db-keystore backend
This example runs the unified basil binary against the optional db-keystore backend and uses
the same binary as the CLI to mint a JWT, encrypt/decrypt, and sign/verify. It lives at
examples/db-keystore/ in the Basil tree.
What it shows
db-keystore stores keys in an embedded encrypted SQLite-compatible database (turso). It's a
materialize-to-use custody choice: a different, explicit tradeoff from the default in-place
Vault-compatible backend. See Backends & custody.
The default build does not include db-keystore. Basil must be compiled with
--features db-keystore, so the build step in the example's run.sh needs the Rust toolchain the
workspace pins (Rust 1.96) installed.
The files
| File | Purpose |
|---|---|
| catalog.template.json | A small catalog with one kind: "keystore" backend. |
| policy.template.json | A policy template rendered for your current uid. |
| db-keystore.env | Paths and key names used by the runner. |
| basil-agent.toml | Generated under the workdir by run.sh. |
| README.md | The example's own walkthrough. |
| run.sh | The end-to-end driver. |
Running it
Run it from the repository root or from the example directory:
examples/db-keystore/run.sh
The runner:
- builds basil-bin with the db-keystore feature (or uses a prebuilt binary when BASIL_BIN is exported),
- creates a sealed bundle containing a generated DbKeystoreDek with basil bundle create,
- writes a TOML agent config,
- starts the daemon with basil agent on a Unix socket,
- waits for startup reconcile to generate the demo signing and AEAD keys, then
- exercises the broker through the basil CLI (mint-jwt, sign/verify, encrypt/decrypt).
Runtime files are written under /tmp/basil-db-keystore-example by default. Set
BASIL_EXAMPLE_WORKDIR before running to use another directory.
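The default workdir is a fixed path under /tmp, which every local user shares, so you may prefer to point BASIL_EXAMPLE_WORKDIR at a directory only your uid can access before the sealed bundle, agent config and socket are written there. The script below is an added example, not part of the Basil tree: the helper names and the preference for XDG_RUNTIME_DIR are assumptions, and it says nothing about how run.sh itself creates its directory.

```shell
# Added example (not from the Basil tree). Helper names are hypothetical.

# Create a fresh, unpredictably named directory with mode 0700 and print it.
# Optional $1 overrides the parent (default: XDG_RUNTIME_DIR, TMPDIR, /tmp).
make_private_workdir() {
    local base dir
    base="${1:-${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}}"
    dir="$(umask 077 && mktemp -d "${base%/}/basil-db-keystore.XXXXXXXX")" || return 1
    chmod 700 "$dir" || return 1
    printf '%s\n' "$dir"
}

# Succeed only if $1 is a real directory (not a symlink), owned by the
# current user, with no group or other permission bits set.
check_private_workdir() {
    local dir mode
    dir="$1"
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1
    [ -O "$dir" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    mode="$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")" || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run the example from the repository root with a private workdir.
run_db_keystore_example() {
    BASIL_EXAMPLE_WORKDIR="$(make_private_workdir "$@")" || return 1
    check_private_workdir "$BASIL_EXAMPLE_WORKDIR" || return 1
    export BASIL_EXAMPLE_WORKDIR
    examples/db-keystore/run.sh
}
```

Source the file and call run_db_keystore_example from the repository root; remove the directory afterwards, since it holds the example's sealed bundle and database.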
Where to go next
- Backends & capabilities: how a keystore-kind backend is declared.
- 1Password: the other keystore-kind backend, set up end to end.
- Quickstart: the in-place (Vault-compatible) path for comparison.