Open Source · Alpha

Your API keys
stop living on
your servers.

Subumbra is a split-trust key broker. Encrypted blobs live on your infrastructure, while transient decryption authority runs in Cloudflare during live upstream handling. Cloudflare deploy authority remains part of the trust boundary.

Download on GitHub ↗ See how it works
Your application
LiteLLM · Bifrost · Open WebUI · AnythingLLM · LibreChat · n8n · any HTTP client
adapter token + key_id via subumbra-proxy :8090/t
subumbra-keys
Encrypted envelope store
ciphertext + wrapped DEK only
encrypted envelope fetch
Cloudflare Worker
Policy gate & verifier
private key in SubumbraVault DO
verified request + encrypted record
Durable Object · one per request · isolated
Ephemeral Decrypt Runtime
~100ms memory then destroyed
decrypted · streamed · TLS only
API Provider
Anthropic · OpenAI · Groq · 10+ more
zero at-rest exposure

Tested providers

Anthropic OpenAI Groq DeepSeek Gemini Mistral Cerebras OpenRouter xAI Together

Built-in adapters

LiteLLM Bifrost Open WebUI AnythingLLM LibreChat n8n

How it works

Download, configure, bootstrap, point your apps

A one-shot ./bootstrap.sh encrypts provider material and deploys enforcement to Cloudflare. After that, subumbra-keys on your side only stores ciphertext envelopes and wrapped DEKs — never usable upstream secrets at rest.

01 / Get the code
Download or clone
Grab a release tarball from GitHub Releases, or clone the repo (fork first if you plan to carry patches).
git clone https://github.com/polysemic/Subumbra.git
cd Subumbra
02 / Configure
Manifest (and optional automation)
Copy the minimal template to subumbra.yaml and edit providers, routing, and adapter names. For CI or unattended runs, copy .env.bootstrap.example to .env.bootstrap and add Cloudflare credentials plus the same secret_ref values referenced in the manifest.
cp subumbra.minimal.yaml subumbra.yaml
cp .env.bootstrap.example .env.bootstrap
03 / Bootstrap
Encrypt and deploy

Run ./bootstrap.sh on the host. Think of it as the one “setup” button: it starts the bootstrap container, deploys or updates the Worker in Cloudflare, encrypts your provider keys into the local store, and tells you when to bring the stack up — without leaving a trail of plaintext secrets in the repo as part of that run.

If you use interactive mode, you answer prompts for Cloudflare credentials and each provider secret; those answers stay in process memory for the session and are not written back into the project as cleartext.

If you already copied .env.bootstrap.example to .env.bootstrap and filled it in, the same script runs headlessly, then securely shreds that file after a successful pass so it does not linger on disk.

When the script exits cleanly, your .env contains the adapter tokens the stack expects, encrypted material is on the volume, and the core containers can start normally.

./bootstrap.sh
04 / Integrate
Transparent proxy URL + adapter token

Update your apps wherever they read provider settings — .env files, YAML or JSON config, admin UIs, or secrets in your orchestrator. Where you used to paste the real vendor key and call the provider directly, aim traffic at Subumbra and put the narrow adapter token in the credential field instead. The key_id from your manifest still goes in the URL path right after /t/ (below, anthropic_prod is only an example).

Docker apps using the subumbra network
api_base: http://subumbra-proxy:8090/t/anthropic_prod
Apps not using docker or the network
api_base: http://127.0.0.1:10199/t/anthropic_prod
Both use the adapter token
api_key: ${SUBUMBRA_TOKEN_YOUR_ADAPTER}
Use your apps as usual
Same client libraries and workflows — swap base URL and substitute the narrow adapter token from .env for the real provider secret.
Common bootstrap.sh commands
./bootstrap.sh --helpFull option list (also -h)
./bootstrap.sh --rotateOffline per-key re-encryption with the on-disk public key
./bootstrap.sh --upgradeRebuild images and recreate containers (no volume wipe)
./bootstrap.sh --provision <key_id>Targeted repair for one record
./bootstrap.sh --revoke-key <key_id>Revoke a key (optional --offline for local-only)
./bootstrap.sh --add-adapter <key_id> <adapter_id>Bind an adapter to an existing key
./bootstrap.sh --revoke-adapter <key_id> <adapter_id>Remove an adapter binding
./bootstrap.sh --publish-policy <key_id>Republish policy metadata to KV
./bootstrap.sh --push-registryPush local keys.json state to Cloudflare KV
./bootstrap.sh --list-key-idsList manifest key IDs
./bootstrap.sh --list-adaptersList distinct adapter names from the manifest
./bootstrap.sh --statusCompare manifest authority to deployed record state
./bootstrap.sh --nukeDestructive: reset vault keypairs and re-bootstrap from scratch

Features

Everything a team needs to manage secrets safely.

