Private API Key Management & Zero-Knowledge Infrastructure
Pribado is a self-hostable, zero-knowledge platform for managing API keys, encrypted secrets, and private communications. Built on Oasis Sapphire for hardware-backed confidential computing.
- Store API keys (OpenAI, Anthropic, Google, etc.) encrypted
- Generate proxy keys (`priv_xxx`) to use instead of exposing real keys
- Automatic key rotation with webhook notifications
- Zero-knowledge: server stores encrypted blobs it cannot decrypt
- Password manager with AES-256-GCM encryption
- Keys derived from your wallet signature (never stored)
- Backup to Oasis Sapphire blockchain
- Cross-device sync via encrypted chain storage
- End-to-end encrypted real-time messaging
- No accounts, no identity tracking
- Messages exist only in transit (not stored)
- Ephemeral session keys
- Sign PDFs with digital signatures
- Anchor document hashes to Sapphire blockchain
- Immutable proof of existence and integrity
- Double-layer encryption: Wallet-derived keys + server enclave
- Hardware TEE: Oasis Sapphire confidential smart contracts
- Zero-knowledge: Server cannot read your data
- Rate limiting: IP-based spam/abuse protection
- Node.js v20+
- npm v10+
```bash
# Clone the repository
git clone https://github.com/0xrlawrence/Pribado.git
cd Pribado
# Install dependencies
npm install
# Create environment file
cp .env.local.example .env.local
# Generate encryption secret
echo "ENCLAVE_SECRET=$(openssl rand -hex 32)" >> .env.local
# Build and run
npm run build
npm start
```

Open http://localhost:3000 in your browser.
```bash
docker-compose up -d
```

| Variable | Description | Required |
|---|---|---|
| `ENCLAVE_SECRET` | 64-char hex encryption key | Yes |
| `SAPPHIRE_PRIVATE_KEY` | Oasis wallet private key | Optional |
| `SAPPHIRE_RPC_URL` | Oasis RPC endpoint | Optional |
See SELF_HOSTING.md for complete deployment guide.
Manage API keys from the command line:
```bash
# Install globally
npm install -g pribado-cli
# Or use npx
npx pribado-cli
# Set up wallet
pribado init
# Add an API key
pribado keys add
# View your keys
pribado keys
# Revoke a key
pribado keys revoke
```

See cli/README.md for full documentation.
Pribado implements a zero-knowledge architecture:
```
User's Wallet Signature
        ↓
PBKDF2 (100,000 iterations)
        ↓
Encryption Key (exists ONLY in browser memory)
        ↓
AES-256-GCM Encryption
        ↓
Encrypted blob sent to server
```
Result: Server stores encrypted data it CANNOT decrypt.
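
The flow above, written out as an added Node.js example (not Pribado's own code). The random per-secret salt, the SHA-256 PRF for PBKDF2, the `salt | iv | tag | ciphertext` blob layout and all function names are assumptions made for illustration; the sample signature and secret are constructed.

```javascript
// Added example, not Pribado's code. Salt source, SHA-256 PRF and the
// salt|iv|tag|ciphertext blob layout are assumptions made for illustration.
const crypto = require('node:crypto');

const ITERATIONS = 100000; // iteration count stated in the README

// Client side: stretch the wallet signature into a 256-bit AES key.
function deriveKey(walletSignature, salt) {
  return crypto.pbkdf2Sync(walletSignature, salt, ITERATIONS, 32, 'sha256');
}

// Client side: encrypt a secret; only the returned blob goes to the server.
function sealSecret(walletSignature, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce, fresh per message
  const key = deriveKey(walletSignature, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]);
}

// Client side: re-derive the key from the signature and decrypt.
// Throws if the signature is wrong or the blob was modified (GCM tag check).
function openSecret(walletSignature, blob) {
  if (blob.length < 44) throw new Error('blob too short');
  const salt = blob.subarray(0, 16);
  const iv = blob.subarray(16, 28);
  const tag = blob.subarray(28, 44);
  const key = deriveKey(walletSignature, salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  const pt = Buffer.concat([decipher.update(blob.subarray(44)), decipher.final()]);
  return pt.toString('utf8');
}

// Returns true if the blob opens, false on authentication failure.
function canOpen(walletSignature, blob) {
  try { openSecret(walletSignature, blob); return true; } catch { return false; }
}

// Constructed sample values (not a real signature or API key).
const signature = '0x' + 'ab'.repeat(65);
const blob = sealSecret(signature, 'sk-constructed-example-key');
const tampered = Buffer.from(blob);
tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
console.log(openSecret(signature, blob));           // original secret
console.log(canOpen('0x' + 'cd'.repeat(65), blob)); // different signature
console.log(canOpen(signature, tampered));          // modified blob
```

In this sketch the key depends only on the signature and the salt stored in the blob, so the wallet must return the same signature for the same message every time; a different signature derives a different key and the blob cannot be opened.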
For detailed security documentation, see SECURITY.md.
| Layer | Technology |
|---|---|
| Frontend | Next.js 14, React, TailwindCSS |
| Encryption | AES-256-GCM, PBKDF2, Argon2id |
| Blockchain | Oasis Sapphire (TEE) |
| Database | SQLite (WAL mode) |
| Transport | HTTPS/TLS 1.3 |
| Real-time | Socket.IO |
Contributions are welcome! Please read CONTRIBUTING.md first.
- Fork the repository
- Create a feature branch (`git checkout -b feature/amazing-feature`)
- Commit your changes (`git commit -m 'feat: add amazing feature'`)
- Push to the branch (`git push origin feature/amazing-feature`)
- Open a Pull Request
If you find this project useful, consider supporting its development:
Mainnet access requires a minimal $1/month fee to prevent spam and support infrastructure.
This project is provided as-is for personal and educational use. Not designed for enterprise scaling. If you choose to use this in a production environment, you do so at your own risk.
For enterprise use, you are encouraged to self-host and create your own infrastructure.
MIT License - see the LICENSE file for details.
Built with ❤️ for privacy