Gako documentation
Zero-knowledge secret management. The server that stores your secrets cannot read them — by design, not by promise.
Gako stores passwords, API keys, certificates, and notes encrypted end-to-end. Every cryptographic operation involving plaintext happens on the client; the server holds only opaque ciphertext, policy, and signatures. A complete compromise of the server — its database, its backups, its administrators — reveals no secret content.
Pre-release
Gako is under active development and has not been audited. Do not use it for real secrets yet. This documentation tracks the current development build rather than a tagged release.
Where to start
- End users: Store and retrieve secrets through the web or command line.
- Administrators: Self-host Gako for yourself or a team.
- Understand the guarantee: How the server stays unable to read your secrets.
- Security posture: What the server learns, and what Gako does not protect against.
How Gako is put together
Gako is one static server binary plus a shared cryptographic core that runs in every client:
- a server that stores and serves opaque ciphertext, policy, and signatures;
- a web client (the core compiled to WebAssembly), served by that same binary;
- a CLI client for scripting and machine use.
The same core enforces the same formats everywhere, so a secret written by one client is readable by another. See Architecture for the full picture.