Open Source · Self-Hosted

Central policy.
Local runtime control.

VeilKey is a self-hosted secret and execution-boundary system for local AI and operator workflows. KeyCenter owns central policy while LocalVault runs close to each workload, keeping runtime control inside your own trust boundary.

runtime-fleet.live · 3 PENDING
1 KeyCenter control plane
N LocalVault runtimes
5m heartbeat cadence
rebind / rotation flows

Control Flow

Four steps to fleet control

1. Install

Bring up KeyCenter and LocalVault with validated self-hosted install flows.

./install.sh validate

2. Register

Attach node-local runtimes to KeyCenter so central policy can see and manage them.

vk node register

3. Heartbeat

Track node identity, runtime binding, and current state through explicit heartbeat flows.

localvault heartbeat

4. Rotate

Push rotation or rebind from the center, then let each node apply and report back.

vk rotate --bulk

Architecture

One center decides. Each node executes.

Central management and node-local execution stay split on purpose, so control can stay global while runtime remains local.

KeyCenter (KC) · :10181

Central control plane. Owns policy, catalog, node visibility, bulk operations, and runtime decisions.

LocalVault (LV) · :10180

Node-local runtime. Stores local state, heartbeats to KeyCenter, and applies execution-boundary policy close to workloads.

Proxy (PX) · :18080

Outbound enforcement layer. Intercepts traffic and helps keep secrets and execution inside the intended trust boundary.

Installer + CLI (OPS)

Operator entrypoint for install, validation, registration, inspection, update, and rollout control.

Show me the current fleet status.
KeyCenter sees 3 LocalVault runtimes.
lxc-a / key_version=8 / heartbeat ok
lxc-b / key_version=7 / rotation required
host-node / key_version=8 / runtime bound

Bulk rotate can be pushed centrally without losing node-local execution ownership.
Apply the next version to the out-of-date node.
✓ Rotation prepared. LocalVault will apply the new binding and report back on the next heartbeat.

Execution Boundary

Central view. Local execution.

VeilKey is not just secret storage. It is a self-hosted execution-boundary model where KeyCenter manages policy centrally while LocalVault keeps runtime action close to the node.

  • central registration and visibility for LocalVault nodes
  • explicit heartbeat, rotation, and rebind flows
  • bulk operations from KeyCenter without ad-hoc drift
  • self-hosted trust boundary across host, LXC, and network edge

Run secret control
inside your boundary.

Bring up KeyCenter, connect LocalVault nodes, and manage runtime state from a self-hosted control plane.

MIT · Go + SQLite · KeyCenter + LocalVault · Self-Hosted