zstrikehq/questore

questore

A self-hosted secret store. Secrets are encrypted with AES-256-GCM and stored in SQLite.

Server

Requires environment variables:

QUESTORE_ENCRYPTION_KEY=<64 hex chars>
QUESTORE_ADMIN_TOKEN=<your-admin-token>
QUESTORE_READ_TOKEN=<your-read-token>
QUESTORE_DB_PATH=./vault.db        # optional, default: ./vault.db
QUESTORE_PORT=8080                  # optional, default: 8080

Deploy with Docker or directly to Fly.io:

cd questore-server
# Change `app` in fly.toml to a unique name
fly deploy
fly secrets set \
  QUESTORE_ENCRYPTION_KEY=$(openssl rand -hex 32) \
  QUESTORE_ADMIN_TOKEN=$(openssl rand -hex 24) \
  QUESTORE_READ_TOKEN=$(openssl rand -hex 24)

CLI

Install from releases or build from source:

cd questore-cli
cargo build --release

Setup

Option 1 — interactive:

questore auth

Prompts for server URL and token, validates credentials, and saves to ~/.config/questore/config.toml.

Option 2 — environment variables:

export QUESTORE_SERVER_URL=https://your-server.fly.dev
export QUESTORE_TOKEN=your-token

Env vars take precedence over the config file.

Usage

questore set /acme/myapp/prod/DB_URL postgres://localhost
questore get /acme/myapp/prod/DB_URL
questore list /acme/myapp/prod/
questore list /acme/myapp/prod/ --values
questore delete /acme/myapp/prod/DB_URL

Output formats

questore list /acme/myapp/ --format table   # default, includes timestamps
questore list /acme/myapp/ --format env     # KEY=VALUE pairs (auto-fetches values)
questore list /acme/myapp/ --format json    # JSON array (auto-fetches values)

Docker Entrypoint

Use questore to inject secrets as environment variables at container startup.

docker-entrypoint.sh:

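#!/bin/sh
set -e
# Fetch first: `export $(...)` would hide a questore failure from `set -e`.
secrets=$(questore list /acme/myapp/prod/ --format env)
# Unquoted expansion splits on whitespace and expands globs, so values must contain neither.
export $secrets
exec "$@"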

Dockerfile:

COPY --from=questore /questore /usr/local/bin/questore
COPY docker-entrypoint.sh /docker-entrypoint.sh
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["node", "server.js"]

Set QUESTORE_SERVER_URL and QUESTORE_TOKEN as environment variables in your container runtime.
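
A stricter variant of the entrypoint, as an added example that is not part of the questore project: it stops the container when the fetch fails and exports each value verbatim, including spaces and glob characters. It assumes `--format env` prints one unquoted KEY=VALUE pair per line; `import_env` and `load_secrets` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not questore project code. Assumption: `questore list --format env`
# prints one unquoted KEY=VALUE pair per line. Function names are hypothetical.
set -eu

# import_env: read KEY=VALUE lines from stdin and export each one verbatim.
import_env() {
  while IFS= read -r line || [ -n "$line" ]; do
    [ -z "$line" ] && continue
    case "$line" in
      *=*) ;;
      *) echo "entrypoint: malformed line from questore" >&2; return 1 ;;
    esac
    key=${line%%=*}
    value=${line#*=}
    # Accept only valid shell variable names; never echo the value itself.
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "entrypoint: refusing variable name '$key'" >&2; return 1 ;;
    esac
    export "$key=$value"
  done
}

# load_secrets PREFIX: fetch, then import. Any failure returns non-zero so the
# container stops instead of starting the application without its secrets.
load_secrets() {
  # A plain assignment keeps questore's exit status; `export $(...)` discards it.
  secrets=$(questore list "$1" --format env) || {
    echo "entrypoint: questore list failed for $1" >&2; return 1; }
  # Design choice: an empty result (for example a mistyped prefix) is an error.
  [ -n "$secrets" ] || { echo "entrypoint: no secrets under $1" >&2; return 1; }
  import_env <<EOF || return 1
$secrets
EOF
  unset secrets line key value
}

# In docker-entrypoint.sh the last two lines would be:
#   load_secrets /acme/myapp/prod/
#   exec "$@"
```

Under the one-pair-per-line assumption, a secret whose value spans several lines is rejected as malformed rather than exported in part.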

API

All secret endpoints require Authorization: Bearer <token>.

Method  Path                 Description
GET     /alive               Health check (no auth)
GET     /auth/verify         Validate token
GET     /secrets?path=/a/b   Get a secret
GET     /secrets?prefix=/a/  List secrets
PUT     /secrets             Create/update a secret
DELETE  /secrets?path=/a/b   Delete a secret

Permissions

Operation             Admin  Read
Get secret            Yes    Yes
List secrets          Yes    Yes
Create/update secret  Yes    No
Delete secret         Yes    No

License

MIT
