HeadlinesBriefing.com

Keeper Go Secret Store: Embedded Encryption for Local Apps

Hacker News

Keeper is an embeddable secret store for Go applications that uses Argon2id key derivation and XChaCha20-Poly1305 encryption by default. The library provides four security levels, per-bucket DEK isolation, and tamper-evident audit chains, designed as a lightweight alternative to Vault for local encrypted storage. It's built for situations where environment variables feel too exposed and you need something more secure.
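The page does not describe how Keeper's audit chain is laid out, so the following is an added example (not Keeper's code) of the standard construction behind "tamper-evident": an HMAC-SHA256 chain in stdlib Go where each record commits to its predecessor, plus the out-of-band head a verifier needs to notice truncation. The record fields, separator format and the demo key are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Entry is one audit record. Tag is HMAC-SHA256 over the record's position, the
// previous Tag and the fields, so each entry commits to its predecessor and any
// edit, reordering or deletion breaks every later link.
type Entry struct {
	Action, Bucket, Name string // e.g. "get", "prod-db", "password" (assumed fields)
	Prev, Tag            []byte // Prev is all-zero for the first entry
}

func tagOf(key []byte, seq int, e Entry) []byte {
	m := hmac.New(sha256.New, key)
	// length-prefixed fields, so bytes shifted between fields cannot collide
	fmt.Fprintf(m, "%d|%x|%d:%s|%d:%s|%d:%s", seq, e.Prev,
		len(e.Action), e.Action, len(e.Bucket), e.Bucket, len(e.Name), e.Name)
	return m.Sum(nil)
}

// Append links a new record to the current head of the chain.
func Append(chain []Entry, key []byte, action, bucket, name string) []Entry {
	e := Entry{Action: action, Bucket: bucket, Name: name, Prev: make([]byte, sha256.Size)}
	if n := len(chain); n > 0 {
		e.Prev = chain[n-1].Tag
	}
	e.Tag = tagOf(key, len(chain), e)
	return append(chain, e)
}

// Verify recomputes every tag and link. head is the latest Tag saved out of band
// (separate file, remote log line); without it a silently truncated chain still
// verifies, because every prefix of a valid chain is internally consistent.
func Verify(chain []Entry, key, head []byte) error {
	prev := make([]byte, sha256.Size)
	for i, e := range chain {
		if !hmac.Equal(e.Prev, prev) || !hmac.Equal(e.Tag, tagOf(key, i, e)) {
			return fmt.Errorf("entry %d: record altered or link broken", i)
		}
		prev = e.Tag
	}
	if head != nil && !hmac.Equal(prev, head) {
		return fmt.Errorf("head mismatch: entries dropped after the recorded head")
	}
	return nil
}
```

The MAC key should be separate from the data keys and, ideally, not writable by the process that appends, otherwise whoever can edit the log can also re-sign it.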

The system partitions secrets into buckets with immutable security policies that can't be changed after creation. LevelPasswordOnly buckets unlock automatically with the master passphrase, while LevelAdminWrapped requires individual admin credentials for each bucket. LevelHSM and LevelRemote delegate key management to hardware security modules or remote KMS services like HashiCorp Vault Transit, AWS KMS, and GCP Cloud KMS.

Keeper ships as three independent components: a Go library for embedding hardened secret stores, an HTTP handler for mounting endpoints with access control, and a CLI with a persistent REPL session. The author explicitly invites security researchers to find edge cases, race conditions, and crypto misuse, noting the project is early enough for meaningful feedback before production deployment.