Show HN: Kvass, a personal key-value store

Nice project!<p>I&#x27;m wondering why you choose to implement your own cryptography routines instead of using something standard like TLS. Apparently your `DecryptData` and `Encrypt` methods are vulnerable to replay attacks due to a lack of (EC)DH-style key exchange.

You stole my idea! I love it. As a dev who spends a big chunk of their day in the shell, this is the kind of tool that I was destined to create myself, but never did thanks to lack of time, laziness, life, etc.

I’m wondering what sorts of use-cases people would use a personal key-value store for. Maybe it’s just a useful foundation for building other tools on top of, like a password manager.

In case anyone is wondering about the name, it&#x27;s a Slavic fermented bread drink that&#x27;s much less alcoholic than beer (and commercially canned versions are near zero alcohol). It&#x27;s one of my favorite chilled summer drinks, and you should be able to find it in Slavic stores in the US as well.

What does it do better than Skate? Or what additional things does it do, url and qr codes?

Cool. Curious why you chose sqlite instead of something like badger [<a href="https:&#x2F;&#x2F;github.com&#x2F;dgraph-io&#x2F;badger" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;dgraph-io&#x2F;badger</a>] given you expose it as a key value database, which badger is.

Cool project! Congrats on launching ! What is the benefit compared to reddit or CF workers KV?

I like the idea. What surprised me was the custom network protocol. I expected it using ssh to work with the remote instance.

The built-in server and remote support is pretty nice! API seems solid, and I dig the QR codes.

i just have a directory in git and store everything in files<p>can anyone help explain what i&#x27;d use this for?

What is the benefit compared to the private use of Redis? Redis is under BSD licence and continues to be very actively maintained and used.

uh oh leave that drink alone mate.

now all that is missing is a FUSE driver

I don&#x27;t know much about the other solutions that people are mentioning in the comments, but I have to say... this looks elegant! Great job!

I have so many questions about this. Much of the architecture seems off to me. I like the concept, but it doesn&#x27;t seem as secure as it could be.<p>For the README, I&#x27;d hope to find a bit more information about the way data is stored and transmitted. For example, this seems to just be a SQLite database with values in fields? Is there a separate encryption key for the database itself? Otherwise anyone with access to the file would be able to see all data stored?<p>The encryption key is only used to encrypt data in transit, but not at rest? And then you&#x27;re encrypting the full JSON blob instead of only the values? This seems risky to me.<p>What is the purpose of the ProcessID? It is randomly generated and stored in the database (thus used by all clients too). So, I&#x27;m not sure what this is for? I see it&#x27;s used to resolve conflicts, but these should probably be given out by the server?<p>Do the clients cache data locally? It looks like you&#x27;re basically syncing from the server for every request. You&#x27;re already making a round trip to the server for a request anyway, so why not keep state only on the server? I can understand an offline-only mode, but this would require a significantly more robust sync mechanism. If this was the goal, I&#x27;d love to see this discussed more in the README too.<p>Finally, I don&#x27;t understand why you&#x27;re using plain HTTP (no TLS) for communication b&#x2F;w client and server. I didn&#x27;t see any authn&#x2F;authz in the requests. You&#x27;re also unmarshalling random data from the request w&#x2F;o confirming that it is valid first. This seems risky to me and could potentially crash the server if I were to send it random data.<p>This would have been a great use-case for a simple (non-HTTP&#x2F;JSON) TCP server:<p><pre><code> &gt;&gt;&gt; AUTHTOKEN xxx &gt;&gt;&gt; SET $KEY $LEN $SHA1 &gt;&gt;&gt; &lt;bytes&gt; &lt;&lt;&lt; OK &gt;&gt;&gt; AUTHTOKEN xxx &gt;&gt;&gt; GET $KEY &lt;&lt;&lt; $LEN $SHA1 &lt;&lt;&lt; &lt;bytes&gt; </code></pre> Custom protocols have their own security issues, but it can also be easier to see where there are potential issues (like unmarshalling unvalidated blobs). If you wrap something like the above in TLS-PSK, you&#x27;re set. If you want to use encryption for a session (after you authenticate), that&#x27;s possible too, but you&#x27;re at risk of effectively re-creating TLS.

Can you also drink it?

Hack Mama

For personal use, I’ve had good luck storing things in files. Then when I need those those things, I read the files.

What&#x27;s the use case for this (besides being a nice learning project)?<p>I didn&#x27;t see this on the readme.

I hope this feeling is me catching onto the joke in the name rather than being a first responder

Somewhat unrelated: Can one buy kvass starter in the United States, and if so, what is it called?<p>I&#x27;m not interested in bottled kvass, it never tastes like the real thing and you don&#x27;t get to watch kvass explosions in the bottle as it is being made

how about:<p><pre><code> echo &quot;value&quot; &gt; ${home}&#x2F;.db&#x2F;key cat ${home}&#x2F;.db&#x2F;key &gt; value scp -r ...</code></pre>

Wait, this is just a toy project.

Not trolling or trying to downplay anybody here, but honestly - how “kvass” (readed as “k-v-ass” given it is a “key-value” storage) is a good name?..