🔮 Grimoire API

Self-hosted Vault & Configuration Manager built with ASP.NET Core 10 and SQLite.


What is Grimoire?

Grimoire is a lightweight, self-hosted alternative to Azure Key Vault and Azure App Configuration. It lets you:

  • ๐Ÿ” Store secrets encrypted at rest with AES-256-GCM, versioned per environment
  • โš™๏ธ Manage configuration key-value flags scoped per application and environment
  • ๐Ÿ”‘ Issue API keys per application, hash-stored and rotatable without downtime
  • ๐Ÿงฉ Consume natively in .NET via a drop-in IConfigurationSource or typed HTTP client
  • ๐ŸŒ Support multiple environments โ€” local, staging, production, anything you need

Quick overview

┌─────────────────────────────────────────────────────┐
│                 Management plane                    │
│  Bearer token → CRUD for apps, envs, secrets, config│
└──────────────────────┬──────────────────────────────┘
                       │ stores encrypted at rest
                       ▼
              ┌─────────────────┐
              │   SQLite (EF)   │
              └────────┬────────┘
                       │ decrypts on read
                       ▼
┌─────────────────────────────────────────────────────┐
│                  Consumer plane                     │
│  X-Api-Key → read-only secrets + configuration      │
└─────────────────────────────────────────────────────┘

Feature highlights

๐Ÿท๏ธ Feature ๐Ÿ“ Description
Versioned secrets Every write creates a new version; old versions are kept for audit
Time-windowed access NotBefore and ExpiresAt on each secret version
Per-app API keys grm_ prefixed hex keys, PBKDF2-hashed in the database
AES-256-GCM encryption Nonce + tag + ciphertext stored as Base64; master key via HKDF
Azure-compatible consumer Response shape matches Azure Key Vault / App Config for easy migration
.NET IConfigurationSource Pull configs into builder.Configuration with one line
Docker-first Multi-stage Dockerfile, docker compose up, /health endpoint
100 tests 43 unit ยท 50 integration ยท 7 E2E (Testcontainers)
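
The storage format named in the table (nonce + tag + ciphertext as Base64, key via HKDF) looks like this with System.Security.Cryptography. This is an added example, not Grimoire's own code: the nonce|tag|ciphertext byte order, the HKDF info label, the per-environment key derivation and the SecretBox class name are all assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Constructed sample values. The HKDF info label, per-environment derivation and
// nonce|tag|ciphertext byte order are assumptions, not Grimoire's implementation.
byte[] masterKey = RandomNumberGenerator.GetBytes(32);
byte[] dataKey = HKDF.DeriveKey(HashAlgorithmName.SHA256, masterKey, 32,
    salt: null, info: Encoding.UTF8.GetBytes("example/secrets/production"));

string stored = SecretBox.Seal(dataKey, "Server=db;Password=constructed-sample");
Console.WriteLine(stored);                       // Base64 blob as it would sit in the DB
Console.WriteLine(SecretBox.Open(dataKey, stored));

// Flip one bit of the stored blob: GCM tag verification must reject it on read.
byte[] tampered = Convert.FromBase64String(stored);
tampered[^1] ^= 0x01;
try { SecretBox.Open(dataKey, Convert.ToBase64String(tampered)); }
catch (CryptographicException) { Console.WriteLine("tampered blob rejected"); }

static class SecretBox   // hypothetical helper name
{
    const int NonceSize = 12, TagSize = 16;      // standard AES-GCM sizes

    public static string Seal(byte[] key, string plaintext)
    {
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] blob = new byte[NonceSize + TagSize + pt.Length];
        Span<byte> nonce = blob.AsSpan(0, NonceSize);
        Span<byte> tag = blob.AsSpan(NonceSize, TagSize);
        RandomNumberGenerator.Fill(nonce);       // fresh random nonce for every write
        using var aes = new AesGcm(key, TagSize);
        aes.Encrypt(nonce, pt, blob.AsSpan(NonceSize + TagSize), tag);
        return Convert.ToBase64String(blob);
    }

    public static string Open(byte[] key, string stored)
    {
        byte[] blob = Convert.FromBase64String(stored);
        if (blob.Length < NonceSize + TagSize)
            throw new CryptographicException("stored blob is too short");
        byte[] pt = new byte[blob.Length - NonceSize - TagSize];
        using var aes = new AesGcm(key, TagSize);
        // Throws a CryptographicException if nonce, tag or ciphertext was modified.
        aes.Decrypt(blob.AsSpan(0, NonceSize), blob.AsSpan(NonceSize + TagSize),
                    blob.AsSpan(NonceSize, TagSize), pt);
        return Encoding.UTF8.GetString(pt);
    }
}
```

Because the nonce is random per call, sealing the same plaintext twice yields different blobs, which is what a versioned store needs when the same value is written again.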

Technology stack

| Layer | Technology |
|---|---|
| Runtime | .NET 10 / ASP.NET Core 10 |
| Database | SQLite via Entity Framework Core 10 |
| Encryption | AES-256-GCM + HKDF (System.Security.Cryptography) |
| Auth (management) | Bearer token middleware |
| Auth (consumer) | API key middleware + IPasswordHasher<T> |
| Validation | FluentValidation 11 |
| Mapping | Mapster 7 |
| Logging | Serilog (console + rolling file) |
| API docs | Swashbuckle / Swagger UI (two docs: management + consumer) |
| Container | Docker / Docker Compose |
| CI/CD | GitHub Actions + SonarCloud |
| Docs | Jekyll + Just the Docs (this site) |

Getting started

Head to Installation to run Grimoire in under five minutes, or read Architecture to understand how everything fits together.