1The premise
An owner-operator with half a dozen to a dozen services — on a laptop, a Mac mini, EC2 instances, a server in another country — accumulates the same three problems: nobody knows what is running where, every machine holds API credentials its own way, and every SQLite database is backed up differently or not at all.
Keep answers all three with one deliberately small mechanism: give every deployment a cryptographic identity, then attach three passive capabilities to it — report status, lease secrets, deposit backups. One binary, one instance, one bucket, one key.
2The principle
Keep has no operational power over the services that use it. It does not start, stop, restart, deploy, restore, or run commands on their behalf. Each service remains independently operated and fully responsible for its own runtime behavior. Credentials and backups are opaque objects: Keep stores and returns them but never interprets their contents or uses them to act on anything.
The test for every future feature: does it merely record, store, or provide something — or does it cause another service to act? The latter stays out.
3What it holds
A registry of services and deployments
Every deployment reports in every five minutes over a signed request: health,
running revision, uptime, which secret versions it holds. Keep records only the
latest state — it is an inventory, not a monitoring platform. A deployment that
falls silent for fifteen minutes shows offline. Each service's
running revision is compared against a source revision published from outside,
yielding a plain verdict: current, different, or
unknown.
Custody of credentials
Secrets are named per service — openai, email-provider,
aws-archive — encrypted under AWS KMS with the service, name, and
version cryptographically bound to the ciphertext. Values enter through the
administrative API and leave only through deployment leases; there is no
endpoint that reads a secret back to an administrator, only a hash to verify what
was stored. Leases are soft: a freshness contract for cooperating clients, renewed
twice a day, never mistaken for revocation — only the upstream provider can truly
revoke a credential, and the design refuses to pretend otherwise.
An archive of database backups
Each service names its SQLite databases; each deployment validates and snapshots
them consistently (VACUUM INTO), gzips the snapshot, and uploads it
with a declared length and digest. Keep verifies size and checksum while streaming
the compressed bytes into a versioned S3 bucket — never spooling them to its own
disk, never looking inside. Backups are retained ninety days by default, retrievable
only by an administrator, and every download is an audit event. There is no restore
endpoint: restoration is a human decision, made with a downloaded file.
4How it speaks
Everything is an API. There is no web console, no sessions, no passwords. Two kinds of principal exist — administrators and deployments — and both authenticate the same way: mutual TLS with pinned Ed25519 keys. Each machine generates its own key and self-signed certificate; the administrator registers the public-key fingerprint; the TLS handshake itself proves identity on every request. Private keys never leave the machines that generated them.
Deployment endpoints use /self — the authenticated key already says
who is calling, so a client cannot name, or impersonate, anyone else:
PUT /v1/self/status
POST /v1/self/secrets/{name}/lease
POST /v1/self/databases/{name}/backups
GET /v1/self/databases/{name}/backups
A lease response, in its entirety:
{
"name": "openai",
"version": 7,
"issued_at": "2026-07-12T16:00:00Z",
"refresh_after": "2026-07-13T04:00:00Z",
"soft_lease_until": "2026-07-13T16:00:00Z",
"payload": { "api_key": "…" }
}
The whole apparatus is one Go binary and one of everything it needs:
Administrator (CLI, scripts) Deployed services
\ (MacBook, Mac mini, EC2, remote servers, …)
\ /
\ HTTPS + mTLS (Ed25519 client keys)
\ /
+--------------------------------+
| keep |
| single Go binary, one process |
| API + authorization |
| registry & status |
| secret delivery |
| backup streaming |
| audit log |
| local SQLite metadata DB |
+---------------+----------------+
|
+---------+---------+
| |
AWS KMS Amazon S3
secret encryption backup objects +
metadata-DB backups
5What it refuses to do
Most of Keep's design is subtraction. It provides no web interface, no user accounts, no CI/CD, no redeployment or restart of anything, no automatic credential rotation, no automated database restoration, no git-provider integrations, no metrics or log aggregation, no remote command execution of any kind. A compromise of Keep is treated, honestly, as a compromise of everything it holds — which is precisely why it holds little, does less, and audits all of it.