keep-node turns a small Linux box into a private security appliance. Each node runs your core security services (a Vaultwarden password manager, secrets, identity) and holds only a FROST threshold key share, so no single device can decrypt your vault. Run two or more and they sync to each other, so if one goes down the others keep serving. Built for non-technical users: no seed phrases.
Part of the Keep ecosystem; the node daemon, vault, and threshold signing are reused from keep (keep-web, keep-core).
Status: MVP in progress, developed and CI-tested entirely in NixOS VMs (no hardware). Built and validated so far: Vaultwarden + keep-web on a LUKS volume gated at boot, either by a TPM seal (default) or, opt-in, by a threshold-OPRF quorum reconstructed from a live keep relay + a second holder (tested end to end with the real `keep` binary); opt-in measured boot (Lanzaboote UKI, so the seal binds a real PCR 11); and multi-node active/standby HA for the vault, running over a real `nvpn` encrypted mesh between nodes (nostr-vpn, boringtun userspace WireGuard, peer-authenticated), a shared JWT signing key, Litestream WAL streaming of the SQLite DB, attachment/Send file replication, a replication-lag health signal, and crash-then-promote failover, all covered by two-node nixosTests with no relay. Still ahead: the phone holder and QR onboarding (the `keep-android` app; tests use a keep holder as its stand-in), moving the quorum to 2-of-3, internet NAT traversal for the mesh (nvpn's Nostr discovery + the bundled `wisp` relay), and running on real hardware (TPM 2.0 + secure element on an SBC).
- Threshold custody: the box holds one FROST share; steal it and get nothing.
- Multi-node HA: nodes sync, so a single failure doesn't take your vault down.
- Seedless: recovery via a device quorum, no 24 words to lose.
- Open: MIT software on commodity hardware.
Requires Nix with flakes enabled.

```sh
# Run the test suite (boots a VM, no hardware needed: Vaultwarden + keep-web)
nix flake check

# Boot the VM interactively to poke at it
nix build .#checks.x86_64-linux.single-node.driverInteractive
./result/bin/nixos-test-driver --interactive
```

Build a bootable USB installer and install keep-node on a real UEFI machine.
- Build the installer ISO (requires Nix with flakes; produces a ~1.4 GB UEFI hybrid ISO):

  ```sh
  nix build .#installer-iso   # ISO at: result/iso/*.iso
  ```

  No Nix? Build it in an isolated container instead:

  ```sh
  docker run --rm --privileged -v "$PWD":/work -w /work nixos/nix \
    nix --extra-experimental-features 'nix-command flakes' build .#installer-iso
  ```

- Flash it to a USB stick. This erases the stick: replace `/dev/sdX` with the real device (verify with `lsblk`).

  ```sh
  sudo dd if=result/iso/*.iso of=/dev/sdX bs=4M oflag=sync status=progress
  sync
  ```

- Boot the target machine from the USB (UEFI; disable Secure Boot if it won't boot, the image isn't Secure-Boot-signed), then install to the internal disk:

  ```sh
  install-keepnode /dev/sda   # the target's internal disk, NOT the USB
  ```

  It auto-elevates, wipes the disk, partitions UEFI, and installs offline. Type `YES` to confirm. When it finishes, remove the USB and reboot.

- After first boot, console autologin and SSH are available; default login is `root`/`keepnode`, change it immediately (`passwd`). Find the node's IP with `ip a`, then open the Vaultwarden web vault from the LAN at `https://<node-ip>` (self-signed cert, accept the browser warning; plain HTTP won't work because the web vault needs a secure context).
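The flash step above erases whatever `/dev/sdX` points at, and `lsblk` by eye is the only guard. The script below is an added example (not part of keep-node or its installer) that wraps the same `dd` invocation in a sysfs-based sanity check: the target must be a whole disk listed under `/sys/block`, must carry the kernel's `removable` flag, and must not be the device backing `/`. `SYS_BLOCK` and `ROOT_SOURCE` are hypothetical environment overrides introduced here so the checks can be exercised against a constructed sysfs tree; `findmnt` and `lsblk` are assumed to be the util-linux tools of the host.

```shell
#!/usr/bin/env sh
# Added example, not part of keep-node: guard the `dd` flash step so the
# installer ISO can only be written to a whole, removable block device.
# SYS_BLOCK and ROOT_SOURCE are hypothetical overrides (assumptions of this
# example) that let the checks run against a constructed sysfs tree.
SYS_BLOCK="${SYS_BLOCK:-/sys/block}"

# is_safe_flash_target /dev/NAME
# Succeeds (0) only if NAME is a whole disk listed under $SYS_BLOCK, its
# sysfs `removable` flag is 1, and it does not back the root filesystem.
# Prints the reason for any refusal on stderr.
is_safe_flash_target() {
  dev="$1"
  name="${dev##*/}"
  case "$dev" in
    /dev/?*) ;;
    *) echo "refusing: '$dev' is not a /dev path" >&2; return 1 ;;
  esac
  # Partitions (sdb1, nvme0n1p1) live under their parent disk in sysfs,
  # so only whole disks have a directory directly under $SYS_BLOCK.
  if [ ! -d "$SYS_BLOCK/$name" ]; then
    echo "refusing: '$dev' is not a whole disk known to $SYS_BLOCK" >&2
    return 1
  fi
  if [ "$(cat "$SYS_BLOCK/$name/removable" 2>/dev/null)" != "1" ]; then
    echo "refusing: '$dev' is not flagged removable (internal disk?)" >&2
    return 1
  fi
  # Best-effort: never target the device that holds /. ROOT_SOURCE overrides
  # findmnt for testing; a LUKS/LVM root will not match its backing disk here.
  rootsrc="$ROOT_SOURCE"
  [ -n "$rootsrc" ] || rootsrc="$(findmnt -n -o SOURCE / 2>/dev/null || true)"
  case "$rootsrc" in
    "$dev"*) echo "refusing: '$dev' backs the root filesystem" >&2; return 1 ;;
  esac
  return 0
}

# flash_installer ISO /dev/NAME
# Runs the checks, shows the device, asks for the same YES confirmation the
# installer uses, then performs the dd from the README.
flash_installer() {
  iso="$1"; dev="$2"
  [ -f "$iso" ] || { echo "no such ISO: $iso" >&2; return 1; }
  is_safe_flash_target "$dev" || return 1
  echo "About to ERASE $dev and write $iso:" >&2
  lsblk -o NAME,SIZE,MODEL,TRAN "$dev" >&2
  printf 'Type YES to continue: ' >&2
  read -r answer
  [ "$answer" = "YES" ] || { echo "aborted" >&2; return 1; }
  sudo dd if="$iso" of="$dev" bs=4M oflag=sync status=progress && sync
}
```

Source the file and call `flash_installer result/iso/*.iso /dev/sdb`; the `dd` only runs once the sysfs checks pass and `YES` is typed, so pointing it at an internal disk or a partition is refused before any bytes are written.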
Insecure by design (bring-up only). The installer image is the `keepnode-debug` profile: it enables an opt-in, test-grade `debugAccess` config (known root password, password SSH, open signups, self-signed TLS) so a fresh box is reachable over the LAN before the encrypted transport lands. For any real deployment, deploy the hardened `nixosConfigurations.keepnode` profile instead (`debugAccess` off, SSH off, signups default-deny), not `keepnode-debug`. `frost-gate` is off in both, so Vaultwarden data sits on the plain disk with no TPM unlock yet.