Basil is a small agent that gives your workloads identity, secrets, signatures, and short-lived credentials, without putting private keys in their hands. Keys stay inside a Vault-compatible backend and are used in place; Basil attests every caller from the kernel, checks a default-deny policy, and brokers the operation, not the key.

Why Basil
You don't want secrets on disk. Each one risks being read, leaked, or backed up by accident, and you can't easily log who used it or when. Basil removes that risk: with the default in-place backend, neither your app nor Basil ever touches the secret bytes. When a service needs to sign or decrypt, Basil asks the backend to do it and the key never leaves. When a service needs to prove who it is, Basil mints a credential that expires in minutes. And before Basil does anything, it confirms, via the operating-system kernel, exactly which process is asking.
The result: fewer secrets that can be stolen, short-lived ones where you can't avoid them, and a clear, auditable answer to "who's asking for what, and are they allowed?"
What's in the name
🛡️ Attestation
Basil reads the caller's identity straight from the kernel (SO_PEERCRED: uid, gid, pid).
No shared password, no bearer token to steal; the OS itself vouches for who's on the line.
🔑 Secrets
Sign, verify, encrypt, decrypt, fetch, store, rotate. Keys stay in the vault and are used in place; Basil owns AEAD nonces, so a caller can't reuse one by accident.
🪪 Identity
Workload identity via the open SPIFFE standard (X.509 and JWT SVIDs), so services prove who they are without credentials baked into images or config.
⏳ Leases
When a raw secret won't do, Basil mints short-lived, narrowly scoped credentials (NATS JWTs, SPIFFE tokens) that expire on their own. Authority for exactly as long as you need it.
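To make the attestation step concrete, here is an added Go example (not Basil's own code) of what "reading the caller from the kernel" means: the broker end of a Unix socket asks for SO_PEERCRED and then consults a default-deny policy keyed on the attested uid. The socketpair, the Policy type and the single "sign" rule are constructed for the demonstration; a real broker would read them from its configuration.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"syscall"
)

// PeerCredentials asks the kernel (SO_PEERCRED) who holds the other end of conn.
// uid, gid and pid are the kernel's own bookkeeping, not anything the client sent.
func PeerCredentials(conn *net.UnixConn) (*syscall.Ucred, error) {
	raw, err := conn.SyscallConn()
	if err != nil {
		return nil, err
	}
	var uc *syscall.Ucred
	var getErr error
	if err := raw.Control(func(fd uintptr) {
		uc, getErr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil {
		return nil, err
	}
	return uc, getErr
}

// Policy is a constructed default-deny table (uid -> granted ops); anything unlisted reads as false.
type Policy map[uint32]map[string]bool

func (p Policy) Allows(caller *syscall.Ucred, op string) bool { return p[caller.Uid][op] }

// AttestedPair stands in for a client connecting to the broker socket: it builds an
// in-process socketpair and returns the broker end's kernel view of the client end.
func AttestedPair() (*syscall.Ucred, error) {
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		return nil, err
	}
	defer syscall.Close(fds[1]) // client end, kept open only so the pair stays connected
	f := os.NewFile(uintptr(fds[0]), "broker")
	defer f.Close()
	conn, err := net.FileConn(f) // dups the fd into a *net.UnixConn
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return PeerCredentials(conn.(*net.UnixConn))
}

func main() { fmt.Println(AttestedPair()) }
```

Linux only: SO_PEERCRED and syscall.GetsockoptUcred are not available on other platforms.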
Start here
New to Basil?
What is Basil explains the model and the threat it addresses. How it works walks the request path.
Want to try it?
The Quickstart boots a throwaway backend and drives the broker end to end in under five minutes.
Running it?
The Configuration reference and Operations guides are the operator runbook.
Building against it?
See the Rust client, Go client, and integration patterns.
Basil is under active development. Pages mark deliberate gaps as roadmap; shipped capability as implemented. See the feature matrix for the full breakdown.