April 10, 2026
Secrets, drama, and a name clash
Show HN: Keeper – embedded secret store for Go (help me break it)
Show HN’s “Keeper” sparks love, side‑eye, and a name war
TLDR: A new embedded Go secret store aims to replace external vaults with simple, fast, in-app encryption. The crowd is torn between loving the convenience, warning about the “Keeper” name clash, and saying “just use age,” turning a tech release into a branding squabble and simplicity showdown.
A new DIY-friendly secret store for Go just dropped, and the comments instantly split into teams. Fans cheered the idea of baking secrets right into your app—no separate server, no ops circus. One excited user basically asked, “So this replaces my .env file and those bulky vaults?” Meanwhile, the skeptics rolled in hot: one voice fired off the classic minimalist take—just use age (a simple file encryption tool)—and called it a day.
Then came the drama. Several folks pointed out that “Keeper” is already a well-known enterprise password manager, linking to docs.keeper.io. Cue the branding sirens: is this a name collision or just a confusing coincidence? The thread also had a viral typo: someone asked for the project’s “thread model” (yes, they meant threat), instantly becoming a running joke about whether the real risk is hackers… or Reddit threads.
Under the memes, the pitch is clear: Argon2id for strong password derivation, XChaCha20-Poly1305 for encryption, stored in a tiny embedded database, plus a library, an HTTP add-on, and a command-line tool. Power users nerded out over tiers like admin-wrapped keys and hardware modules, while pragmatists just wanted to know: “Can this hide env vars from build agents?” The vibe: promising tech, spicy branding, and a clean split between convenience lovers and keep-it-simple purists.
Key Points
- Keeper is an embedded secret store for Go that encrypts data at rest with Argon2id-derived keys and XChaCha20-Poly1305, persisting to bbolt.
- It ships as a Go library, an HTTP handler (x/keephandler) for net/http, and a CLI (cmd/keeper) with a persistent REPL and secure input.
- Secrets are organized into buckets with immutable security policies; four levels are supported: PasswordOnly, AdminWrapped, HSM, and Remote.
- HSM and Remote levels delegate DEK wrap/unwrap to an HSMProvider or an HTTPS remote provider, with pre-built configs for HashiCorp Vault Transit, AWS KMS, and GCP Cloud KMS; mutual TLS is recommended.
- Master key derivation uses Argon2id with a random 32-byte salt and a stored verification hash; per-bucket DEKs and KEKs are derived via HKDF-SHA256.
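
To make the last point concrete, here is an added sketch (not Keeper's own code) of how HKDF-SHA256 turns one master key into independent per-bucket DEKs and KEKs, so that a key for one bucket or purpose says nothing about another. The info-label layout, the bucket names, the salt, and the all-zero master key standing in for the Argon2id output are constructed assumptions; the page does not specify Keeper's actual HKDF inputs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// hkdfSHA256 implements RFC 5869 extract-then-expand with HMAC-SHA256.
func hkdfSHA256(ikm, salt, info []byte, n int) []byte {
	if n > 255*sha256.Size {
		panic("hkdf: requested output too long")
	}
	ext := hmac.New(sha256.New, salt) // extract: PRK = HMAC(salt, IKM)
	ext.Write(ikm)
	prk := ext.Sum(nil)
	var okm, prev []byte
	for i := byte(1); len(okm) < n; i++ { // expand: T(i) = HMAC(PRK, T(i-1) | info | i)
		h := hmac.New(sha256.New, prk)
		h.Write(prev)
		h.Write(info)
		h.Write([]byte{i})
		prev = h.Sum(nil)
		okm = append(okm, prev...)
	}
	return okm[:n]
}

// bucketKey derives a 32-byte key bound to a purpose ("dek" or "kek") and a bucket.
// The label layout is an assumption for illustration, not Keeper's actual format.
func bucketKey(master, salt []byte, purpose, bucket string) []byte {
	// Length-prefix the purpose so ("a","bc") and ("ab","c") cannot collide.
	info := append([]byte{byte(len(purpose))}, purpose...)
	info = append(info, bucket...)
	return hkdfSHA256(master, salt, info, 32)
}

func main() {
	master := make([]byte, 32) // constructed stand-in for the Argon2id output
	salt := []byte("constructed-demo-salt")
	for _, b := range []string{"payments", "ci-tokens"} { // hypothetical bucket names
		fmt.Printf("%-10s dek=%s kek=%s\n", b,
			hex.EncodeToString(bucketKey(master, salt, "dek", b)[:8]),
			hex.EncodeToString(bucketKey(master, salt, "kek", b)[:8]))
	}
}
```

In production Go code the expand step would normally come from a maintained HKDF package rather than a hand-written loop; it is written out here only so the example runs with the standard library alone.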