Transparent proxy
Drop-in sidecar at :8090/t. No app code changes — swap the base URL and use a key ID instead of a real key.
🔄
Offline key rotation
Rotate individual keys using the public key on disk. No Cloudflare interaction, no Worker redeploy, no service restart. Zero downtime.
🧩
Live provider registry
You declare providers and policy in subumbra.yaml; bootstrap publishes structured entries to Cloudflare KV so the Worker can validate every upstream target fail-closed.
📊
Management dashboard
Health status, per-key request counts, last access times, and a live structured audit log — without ever displaying key values.
🔒
Ciphertext-only at rest on your side
After bootstrap, real provider secrets are not returned to your servers for storage or display. subumbra-keys only ever persists envelopes (ciphertext + wrapped DEKs). Apps and operators use narrow adapter tokens — not the upstream key material.
🧱
Multi-adapter support
Named adapters with scoped key access and independent tokens (for example SUBUMBRA_TOKEN_LITELLM). LiteLLM, Bifrost, Open WebUI, AnythingLLM, LibreChat, n8n, and custom HTTP clients are supported via the transparent /t route.

Security model

Designed so a partial compromise yields nothing useful.

Split trust means ciphertext and wrapped DEKs on your infrastructure are useless without the matching RSA private key held in a Cloudflare Durable Object. A complete break requires defeating both sides — plus your manifest-defined adapter and policy controls at the Worker boundary. Cloudflare and your deploy credentials remain explicit trust boundaries.

  • V3 hybrid envelope (RSA-4096 + AES-256-GCM)
    Per-record DEKs are wrapped with RSA-OAEP. Payloads are AES-256-GCM with AAD subumbra:v3:<key_id>:<policy_hash>, binding ciphertext to the policy in effect at encryption time and blocking transplant or stale-policy replay.
  • Private key in SubumbraVault DO custody
    RSA private material is generated and stored in a Durable Object vault; your host only receives ciphertext envelopes, wrapped DEKs, and an exportable public key for offline rotation. Neither side alone can recover a provider secret.
  • Per-request decrypt in the vault DO
    For each allowed upstream call, the vault unwraps the DEK, decrypts the provider material, applies the configured auth semantics to the outbound HTTPS request, and discards plaintext from memory after the response path completes. This is a short-lived in-memory window — not a durable copy on your servers.
  • Adapter allowlists and capability gates
    Manifest allow.adapters binds each adapter token to specific records; policy can scope methods, paths, hosts, and capability class so a compromised chat app cannot silently pivot to unrelated APIs.
  • HMAC-signed ciphertext fetches
    subumbra-proxy requests envelopes from subumbra-keys with per-request HMAC integrity and freshness controls so replayed or forged fetches fail closed.
  • Fail-closed upstream validation
    The Worker resolves live registry metadata (from KV) for the requested record, verifies hostname, provider label, and fingerprint alignment, and rejects mismatches before unwrap or decrypt.
  • Structured audit trail (local)
    The keys service records access attempts, denials, and lifecycle events to a local SQLite-backed audit store — useful for operators without ever logging provider key material.
 Threat matrix
Server filesystem compromiseBlocked
keys.json stolenBlocked
Ciphertext replay attackBlocked
Ciphertext transplantBlocked
Network interception (TLS)Blocked
Skeleton-key adapter misuse (leaked token)Mitigated
Undetected malicious Worker deployPartial
Host OS compromisePartial

Ready to stop trusting your servers with secrets?

Self-hosted, open source, deployable in minutes. Your infrastructure. Your control. No plaintext key storage on your servers after bootstrap.

GitHub ↗ Read the docs
./bootstrap.sh