Architecture
What Is Arcan
Arcan is an open-source secrets management platform. It stores static secrets (key-value), generates dynamic credentials on demand via plugins, and provides policy-based access control with full audit trails. A single Go binary ships the core; all dynamic credential engines are installable plugins.
System Overview
```
┌──────────────────────────────────────────────────────┐
│                  ARCAN CORE BINARY                   │
│                                                      │
│  ┌──────────┐  ┌──────────┐  ┌──────────────────┐    │
│  │ KV Engine│  │ Auth     │  │ Policy (RBAC)    │    │
│  └──────────┘  └──────────┘  └──────────────────┘    │
│  ┌──────────┐  ┌──────────┐  ┌──────────────────┐    │
│  │ Audit    │  │ Crypto   │  │ Plugin Runtime   │    │
│  └──────────┘  └──────────┘  └──────────────────┘    │
│  ┌──────────────────┐  ┌───────────────────────┐     │
│  │ Store (SQLite/PG)│  │ TLS (auto-generated)  │     │
│  └──────────────────┘  └───────────────────────┘     │
└──────────────────────────┬───────────────────────────┘
                           │ loads .arcanpkg packages
              ┌────────────┴────────────┐
  ┌───────────┴────────┐    ┌───────────┴─────────┐
  │ Public Registry    │    │ Enterprise Registry │
  │ postgres, mysql,   │    │ ssh-proxy, kmip,    │
  │ aws, gcp, azure,   │    │ break-glass, fleet  │
  │ redis, pki, ssh    │    │ management, etc.    │
  └────────────────────┘    └─────────────────────┘
```
What ships in core: KV engine, Auth, Policy, Audit, Crypto, Store, Plugin Runtime, Registry Client.
No dynamic credential engine is built in. PostgreSQL, MySQL, AWS, MongoDB, PKI, SSH CA and the rest are all plugins installed from a registry.
Deployment Modes
| Mode | Database | Master Key | Use Case |
|---|---|---|---|
| Standalone | SQLite + WAL | Local file (auto-generated) or KMS | Single node, dev, self-hosted, small teams |
| Multi-node | PostgreSQL | KMS required (AWS, GCP, Azure) | HA, multiple nodes, production at scale |
Same binary, same encryption, same handlers, same routes. Only the store backend and the master key source change.
Upgrade path: set ARCAN_STORE=postgres, DATABASE_URL and the KMS configuration, then restart. The schema migrates automatically.
Security Model
- Encryption at rest: AES-256-GCM for every secret. The master key is never stored in the database.
- Key hierarchy: a single master key derives every purpose-specific key via HKDF-SHA256, so only the master has to be protected and the derived keys are independent of one another. See Security.
- TLS everywhere: required in all modes. A self-signed certificate is generated on first run; clients must pin it, or it must be replaced with a CA-issued certificate, since a self-signed cert that clients accept blindly protects nothing against interception.
- Plugin signing: Ed25519 signatures are verified before any package loads. Unsigned or tampered packages are rejected.
- RBAC: three roles (admin, member, viewer), scoped per realm. Policy middleware runs on every request.
Plugin System
Plugins are packages (.arcanpkg), not processes. The core loads, validates, and executes plugin code in a sandboxed runtime. Plugins never directly access the network, filesystem, or core memory -- all external access goes through host functions provided by the core (ctx.SQL, ctx.HTTP, ctx.Store, ctx.Audit).
The SDK lets authors write an engine in roughly 50 lines of Go. The workflow is: write the engine, run arcan plugin pack, run arcan plugin publish, and users install it from the registry. See the Plugin SDK Reference for the full guide.
The WASM runtime (via wazero) is the target for language-agnostic plugin support; natively compiled Go plugins serve as the bridge runtime during early development. Note that a native Go plugin runs in the core's own address space, so the memory isolation implied above is a property of the WASM runtime, not of the bridge.
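The signature check a loader performs before a package runs, as an added example that is not the project's code. It uses Go's crypto/ed25519; the Package struct, the arcanpkg-v1 domain label and the length-prefixed message layout are assumptions about the package format. The point to notice is the order of checks: the key carried in the package is matched against the operator's pinned publisher keys before the signature is verified, because verifying against whatever key a package ships with proves nothing.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Package stands in for what the loader reads out of a .arcanpkg archive. The
// field layout is an assumption for this example, not the real format.
type Package struct {
	Manifest  []byte
	Code      []byte
	Signer    ed25519.PublicKey // key the package claims it was signed with
	Signature []byte            // empty for an unsigned package
}

var (
	ErrUnsigned  = errors.New("arcanpkg: package is unsigned")
	ErrUntrusted = errors.New("arcanpkg: signing key is not pinned")
	ErrBadSig    = errors.New("arcanpkg: signature does not verify")
)

// signedMessage is what actually gets signed: a domain label plus the
// length-prefixed manifest and code, so bytes cannot be shuffled between the
// two fields without changing the message. The label is an assumption.
func signedMessage(manifest, code []byte) []byte {
	h := sha256.New()
	h.Write([]byte("arcanpkg-v1\x00"))
	var n [8]byte
	for _, part := range [][]byte{manifest, code} {
		binary.BigEndian.PutUint64(n[:], uint64(len(part)))
		h.Write(n[:])
		h.Write(part)
	}
	return h.Sum(nil)
}

// newKey generates a publisher key pair (demo helper).
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is the publisher side: the package carries its signature and signer.
func Sign(priv ed25519.PrivateKey, manifest, code []byte) Package {
	return Package{
		Manifest:  manifest,
		Code:      code,
		Signer:    priv.Public().(ed25519.PublicKey),
		Signature: ed25519.Sign(priv, signedMessage(manifest, code)),
	}
}

// Verify is the loader side. The order matters: the Signer the package carries
// is matched against the operator's pinned publisher keys before the signature
// is checked; otherwise an attacker just ships a package signed with their own key.
func Verify(pkg Package, trusted []ed25519.PublicKey) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	pinned := false
	for _, k := range trusted {
		if len(k) == ed25519.PublicKeySize && bytes.Equal(k, pkg.Signer) {
			pinned = true
		}
	}
	if !pinned {
		return ErrUntrusted
	}
	if !ed25519.Verify(pkg.Signer, signedMessage(pkg.Manifest, pkg.Code), pkg.Signature) {
		return ErrBadSig
	}
	return nil
}

func main() {
	pub, priv := newKey() // publisher key, constructed for the demo
	_, rogue := newKey()  // an attacker's key
	trusted := []ed25519.PublicKey{pub}
	manifest := []byte(`{"name":"postgres","version":"1.0.0"}`) // constructed
	code := []byte("\x00asm plugin body")                     // constructed stand-in

	good := Sign(priv, manifest, code)
	tampered := good
	tampered.Code = []byte("\x00asm plugin body with a backdoor")
	fmt.Println("genuine:        ", Verify(good, trusted))
	fmt.Println("tampered code:  ", Verify(tampered, trusted))
	fmt.Println("unsigned:       ", Verify(Package{Manifest: manifest, Code: code, Signer: pub}, trusted))
	fmt.Println("rogue publisher:", Verify(Sign(rogue, manifest, code), trusted))
}
```

The three refusals map onto the three ways a package can be wrong: no signature at all, a signature from a publisher the operator never pinned, and a signature that no longer matches the bytes (tampered manifest or code). Binding manifest and code into one length-prefixed message means a valid signature over one version of the manifest cannot be reused over a different code blob.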
Integration Layer
SIEM Audit Sinks
All audit events can be streamed to external SIEM platforms in real time via a generic Sink interface. Ten built-in integrations: Splunk, Sentinel, Elastic, CrowdStrike, Cortex, Datadog, Chronicle, Syslog, Webhook, File. See SIEM Integration.
ESO (External Secrets Operator)
Arcan exposes ESO-compatible webhook endpoints (/api/v1/eso/...) that let the Kubernetes External Secrets Operator sync secrets into K8s Secrets automatically. No custom controller or CRD required. See ESO Integration.
Docker
CLI commands for Docker Compose (.env file generation) and Docker Swarm (native secret sync). See Docker Integration.
Trust Boundaries
Every request, and every plugin load, crosses these six trust boundaries:
- Auth Middleware -- validates token (401 if invalid)
- Policy Middleware -- evaluates RBAC (403 if insufficient)
- ResolveRealm -- resolves tenant (404 if not found)
- Plugin Runtime -- sandbox enforcement (only declared host functions)
- Signature Verifier -- package authenticity (reject tampered packages)
- Store Layer -- realm scoping (no cross-realm data leaks)
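The first three boundaries and the store-layer realm scoping as an in-process HTTP chain, added here as an example and not taken from the project. It uses net/http; the URL layout /v1/realms/{realm}/kv/{path}, the token table and the method-to-role policy are assumptions. Driven through httptest, it shows the status code each boundary returns in turn and that a realm a caller's role is not scoped to is indistinguishable from one that does not exist.

```go
package main

import (
	"context"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Role int // viewer < member < admin, the three roles the page names

const (
	Viewer Role = iota
	Member
	Admin
)

// Principal is what Auth attaches to a request; its Role is scoped to one Realm.
type Principal struct {
	Realm string
	Role  Role
}

// Server holds constructed in-memory stand-ins for the token table and realm
// registry, plus a store keyed by (realm, path): no bare path reaches the data.
type Server struct {
	Tokens map[string]Principal
	Realms map[string]bool
	Store  map[[2]string]string
}

type ctxKey struct{}

// minRole is an illustrative policy (assumption): reads need viewer, writes
// need member; any other method, DELETE included, needs admin.
var minRole = map[string]Role{"GET": Viewer, "HEAD": Viewer, "PUT": Member, "POST": Member}

// auth is boundary 1: no valid bearer token means 401 before anything else is read.
func (s *Server) auth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok, ok := strings.CutPrefix(r.Header.Get("Authorization"), "Bearer ")
		p, found := s.Tokens[tok]
		if !ok || !found {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, p)))
	})
}

// policy is boundary 2: authenticated but under-privileged means 403.
func policy(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		need, ok := minRole[r.Method]
		if !ok {
			need = Admin
		}
		if r.Context().Value(ctxKey{}).(Principal).Role < need {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// realmKV is boundary 3 plus the KV handler. URL shape assumed:
// /v1/realms/{realm}/kv/{path}. An unknown realm and a realm the caller's role
// is not scoped to are both 404, so tenants cannot enumerate each other.
func (s *Server) realmKV() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		rest, ok := strings.CutPrefix(r.URL.Path, "/v1/realms/")
		realm, path, hasKV := strings.Cut(rest, "/kv/")
		p := r.Context().Value(ctxKey{}).(Principal)
		if !ok || !hasKV || !s.Realms[realm] || p.Realm != realm {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		key := [2]string{realm, path} // realm comes from the resolver, never the path alone
		if r.Method == http.MethodGet {
			io.WriteString(w, s.Store[key]) // empty body if unset
			return
		}
		body, _ := io.ReadAll(r.Body)
		s.Store[key] = string(body)
		w.WriteHeader(http.StatusNoContent)
	})
}

// Handler wires the chain in the order the page lists the boundaries.
func (s *Server) Handler() http.Handler { return s.auth(policy(s.realmKV())) }

// Call drives a handler in-process and returns status code and trimmed body.
func Call(h http.Handler, method, token, path, body string) (int, string) {
	req := httptest.NewRequest(method, path, strings.NewReader(body))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```

Build a Server with a few tokens and realms and push requests through Call: a missing token stops at 401 regardless of what follows, a viewer's PUT stops at 403 even for a realm that does not exist, and an admin of one realm reading another realm's path gets the same 404 as for a realm nobody created. The store is only ever indexed by the (realm, path) pair the resolver produced, which is what "no cross-realm data leaks" comes down to in code.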