Skip to content

equitylayer/arcanum

BranchesTags

Repository files navigation

Arcanum

Self-sovereign secrets management on-chain, sealed with fully homomorphic encryption.

Why

Secret management today means trusting AWS, GCP, or HashiCorp with your keys. One breach, one subpoena, one insider, and your secrets are exposed.

Arcanum puts secrets on Ethereum, the most neutral platform, where only you control access. FHE ensures values are encrypted at rest and in transit.

How it works

Owner                          Contract                         Grantee
  |                               |                                |
  |-- createNamespace() --------->|  generates FHE namespace key   |
  |-- setSecret(key, enc, nsEnc)->|  generates FHE per-secret key  |
  |                               |  stores dual-encrypted values  |
  |-- grantAccess(addr) --------> |  FHE.allow(key, addr)          |
  |                               |                                |
  |                               |<---- getSecret(key) -----------|
  |                               |  returns encrypted blob        |
  |                               |                                |
  |                               |<---- decrypt via CoFHE --------|
  |                               |  FHE key -> AES key -> value   |

Dual encryption: each secret is encrypted twice — once with a per-secret FHE key (for secret-level grantees) and once with the namespace FHE key (for namespace-level grantees). No loops, all grant operations are O(1).

Access control: 2 layers with expiry support:

  • Namespace-level: read all secrets in the vault
  • Per-secret: read a single secret only

Architecture

arcanum/
  contracts/    Solidity: ArcanumVault.sol
  sdk/          TypeScript SDK: client, crypto, FHE integration
  cli/          CLI tool: manage secrets from the terminal
  dapp/         React dApp: web interface (Vite + Dynamic + wagmi)

Stack

  • Contracts: Solidity, Foundry, OpenZeppelin, Fhenix CoFHE
  • Encryption: FHE (TFHE via Fhenix) + AES-256-GCM hybrid
  • dApp: React, Vite, Tailwind, Dynamic (wallet + social login)
  • SDK: TypeScript, viem, @cofhe/sdk
  • CLI: Node.js, @arcanum/sdk
  • Chains: Base Sepolia, Anvil (local dev)

Requirements

Fhenix Solidity starter (with mods)

Quick start

yarn install
./dev.sh   # local dev with anvil + mocks

CLI

Install

yarn workspace @arcanum/sdk build && yarn workspace @arcanum/cli build && npm link ./cli

This builds the SDK and CLI, then registers arcanum as a global command.

Configure

Set your wallet private key (required for all commands):

export ARCANUM_PRIVATE_KEY=0x...

Optional environment variables:

Variable Description Default
ARCANUM_CHAIN_ID Target chain ID 84532 (Base Sepolia)
ARCANUM_RPC_URL Custom RPC endpoint chain default
ARCANUM_VAULT_ADDRESS Override vault contract address auto from deployment

These can also be passed as flags (--chain-id, --rpc-url, --vault-address).

Usage

Namespaces

Action Command
Create arcanum ns create --name <name>
Get arcanum ns get --id <id>
List own arcanum ns list
List by owner arcanum ns list --owner <address>
Grant access arcanum ns grant --id <id> --account <address-or-ens> [--expires <unix-ts>]
Revoke access arcanum ns revoke --id <id> --account <address-or-ens>
List grantees arcanum ns grantees --id <id>

Secrets

Action Command
Set arcanum secret set --ns <id> --key <key> --value <value>
Get arcanum secret get --ns <id> --key <key>
Delete arcanum secret delete --ns <id> --key <key>
List keys arcanum secret list --ns <id>
Grant access arcanum secret grant --ns <id> --key <key> --account <address-or-ens> [--expires <unix-ts>]
Revoke access arcanum secret revoke --ns <id> --key <key> --account <address-or-ens>
List grantees arcanum secret grantees --ns <id> --key <key>

Global flags

  • --chain-id <id> — Target chain (84532 Base Sepolia, 31337 local Anvil)
  • --rpc-url <url> — Custom RPC endpoint
  • --vault-address <addr> — Override vault contract address
  • --json — Machine-readable JSON output

Examples

arcanum ns create --name production
arcanum secret set --ns 0 --key DB_PASSWORD --value s3cret
arcanum secret get --ns 0 --key DB_PASSWORD
arcanum ns grant --id 0 --account agent1.passivecrypto.eth
arcanum secret grant --ns 0 --key DB_PASSWORD --account 0x1234...abcd --expires 1735689600

Claude Code Skill

Arcanum ships with a Claude Code skill. Once installed, use natural language:

/arcanum create a vault called "staging" and store all vars under ARCANUM.env
/arcanum share vault 0 with agent1.passivecrypto.eth
/arcanum list all secrets in vault 0
/arcanum revoke agent2.passivecrypto.eth from vault 0

Testing

cd contracts && forge test -v

AI disclosure

We used LLMs as engineering assistants for:

  • Coding assistance and pair programming
  • Documentation and knowledge discovery
  • UX design under guidance
  • Test generation and coverage analysis
  • Security evaluation

About

ETHGlobal Cannes 2026 hackathon

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages