← Back to Docs
Self-Hosting
Deploy Sirr anywhere — single binary, single file database, zero runtime dependencies. Docker or bare metal.
Docker (Recommended)
Production setup with a mounted key file for the master encryption key:
# Generate the master key file once
openssl rand -hex 32 > master.key
chmod 400 master.key
docker run -d \
-p 39999:39999 \
-v ./sirr-data:/data \
-v ./master.key:/run/secrets/master.key:ro \
-e SIRR_MASTER_KEY_FILE=/run/secrets/master.key \
ghcr.io/sirrlock/sirrDevelopment setup (key auto-generated):
docker run -d -p 39999:39999 -v ./sirr-data:/data ghcr.io/sirrlock/sirrStandalone Binary
./sirrd serve
# Optionally protect writes:
SIRR_API_KEY=my-key ./sirrd serveArchitecture
CLI / Node SDK / Python SDK / .NET SDK / MCP Server
↓ HTTP (optional API key for writes)
axum REST API (Rust)
↓
redb embedded database (sirr.db)
↓
ChaCha20Poly1305 encrypted values
(key = random 32 bytes in sirr.key)- sirr.key — random 32-byte encryption key, generated on first run, stored beside
sirr.db - Per-record random 12-byte nonce; value field is encrypted, metadata is not
- Reads are public (no auth). Writes optionally protected by
SIRR_API_KEY
Environment Variables
Server
| Variable | Default | Description |
|---|---|---|
| SIRR_API_KEY | auto-generated | Protects all authenticated endpoints. Printed at startup if not set |
| SIRR_LICENSE_KEY | — | Required for >100 active secrets |
| SIRR_PORT | 39999 | HTTP listen port |
| SIRR_HOST | 0.0.0.0 | Bind address |
| SIRR_DATA_DIR | platform default | Storage directory. Docker: mount /data and set SIRR_DATA_DIR=/data |
| SIRR_CORS_ORIGINS | * (all) | Comma-separated allowed origins for management endpoints |
| SIRR_LOG_LEVEL | info | trace / debug / info / warn / error |
| SIRR_RATE_LIMIT_PER_SECOND | 10 | Per-IP request rate (steady-state) |
| SIRR_RATE_LIMIT_BURST | 30 | Per-IP burst allowance |
One of SIRR_MASTER_KEY_FILE or SIRR_MASTER_KEY is required. If both are set, the file takes precedence. File-based key delivery is recommended because environment variables are visible via docker inspect and /proc.
Key Rotation
| Variable | Description |
|---|---|
| SIRR_NEW_MASTER_KEY_FILE | Path to file containing the new master key |
| SIRR_NEW_MASTER_KEY | New master key value (prefer _FILE) |
Data Directory Defaults
| Platform | Path |
|---|---|
| Linux | ~/.local/share/sirr/ |
| macOS | ~/Library/Application Support/sirr/ |
| Windows | %APPDATA%\sirr\ |
| Docker | Mount /data and set SIRR_DATA_DIR=/data |
Need more than 100 secrets?
The free tier supports up to 100 active secrets per instance. For production workloads, get a license key at sirrlock.com.