the perfect secrets management solution for my homelab, but it may not be suitable for production environments.
If you are just looking to move fast and break things, here is the server container running in development mode. No Tailscale, no persistence, and no encryption.
docker run --rm --name kv2 -p 8081:8081 -e KV2_DEV_MODE=true ghcr.io/hugginsio/kv2:latest
You can interact with the server using the API or the provided CLI. You can download the CLI executable from the Releases page or install it with Homebrew:
brew install hugginsio/tap/kv2
Additional documentation can be found in the docs directory.
- @tailscale/setec, which largely inspired kv2.
"Tailscale" is a registered trademark of Tailscale Inc. The kv2 project is not endorsed by, sponsored by, or affiliated with Tailscale Inc.