Bastion is a single-user controlled, multi-tenant E2EE secrets dashboard built with Go and React. It provides a secure, self-hosted fortress to manage multiple client secrets via a powerful CLI and a modern dashboard UI, ensuring data stays private with a robust blind-backend architecture.
- End-to-End Encryption (E2EE): All secrets are encrypted client-side (CLI or Dashboard UI) before reaching the server.
- Key Wrapping: Uses a multi-layered key hierarchy (Master Key -> Project Data Key -> Secret).
- Blind Backend: The server never processes or stores plaintext secrets or raw keys.
- Multi-User Access: The admin can delegate project-specific access to Collaborators using secure re-wrapping techniques.
- Audit Logging: Every sensitive operation is cryptographically linked and logged.
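
The key hierarchy and collaborator re-wrapping listed above can be sketched as follows. This is an added illustration, not Bastion's own code: AES-256-GCM, the `nonce || ciphertext || tag` blob layout, and every function and type name here are assumptions, since this README does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

type Key [32]byte // AES-256-GCM is an assumed cipher; the README names none
func random(b []byte) []byte {
	if _, err := rand.Read(b); err != nil {
		panic(err) // no safe fallback without a CSPRNG
	}
	return b
}
func newKey() (k Key) { random(k[:]); return k }

func aead(k Key) cipher.AEAD {
	b, _ := aes.NewCipher(k[:]) // cannot fail: the key is always 32 bytes
	g, _ := cipher.NewGCM(b)    // cannot fail for an AES block
	return g
}

func seal(k Key, pt []byte) []byte { // returns nonce || ciphertext || tag
	nonce := random(make([]byte, 12))
	return aead(k).Seal(nonce, nonce, pt, nil)
}

func open(k Key, blob []byte) ([]byte, error) { // errors on wrong key or tampering
	if len(blob) < 12 {
		return nil, fmt.Errorf("blob too short: %d bytes", len(blob))
	}
	return aead(k).Open(nil, blob[:12], blob[12:], nil)
}

// rewrap runs client-side: unwrap the project data key with the admin's master key, wrap it for a collaborator.
func rewrap(admin, collab Key, wrappedDK []byte) ([]byte, error) {
	dk, err := open(admin, wrappedDK)
	if err != nil {
		return nil, err
	}
	return seal(collab, dk), nil
}

func main() {
	admin, collab, dk := newKey(), newKey(), newKey()
	shared, err := rewrap(admin, collab, seal(admin, dk[:]))
	fmt.Println(len(shared), err)
}
```

In this sketch the server would store only the sealed blobs; granting access adds one more wrapped copy of the project data key and leaves the secret ciphertexts unchanged.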
For detailed information on how to use Bastion, please refer to the following guides:
- Getting Started: Prerequisites and initial project setup.
- Configuration: Detailed explanation of environment variables and configuration settings.
- Initial Steps: How to start the database, initialize the dashboard, and run the services.
- Local Development Workflow: A practical guide to using the CLI for daily secret management.
- CLI Reference: Full command reference for the Bastion CLI.
- Installation Options: How to install Bastion on Linux, macOS, and Windows.
Please see CONTRIBUTING.md for detailed development instructions.
This project is licensed under the MIT License - see the LICENSE file for details.
Built with ❤️ by dcdavidev
