Open Source · Apache 2.0

Arcan

Open-source secrets management

Store secrets. Generate dynamic credentials. Authenticate with SSO.
Full audit trail. Single binary. Zero dependencies.

From install to first secret in 3 minutes

Terminal
    $ brew install arcan
    ==> Installing arcan...
    ==> arcan v0.1.0 installed
    $ arcan server
    Arcan server started on :8200
    Admin token: arcan_s.xxxxxxxxxxxxxxxx
    $ arcan kv set DATABASE_URL "postgres://user:pass@db:5432/app"
    Secret stored: DATABASE_URL (version 1)
    $ arcan kv get DATABASE_URL
    postgres://user:pass@db:5432/app

Everything you need for secrets management

A complete platform, not just a key-value store.

KV Secrets

Versioned key-value store with TTL, metadata, and automatic rotation policies.

Dynamic Credentials

Generate short-lived database and cloud credentials on demand. Auto-revoke on expiry.

SSO Authentication

OIDC, SAML 2.0, and LDAP. Authenticate users via Okta, Azure AD, Google, and more.

RBAC

Fine-grained role-based access control. Policies, groups, and service accounts.

Audit Trail

Append-only, tamper-evident audit log. Every access, every change, every rotation.

TLS Everywhere

mTLS between nodes, auto-provisioned certificates, encrypted client connections.

Plugin System

12 official plugins. Write your own in 50 lines of Go. gRPC-based, hot-reloadable.

Secret Injection

Inject secrets into env vars, files, or Kubernetes pods. Zero code changes.

Declarative Config

Define policies, roles, and secrets as YAML. GitOps-native. Version everything.

Diagnostics

Built-in health checks, metrics endpoint, and arcan doctor for troubleshooting.

Encrypted at Rest

AES-256-GCM encryption. Seal/unseal workflow. Supports external KMS backends.

Multi-node

Raft consensus for HA. Automatic leader election, data replication, and failover.

12 official plugins

Databases, cloud providers, infrastructure, and security — all built in.

PostgreSQL
MySQL
MongoDB
Redis
AWS
Azure
GCP
SSH
Kubernetes
RabbitMQ
PKI
TOTP

Enterprise SSO out of the box

No enterprise license required. SSO is free for everyone.

OIDC

Google Workspace, Okta, Azure AD, Auth0, Keycloak

SAML 2.0

Okta, Azure AD, ADFS, OneLogin

LDAP

Active Directory, OpenLDAP, FreeIPA

Write a plugin in 50 lines of Go

The plugin SDK handles lifecycle, health checks, and gRPC transport. You write the logic.

plugin_redis.go
    package main

    import (
        "context"

        "github.com/redis/go-redis/v9"
        sdk "getarcan.dev/arcan/sdk/plugin"
    )

    // RedisPlugin issues dynamic Redis credentials through the Arcan plugin SDK.
    type RedisPlugin struct {
        client *redis.Client
    }

    // GenerateCredentials creates a short-lived Redis user with ACL rules.
    func (p *RedisPlugin) GenerateCredentials(ctx context.Context, req *sdk.Request) (*sdk.Credentials, error) {
        username := sdk.RandomID("arcan-")
        password := sdk.RandomPassword(32)

        // "~*" and "+@all" grant every key and every command; narrow them for least privilege.
        // Return the error so a failed ACL SETUSER never yields credentials that do not exist.
        err := p.client.Do(ctx, "ACL", "SETUSER", username, "on", ">"+password, "~*", "+@all").Err()
        if err != nil {
            return nil, err
        }

        return &sdk.Credentials{
            Username: username,
            Password: password,
            TTL:      req.TTL,
        }, nil
    }

    func main() {
        sdk.Serve(&RedisPlugin{
            client: redis.NewClient(&redis.Options{Addr: "localhost:6379"}),
        })
    }
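
A least-privilege variant of the ACL rules in the plugin above, as an added example that is not Arcan's own code. The helper ScopedACLArgs, its category allow-list and the sample values are assumptions made here; it only builds the ACL SETUSER arguments, so it runs without a Redis server.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Command categories a dynamic credential may request (hypothetical allow-list).
var allowedCategories = map[string]bool{
	"read": true, "write": true, "keyspace": true, "string": true,
	"hash": true, "list": true, "set": true, "sortedset": true, "pubsub": true,
}

// Restricting names keeps glob characters such as "*" out of the key pattern.
var safeToken = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)

// ScopedACLArgs returns ACL SETUSER arguments that confine the user to
// keys under "<keyPrefix>:" and to the requested command categories.
func ScopedACLArgs(username, password, keyPrefix string, categories []string) ([]string, error) {
	if !safeToken.MatchString(username) || !safeToken.MatchString(keyPrefix) {
		return nil, errors.New("username and key prefix must match [A-Za-z0-9_-]{1,64}")
	}
	if len(password) < 16 || strings.ContainsAny(password, " \t\r\n") {
		return nil, errors.New("password must be at least 16 characters with no whitespace")
	}
	if len(categories) == 0 {
		return nil, errors.New("at least one command category is required")
	}
	// "reset" clears rules left over from any earlier user with this name.
	args := []string{"ACL", "SETUSER", username, "reset", "on", ">" + password,
		"~" + keyPrefix + ":*"}
	for _, c := range categories {
		if !allowedCategories[c] {
			return nil, fmt.Errorf("category %q is not on the allow-list", c)
		}
		args = append(args, "+@"+c)
	}
	// Rules apply left to right, so these removals win over the grants above.
	return append(args, "-@admin", "-@dangerous"), nil
}

func main() {
	// Constructed sample values; only the key pattern and rules are printed.
	args, err := ScopedACLArgs("arcan-7f3a", "constructed-sample-password-0001", "app1", []string{"read", "write"})
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(args[6:], " "))
}
```

Because "all", "admin" and "dangerous" are not on the allow-list, a request cannot grant itself the ACL commands needed to create further users.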

Built for operators

Single binary. No JVM, no Node.js, no Python runtime. Just copy and run.

Single Binary

One binary, all platforms. Linux, macOS, Windows. amd64 and arm64. Under 30MB.

Zero Dependencies

Embedded SQLite for single-node. PostgreSQL optional for HA. No Redis, no Consul, no etcd.

Twelve-Factor Native

Configure via env vars, flags, or YAML. Runs in Docker, Kubernetes, systemd, or bare metal.

Built on Platform

Powered by opsplanetools/platform — 13 shared packages for config, crypto, logging, health, and more.

Ready to secure your secrets?

Arcan is free, open source, and Apache 2.0 licensed. Forever.