ShrouDB
Security infrastructure

Stop stitching.
Start shipping.

Replace seven security vendors with one binary. Credentials, encryption, search, authorization, certificates, secrets, notifications, and audit — wired together, ready to ship.

$ shroudb-moat --config moat.toml
INFO  moat::server listening on http=:8200 tcp=:8201
INFO  moat::sigil  ready — 3 keyspaces loaded
INFO  moat::cipher ready — 2 keyrings loaded
INFO  moat::keep   ready — storage encrypted

$ curl -sX POST localhost:8200/v1/sigil/issue/jwt \
    -H "Authorization: Bearer $TOKEN" \
    -d '{"subject":"user-42","ttl":"1h"}'
{"token":"eyJhbGciOiJFUzI1NiJ9...","expires_at":"2025-01-01T01:00:00Z"}

$ shroudb-cli --port 8201
> ENGINE cipher
OK
> ENCRYPT payments "4111-1111-1111-1111"
v1:gcm:aGVsbG8gd29ybGQ=
> DECRYPT payments v1:gcm:aGVsbG8gd29ybGQ=
4111-1111-1111-1111

Delete a row from your invoices.

One vendor instead of seven. One auth model. One config. One place to debug when something breaks at 2am.

HashiCorp Vault          →  Sigil + Keep
AWS KMS                  →  Cipher
Auth0                    →  Sigil
Open Policy Agent        →  Sentry
Let's Encrypt + step-ca  →  Forge
SendGrid                 →  Courier
Datadog                  →  Chronicle

One binary. One config. One auth model. Zero inter-service network hops. Zero vendor coordination.

Pick the engine. Skip the integration work.

Nine focused engines that already speak the same auth, config, and telemetry. Compose them like libraries — without the glue.

Sigil
Issue and rotate every kind of credential.

Stop building yet another JWT service. Sigil issues and rotates JWTs, API keys, HMAC secrets, refresh tokens, and passwords from one envelope-encrypted store — with lifecycle hooks and pub/sub baked in.

ISSUE · VERIFY · REVOKE · ROTATE

Cipher
Encrypt anything without touching the keys.

Hand Cipher a plaintext, get back a ciphertext — your app never sees a key. Rotate every key with one command, and trust that plaintext never lands on disk.

ENCRYPT · DECRYPT · REWRAP · SIGN

Stash
Encrypted object storage you can revoke instantly.

Stash encrypts blobs before they reach S3 and derives a fresh key per object. Shred the wrapping key and the data is gone — perfect for forgettable user uploads and sensitive artifacts.

STORE · RETRIEVE · DELETE_BLOB · REWRAP_BLOB

Veil
Search encrypted data without leaking it.

Veil runs fuzzy, prefix, and contains queries over encrypted documents — decrypting, matching, and re-encrypting in memory. The keys stay where they belong: in Cipher.

ENCRYPTED_SEARCH · FUZZY · PREFIX · CONTAINS

Forge
Run an internal CA without running a PKI team.

Forge issues, renews, and revokes short-lived X.509 certificates with a handful of commands. The internal CA you needed yesterday — without a six-month PKI project.

ISSUE_CERT · RENEW · REVOKE_CERT · CA_INFO

Sentry
Authorization decisions you can prove in court.

Sentry evaluates versioned policies and signs every allow and deny. The audit trail isn't a log file you have to trust — it's cryptographically verifiable end-to-end.

EVALUATE · CHECK · POLICY_LOAD · DECISION_LOG

Courier
Send sensitive notifications without leaving a trail.

Courier decrypts, renders, sends, and zeroizes — plaintext exists only long enough to leave the building. PII-bearing emails, alerts, and webhooks without the lingering footprint.

DELIVER · RENDER · DISPATCH · ZEROIZE

Keep
Get secrets out of env vars for good.

Database passwords, API keys, connection strings — out of .env files and into Keep. Encrypted by Cipher, scoped by Sentry, rotatable on demand.

PUT · GET · DELETE · LIST

Chronicle
One audit trail across every engine.

Chronicle aggregates decision logs, command traces, and key lifecycle events into one queryable stream. Answer auditor questions without grepping seven log files.

QUERY · STREAM · ALERT · AUDIT_LOG

Host it yourself. Or don't.

Same engines, same API, same SDKs. Switch between Cloud and Moat by changing one URL.

ShrouDB Cloud
Managed platform

Skip the deploy. Get every engine running behind a URL in under a minute, with a free tier that comfortably covers side projects.

  • Free tier: 10k ops/mo, all engines
  • Instant provisioning, zero config
  • Managed upgrades, backups, TLS
  • SLA and audit exports on Pro

ShrouDB Moat
Self-hosted gateway

Keep your data on your infrastructure. One binary, one port, one config — every engine bundled, no service mesh required.

  • Single binary, single port
  • One config file, all nine engines
  • Dual protocol: HTTP + TCP
  • Runtime CONFIG commands, no restarts

Feels right in your terminal and your editor.

Predictable commands, typed SDKs, telemetry that's already wired up. The boring parts are done.

Tune it without redeploying

Change rotation intervals, CORS origins, and rate limits at runtime. Every mutation is appended to the WAL.

> CONFIG SET sigil.keyspaces.jwt.rotation_days 7
OK
> CONFIG LIST sigil.keyspaces
jwt.rotation_days = 7 (runtime)
jwt.default_ttl   = 1h (bootstrap)

One token, least privilege everywhere

Scope-based auth across every engine. Grant cipher:encrypt/payments without handing over keep:get/*.

[access]
mode = "token"

[[access.policies]]
token = "$APP_TOKEN"
scopes = [
  "cipher:encrypt/payments",
  "sigil:verify/*",
]
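The scope strings in the policy above follow an engine:action/resource shape. The block below is an added example of how a deny-by-default matcher for such scopes can be written; it is illustrative code for this page, not ShrouDB's Sentry or access layer, and the wildcard rules it applies (a trailing "*" in the resource matches any resource with that prefix, "*" as the whole action matches any action, requests must be concrete) are assumptions. The token value is a placeholder.

```javascript
// Added example: scope matching for "engine:action/resource" tokens.
// Written for this page; not ShrouDB's own authorization code. Wildcard
// semantics below are assumptions, not the product's documented rules.

// Parse "cipher:encrypt/payments" into its parts. A missing resource part
// is treated as "*" (assumption).
function parseScope(scope) {
  const m = /^([a-z_]+):([a-z_*]+)(?:\/(.+))?$/.exec(scope);
  if (!m) throw new Error(`malformed scope: ${scope}`);
  return { engine: m[1], action: m[2], resource: m[3] ?? "*" };
}

// Does one granted pattern cover one concrete request?
function scopeCovers(granted, requested) {
  const g = parseScope(granted);
  const r = parseScope(requested);
  // Requests name a concrete action and resource; wildcards only belong in grants.
  if (r.action === "*" || r.resource.includes("*")) {
    throw new Error(`request must be concrete: ${requested}`);
  }
  if (g.engine !== r.engine) return false;
  if (g.action !== "*" && g.action !== r.action) return false;
  if (g.resource === "*") return true;
  if (g.resource.endsWith("*")) {
    return r.resource.startsWith(g.resource.slice(0, -1));
  }
  return g.resource === r.resource;
}

// Look up the token's policy and decide. Deny by default; any matching
// scope allows, and the reason records which scope (or why not) for audit.
function authorize(policies, token, requested) {
  const policy = policies.find((p) => p.token === token);
  if (!policy) return { allowed: false, reason: "unknown token" };
  const match = policy.scopes.find((s) => scopeCovers(s, requested));
  return match
    ? { allowed: true, reason: `granted by scope ${match}` }
    : { allowed: false, reason: "no matching scope" };
}

// Constructed policy table mirroring the [[access.policies]] entry above.
// The token is a placeholder, not a real credential.
const POLICIES = [
  {
    token: "app-token-placeholder",
    scopes: ["cipher:encrypt/payments", "sigil:verify/*"],
  },
];
```

Note what the matcher refuses: a token holding cipher:encrypt/payments cannot decrypt the same keyring, and keep:get on any secret is denied because no keep scope was granted at all.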

See what every engine is doing

Traces, audit logs, and OTEL export ship in the binary. Chronicle ingests every event from every engine, no extra agents.

[telemetry]
console    = true
audit_file = "/var/log/shroudb/audit.jsonl"

[telemetry.otel]
endpoint     = "http://tempo:4317"
service_name = "shroudb"

SDKs that match the protocol

Typed clients for TypeScript, Python, Ruby, and Go. Method names map 1:1 to the engine commands you read in the docs.

import { Cipher } from "@shroudb/sdk";

const cipher = new Cipher({ token });
const ct = await cipher.encrypt({
  keyring: "payments",
  plaintext: card,
  context: "user-42",
});

Ship security infrastructure today.

Start on Cloud in a minute. Move to Moat whenever you want — your code doesn't change.