# Hermit KMS

A secure, enterprise-grade Key Management System (KMS) built with modern web technologies. Hermit KMS provides a RESTful API for managing encryption keys, storing secrets, and handling cryptographic operations with multi-tier security controls.
## Installation

### Homebrew (macOS / Linux)

```bash
brew tap Ranaco/homebrew-hermit
brew install hermit
```

### npm

```bash
npm install -g @hermit-kms/cli
```

### Pre-built binary

Download the pre-built binary for your platform from GitHub Releases:

| Platform | Binary |
|---|---|
| Linux x64 | hermit-linux-x64 |
| macOS Intel | hermit-macos-x64 |
| macOS Apple Silicon | hermit-macos-arm64 |
| Windows x64 | hermit-win-x64.exe |

```bash
# Linux / macOS — make executable and move to PATH
chmod +x hermit-linux-x64
sudo mv hermit-linux-x64 /usr/local/bin/hermit
```

## Features

- Multi-Tier Security: Three levels of protection - authentication, vault-level passwords, and secret-level passwords
- Vault-Based Organization: Organize secrets into secure vaults with granular access control
- Version Control: Track changes to secrets with version history and commit messages
- Encryption Integration: Seamless integration with HashiCorp Vault for robust encryption
- RESTful API: Clean, documented API endpoints for all operations
- User Management: JWT-based authentication with role-based access control
- Audit Logging: Comprehensive logging for security and compliance
- TypeScript: Full type safety throughout the codebase
- Monorepo Architecture: Efficient development with shared packages using Turborepo

## Tech Stack

- Backend: Node.js, Express.js, TypeScript
- Database: PostgreSQL with Prisma ORM
- Encryption: HashiCorp Vault (Transit Engine)
- Authentication: JWT with bcrypt password hashing
- Build Tool: Turborepo for monorepo management
- Testing: Jest for unit and integration tests
- Linting: ESLint with custom configurations
- Code Quality: Prettier for formatting

## Project Structure

This project uses a monorepo structure with the following components:

### Apps

- api: Main Express.js REST API server
- hcv_engine: HashiCorp Vault integration engine

### Packages

- config-eslint: Shared ESLint configurations
- config-typescript: Shared TypeScript configurations
- error-handling: Centralized error handling utilities
- jest-presets: Jest testing configurations
- logger: Isomorphic logging library
- prisma: Database schema and client
- ui: Shared UI components (if applicable)
- vault-client: HashiCorp Vault client wrapper

## Prerequisites

- Node.js 18 or higher
- Yarn package manager
- Docker (for PostgreSQL and Vault services)
- Git

## Quick Start

For detailed setup instructions, see Quick Start Guide.

1. Clone the repository and install dependencies:

```bash
git clone <repository-url>
cd hermit
yarn install
```

2. Start PostgreSQL and HashiCorp Vault. Vault's dev server runs unsealed and in-memory with a fixed root token, so this setup is for local development only:

```bash
# Start PostgreSQL
docker run --name hermit-postgres \
  -e POSTGRES_PASSWORD=postgres \
  -e POSTGRES_DB=hermit \
  -p 5432:5432 \
  -d postgres:15-alpine

# Start HashiCorp Vault
docker run --name hermit-vault \
  -p 8200:8200 \
  -e 'VAULT_DEV_ROOT_TOKEN_ID=myroot' \
  -e 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
  --cap-add=IPC_LOCK \
  -d hashicorp/vault:latest
```

3. From the repository root, configure the API environment:

```bash
cd apps/api
cp .env.example .env
# Edit .env with your configuration
```

4. From the repository root, generate the Prisma client and run the initial migration:

```bash
cd packages/prisma
yarn prisma generate
yarn prisma migrate dev --name init
```

5. Build all packages and start the API in development mode:

```bash
cd ../..   # back to the repository root
yarn build
cd apps/api
yarn dev
```

The API will be available at http://localhost:5001.

## API Endpoints

### Authentication

- `POST /api/v1/auth/register` - Register new user
- `POST /api/v1/auth/login` - User login
- `POST /api/v1/auth/refresh` - Refresh access token

### Users

- `GET /api/v1/users/me` - Get current user profile

### Vaults

- `POST /api/v1/vaults` - Create a new vault
- `GET /api/v1/vaults` - List user vaults
- `PUT /api/v1/vaults/:id` - Update vault
- `DELETE /api/v1/vaults/:id` - Delete vault

### Keys

- `POST /api/v1/keys` - Create encryption key
- `GET /api/v1/keys` - List keys
- `POST /api/v1/keys/:id/encrypt` - Encrypt data
- `POST /api/v1/keys/:id/decrypt` - Decrypt data

### Secrets

- `POST /api/v1/secrets` - Store a secret
- `GET /api/v1/secrets` - List secrets (metadata only)
- `POST /api/v1/secrets/:id/reveal` - Reveal secret value
- `PUT /api/v1/secrets/:id` - Update secret (new version)
- `GET /api/v1/secrets/:id/versions` - Get version history
- `DELETE /api/v1/secrets/:id` - Delete secret

### Health

- `GET /health` - Basic health check
- `GET /status` - Detailed system status

All endpoints require proper authentication via JWT tokens in the Authorization header.

## Development

From the root directory:

```bash
yarn build    # Build all packages
yarn dev      # Start development servers
yarn lint     # Run linting
yarn test     # Run tests
yarn format   # Format code with Prettier
yarn clean    # Clean build artifacts
```

### Project Layout

```
hermit/
├── apps/
│   ├── api/                # Main API server
│   └── hcv_engine/         # Vault integration
├── packages/
│   ├── config-eslint/
│   ├── config-typescript/
│   ├── error-handling/
│   ├── jest-presets/
│   ├── logger/
│   ├── prisma/
│   ├── ui/
│   └── vault-client/
├── turbo.json              # Turborepo configuration
├── package.json            # Root package file
└── yarn.lock
```

### Database

```bash
cd packages/prisma
yarn prisma studio        # Open Prisma Studio
yarn prisma migrate dev   # Run migrations
yarn prisma db seed       # Seed database
```

### Testing

```bash
yarn test          # Run all tests
yarn test --watch  # Run tests in watch mode
```

## Deployment

For production deployment:

- Set `NODE_ENV=production`
- Use managed PostgreSQL and Vault services
- Configure strong JWT secrets
- Enable HTTPS with TLS
- Set up monitoring and logging
- Configure rate limiting
- Enable audit log retention
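An added pre-flight check for this checklist, not part of Hermit: it takes an environment map and reports settings that still carry the quick-start development values (the `postgres:postgres` database login, a local database, the `myroot` Vault dev token, plain-http Vault) or a weak JWT secret. Variable names are assumptions: `JWT_SECRET` is a guess at Hermit's name, `DATABASE_URL` follows Prisma's convention and `VAULT_ADDR` / `VAULT_TOKEN` follow Vault's.

```typescript
// Assumed names: JWT_SECRET (guess at Hermit's variable), DATABASE_URL (Prisma convention),
// VAULT_ADDR / VAULT_TOKEN (Vault convention). The flagged dev values come from the quick start.
export type Finding = { key: string; problem: string };

const DEV_VAULT_TOKEN = "myroot";              // VAULT_DEV_ROOT_TOKEN_ID from the quick start
const DEV_DB_USERINFO = "postgres:postgres@";  // POSTGRES_PASSWORD=postgres from the quick start

export function checkProductionEnv(env: Record<string, string | undefined>): Finding[] {
  const findings: Finding[] = [];
  const flag = (key: string, problem: string) => findings.push({ key, problem });

  if (env.NODE_ENV !== "production") flag("NODE_ENV", "must be 'production'");

  // A JWT signing secret that is short or repetitive is cheap to guess offline.
  const jwt = env.JWT_SECRET ?? "";
  if (jwt.length < 32) flag("JWT_SECRET", "shorter than 32 characters");
  else if (new Set(jwt).size < 10) flag("JWT_SECRET", "too few distinct characters");

  // Managed PostgreSQL: no quick-start login, no localhost, TLS on the connection.
  const db = env.DATABASE_URL ?? "";
  if (!db) flag("DATABASE_URL", "not set");
  else {
    if (db.includes(DEV_DB_USERINFO)) flag("DATABASE_URL", "uses the quick-start dev credentials");
    if (/@(localhost|127\.0\.0\.1)[:/]/.test(db)) flag("DATABASE_URL", "points at a local database");
    if (!/[?&]sslmode=require\b/.test(db)) flag("DATABASE_URL", "sslmode=require not set");
  }

  // Managed Vault: reached over TLS and never with the dev server's root token.
  const vault = env.VAULT_ADDR ?? "";
  if (!vault.startsWith("https://")) flag("VAULT_ADDR", "must use https");
  if (!env.VAULT_TOKEN) flag("VAULT_TOKEN", "not set");
  else if (env.VAULT_TOKEN === DEV_VAULT_TOKEN) flag("VAULT_TOKEN", "is the quick-start dev root token");

  return findings;
}
```

Run it at startup and refuse to boot when the list is non-empty; `findings` maps directly onto the first four items of the checklist.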

## Security

- All secrets are encrypted at rest using HashiCorp Vault
- Passwords are hashed with bcrypt
- JWT tokens have configurable expiration
- Multi-tier access control prevents unauthorized access
- Audit logs track all operations
- Rate limiting protects against abuse

## Contributing

See CONTRIBUTING.md for setup instructions, commit conventions, the PR process, and changeset requirements.

## License

MIT — see LICENSE.

## Support

- Setup issues: docs/quickstart.md
- Bugs: open an issue
- Security vulnerabilities: see SECURITY.md

## Roadmap

- API documentation with Swagger/OpenAPI
- Multi-factor authentication (MFA)
- Organization and team management
- Secret sharing and permissions
- Integration with cloud KMS providers
- Web dashboard UI
- Audit log retention policies
- Backup and disaster recovery