Zerobase – encrypted zero-knowledge KV+SQL store where the server can't read your data

I built Zerobase, an encrypted database in pure Rust where the server is
architecturally blind to all stored data.

The core idea: with PrivateClient, keys are BLAKE3-hashed and values are
AES-256-GCM encrypted before any network call. The server stores ciphertext
it cannot decrypt even with root access.

What's in the box:

LSM-tree engine: WAL (AES-256-GCM + Ed25519-signed + BLAKE3-chained)
Ed25519 challenge-response auth + capability tokens with scoped revocation
Raft consensus: election, log replication, log compaction, cluster mode
SQL layer (SELECT/JOIN/WHERE/ORDER BY)
TLS 1.3 via rustls — zero OpenSSL anywhere
Hardware key derivation: machine-id + DMI + MAC → 32-byte master key
#![forbid(unsafe_code)] across all 10 crates

Status: Alpha. Crypto design and storage engine are solid, 94+ tests
passing. Raft is implemented but InstallSnapshot isn't done yet.

Looking for feedback on the security model, the Raft implementation, and
anyone who wants to try breaking it.

GitHub: https://github.com/ODev-M/ZeroBase

Zerobase – encrypted zero-knowledge KV+SQL store where the server can't read your data

Tags

Author

Stats

Published

You Might Also Like

How I Built a Counter Program in Anchor and Learned to Trust My Tests

I Replaced FileZilla and PuTTY with One Open-Source App (and Added an AI Bridge)

39 stars, my first open source contributor, and a message I keep re-reading

pip install provedex: a tamper-evident black box for your Python AI agent

The Bug Behind the Bug: Anatomy of a Three-Layer Consensus Halt

I made supply-chain security a blocking step of npm install