Product Identity
What Arcan Is
Arcan is a secrets management platform. It stores static secrets, generates dynamic credentials on demand via plugins, and provides policy-based access control with full audit trails.
What Ships in the Core Binary
The core binary contains exactly four pillars plus infrastructure:
| Pillar | Scope |
|---|---|
| KV Engine | Static secrets — set, get, list, delete, export, inject, encrypt. The only built-in engine. |
| Auth | Registration, login, API tokens, OIDC, K8s service account auth |
| Policy | RBAC — roles, bindings, capabilities, evaluator |
| Audit | Event dispatcher, SIEM sinks (webhook + syslog), audit log queries |
Infrastructure: Store (SQLite + PostgreSQL), Crypto (AES-256-GCM, key managers), Plugin Runtime (sandboxed execution), Registry Client, CLI, HTTP Server.
TLS is required in ALL modes. No exceptions. Arcan auto-generates a self-signed
certificate on first startup if none is configured. The cert is stored at ~/.arcan/tls/
and trusted locally. This ensures security-first behavior from the very first run.
Zero dynamic credential engines are built-in. PostgreSQL, MySQL, AWS, MongoDB, Transit, PKI, SSH CA — all are plugins downloaded from the registry. The core binary is small, focused, and rarely needs updating for engine-related reasons.
Deployment Modes
Only two modes. No "dev mode" — Standalone IS production for single-node deployments.
| Mode | Database | Master Key | When |
|---|---|---|---|
| Standalone | SQLite + WAL | Local file (~/.arcan/master.key, auto-generated) or KMS (optional) | Single node — development, self-hosted, small teams |
| Multi-node | PostgreSQL (required) | KMS (required — AWS, GCP, Azure) | HA — multiple nodes, production at scale |
Same binary, same TLS, same encryption, same handlers, same routes. Only the store backend and key source change.
Upgrade path: Add ARCAN_STORE=postgres + DATABASE_URL + KMS config → restart → Multi-node. Schema auto-migrates.
3 Minutes to First Secret
```bash
brew install arcan # or: curl -fsSL https://get.getarcan.dev | sh
arcan server # starts Standalone, auto-generates master key + TLS cert
arcan kv set DB_URL "postgres://user:[email protected]/myapp"
```
No flags, no special modes, no warnings. Standalone is production-grade from the start:
- AES-256-GCM encryption at rest with auto-generated 256-bit master key
- TLS on the API (auto-generated self-signed cert)
- SQLite with WAL mode (crash-safe)
- Full RBAC, audit, and policy — same as Multi-node
Standalone Master Key Options
| Option | Setup | Security Level |
|---|---|---|
| Auto-generated file (default) | Zero config — generated on first arcan server | Good — file at ~/.arcan/master.key with 0600 permissions |
| KMS (recommended) | arcan master-key setup --provider aws | Best — envelope encryption, key never on disk |
Both options provide AES-256-GCM encryption at rest. KMS adds envelope encryption (master key never leaves the HSM) and is recommended for any deployment handling real secrets.
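The envelope encryption that the KMS option adds, sketched as an added example in Node.js using only its built-in crypto module. It is not Arcan's code: the function names, the record layout, the use of the secret's name as associated data, and the local key standing in for a KMS are all assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// seal: AES-256-GCM, returns nonce(12) || tag(16) || ciphertext; aad is authenticated only.
function seal(key, plaintext, aad) {
  const nonce = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// open: reverses seal; throws if the key, the data or the aad differ.
function open(key, sealed, aad) {
  if (sealed.length < 28) throw new Error('sealed value too short');
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([d.update(sealed.subarray(28)), d.final()]);
}

// localKek stands in for a KMS (assumption): wrap and unwrap are the only
// operations that touch the master key. With a KMS they are remote calls.
function localKek(masterKey) {
  return {
    wrap: (dek, aad) => seal(masterKey, dek, aad),
    unwrap: (wrapped, aad) => open(masterKey, wrapped, aad),
  };
}

// encryptSecret: fresh 256-bit data key per secret; hypothetical record layout.
function encryptSecret(kek, name, value) {
  const aad = Buffer.from(name);
  const dek = nodeCrypto.randomBytes(32);
  const ciphertext = seal(dek, Buffer.from(value), aad);
  const wrappedDek = kek.wrap(dek, aad);
  dek.fill(0); // best-effort wipe of the plaintext data key
  return { wrappedDek, ciphertext };
}

// decryptSecret: unwrap the data key, open the secret, wipe the data key.
function decryptSecret(kek, name, record) {
  const aad = Buffer.from(name);
  const dek = kek.unwrap(record.wrappedDek, aad);
  try {
    return open(dek, record.ciphertext, aad).toString();
  } finally {
    dek.fill(0);
  }
}
```

Only `wrappedDek` and `ciphertext` are stored, so a copy of the database is useless without an unwrap call against the master key.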
Multi-node Requirements
Multi-node mode enforces:
- PostgreSQL — all nodes share the same database
- KMS — all nodes derive encryption keys from the same KMS key (no file-based master key — sharing a key file across nodes is a security risk)
- TLS — same as Standalone (always required)
Arcan refuses to start in Multi-node without both PostgreSQL and KMS configured:
```
✗ Multi-node mode requires KMS for the master key.
  A file-based master key cannot be safely shared across nodes.
  Configure KMS: arcan master-key setup --provider aws|gcp|azure
```
Plugin Tiers
```
┌─────────────────────────────────────────────┐
│              ARCAN CORE (OSS)               │
│     KV · Auth · Policy · Audit · Crypto     │
│     Store (SQLite/PG) · Plugin Runtime      │
│    Connection Manager · Engine Executor     │
└──────────────────┬──────────────────────────┘
                   │ loads .arcanpkg packages
        ┌──────────┴──────────┐
        │                     │
┌───────┴─────────┐  ┌────────┴────────┐
│ PUBLIC REGISTRY │  │ ENTERPRISE REG  │
│ (OSS, free)     │  │ (activation key)│
│                 │  │                 │
│ postgres, mysql │  │ ssh-proxy       │
│ mssql, mongodb  │  │ kmip            │
│ redis, aws      │  │ break-glass     │
│ azure, gcp      │  │ mcp-server      │
│ oracle, transit │  │ multi-tenant    │
│ pki, ssh-ca     │  │ fleet-mgmt      │
│ cassandra, etc  │  │                 │
└─────────────────┘  └─────────────────┘
```
Plugin Execution Model
Plugins are packages (.arcanpkg), not processes. The core loads, validates, and executes plugin code in a sandboxed runtime. Plugins never directly access the network, filesystem, or core memory. All external access goes through host functions provided by the core (sql, http, store, audit).