Broker for Attestation, Secrets, Identity & Leases

    Basil is a small agent that gives your workloads identity, secrets, signatures, and short-lived credentials, without putting private keys in their hands. Keys stay inside a Vault-compatible backend and are used in place; Basil attests every caller from the kernel, checks a default-deny policy, and brokers the operation, not the key.

    Basil request flow: a workload calls Basil over a local Unix socket; Basil attests the caller from the kernel, checks a default-deny policy, and brokers the operation against a Vault-compatible backend where keys stay in place, recording every decision to an audit log.

    Why Basil

    You don't want secrets on disk. Each one risks being read, leaked, or backed up by accident, and you can't easily log who used it or when. Basil removes that risk: with the default in-place backend, neither your app nor Basil ever touches the secret bytes. When a service needs to sign or decrypt, Basil asks the backend to do it and the key never leaves. When a service needs to prove who it is, Basil mints a credential that expires in minutes. And before Basil does anything, it confirms, via the operating-system kernel, exactly which process is asking.

    The result: fewer secrets that can be stolen, short-lived ones where you can't avoid them, and a clear, auditable answer to "who's asking for what, and are they allowed?"

    What's in the name

    🛡️ Attestation

    Basil reads the caller's identity straight from the kernel (SO_PEERCRED: uid, gid, pid). No shared password, no bearer token to steal; the OS itself vouches for who's on the line.

    🔑 Secrets

    Sign, verify, encrypt, decrypt, fetch, store, rotate. Keys stay in the vault and are used in place; Basil owns AEAD nonces, so a caller can't reuse one by accident.

    🪪 Identity

    Workload identity via the open SPIFFE standard (X.509 and JWT SVIDs), so services prove who they are without credentials baked into images or config.

    ⏳ Leases

    When a raw secret won't do, Basil mints short-lived, narrowly scoped credentials (NATS JWTs, SPIFFE tokens) that expire on their own. Authority for exactly as long as you need it.
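As an added illustration of the attestation and policy steps above, not code from Basil itself: a Go sketch that reads the caller's uid, gid and pid from the kernel with SO_PEERCRED, evaluates a default-deny rule table, and produces an audit line for the decision. The `Rule` and `Policy` types, the `decide` function and the in-process socketpair standing in for Basil's Unix socket are assumptions made for this example; it runs on Linux only.

```go
package main

import (
	"fmt"
	"os"
	"syscall"
)

// Rule grants one uid one operation on one key. Policy is default-deny: a request that
// matches no rule is refused, whatever the caller claims about itself. (Types assumed here.)
type Rule struct {
	Uid     uint32
	Op, Key string
}
type Policy []Rule

// decide attests the caller and evaluates the policy. The caller's identity is read with
// SO_PEERCRED (Linux only) from the broker's end of the Unix socket; nothing sent over the
// socket is consulted, the kernel itself supplies uid, gid and pid. A server holding a
// net.UnixConn obtains fd via conn.SyscallConn().Control. The second result is an audit line.
func decide(p Policy, fd int, op, key string) (bool, string) {
	c, err := syscall.GetsockoptUcred(fd, syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	if err != nil {
		return false, fmt.Sprintf("deny op=%s key=%s reason=attestation-failed err=%v", op, key, err)
	}
	who := fmt.Sprintf("uid=%d gid=%d pid=%d op=%s key=%s", c.Uid, c.Gid, c.Pid, op, key)
	for _, r := range p {
		if r.Uid == c.Uid && r.Op == op && r.Key == key {
			return true, "allow " + who
		}
	}
	return false, "deny " + who + " reason=no-matching-rule"
}

func main() {
	// A connected AF_UNIX socketpair stands in for the broker's listening socket:
	// fds[0] is the broker's end, fds[1] the workload's (constructed for this example).
	fds, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if err != nil {
		panic(err)
	}
	defer syscall.Close(fds[0])
	defer syscall.Close(fds[1])
	policy := Policy{{Uid: uint32(os.Geteuid()), Op: "sign", Key: "svc-a"}}
	_, line := decide(policy, fds[0], "sign", "svc-a") // rule matches: allowed
	fmt.Println(line)
	_, line = decide(policy, fds[0], "decrypt", "svc-a") // no rule for decrypt: refused
	fmt.Println(line)
}
```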

    Start here

    New to Basil?

    What is Basil explains the model and the threat it addresses. How it works walks the request path.

    Want to try it?

    The Quickstart boots a throwaway backend and drives the broker end to end in under five minutes.

    Running it?

    The Configuration reference and Operations guides are the operator runbook.

    Building against it?

    See the Rust client, Go client, and integration patterns.

    Basil is under active development. Pages mark deliberate gaps as roadmap and shipped capability as implemented. See the feature matrix for the full breakdown.