Configuration

Sirr is configured entirely through environment variables. No config files, no CLI flags for server settings. Set the variables, start the binary.

Server environment variables

These variables control the Sirr server process.

  • Name
    SIRR_MASTER_KEY
    Type
    string
    Description

    The master key used for two purposes: as the bearer token for API authentication (constant-time comparison) and as the input to Argon2id key derivation for encrypting secrets. Must be set before the server starts. Use openssl rand -hex 32 to generate a strong key.

  • Name
    SIRR_LICENSE_KEY
    Type
    string
    Description

    License key for running more than 100 secrets per instance. Format: sirr_lic_<40-hex-chars>. Validated against secretdrop.app on startup. Without a valid license, the server returns 402 Payment Required when the 101st secret is pushed. Free for up to 100 secrets.

  • Name
    SIRR_PORT
    Type
    integer
    Description

    TCP port the server listens on.

  • Name
    SIRR_HOST
    Type
    string
    Description

    Network interface to bind to. Use 127.0.0.1 to restrict to localhost only.

  • Name
    SIRR_DATA_DIR
    Type
    string
    Description

    Directory for the sirr.db database and sirr.salt file. Defaults to the platform-specific data directory (see Data directories below).

  • Name
    SIRR_LOG_LEVEL
    Type
    string
    Description

    Log verbosity. One of: trace, debug, info, warn, error.

  • Name
    SIRR_WEBHOOK_SECRET
    Type
    string
    Description

    HMAC secret for signing webhook payloads. When set, every webhook delivery includes an X-Sirr-Signature header. See Webhooks.

  • Name
    SIRR_INSTANCE_ID
    Type
    string
    Description

    Unique identifier for this Sirr instance. Used for multi-instance deployments and license validation heartbeats. Auto-generated if not set.

  • Name
    SIRR_HEARTBEAT
    Type
    boolean
    Description

    Whether to send periodic heartbeats to the license validation server. Set to false to disable.

  • Name
    SIRR_AUDIT_RETENTION_DAYS
    Type
    integer
    Description

    Number of days to retain audit log entries. Entries older than this are purged during prune operations. Set to 0 to retain indefinitely.

  • Name
    SIRR_VALIDATION_URL
    Type
    string
    Description

    URL of the license validation endpoint. Override for on-premise SecretDrop deployments.

  • Name
    SIRR_VALIDATION_CACHE_SECS
    Type
    integer
    Description

    How long to cache a successful license validation response, in seconds. Reduces calls to the validation endpoint.

SIRR_MASTER_KEY is the only required variable. All others have sensible defaults. Never commit your master key to version control.

Client environment variables

The Sirr CLI and official SDKs read these variables to connect to a Sirr server.

  • Name
    SIRR_SERVER
    Type
    string
    Description

    The base URL of the Sirr server to connect to. Include the protocol (http:// or https://).

  • Name
    SIRR_TOKEN
    Type
    string
    Description

    The bearer token for authenticating API requests. This is the same value as SIRR_MASTER_KEY on the server.

You can set these in your shell profile or pass them inline:

Client configuration

export SIRR_SERVER="https://sirr.internal.example.com"
export SIRR_TOKEN="your-master-key"

# Now all CLI commands authenticate automatically
sirr push API_KEY="sk-..." --ttl 1h
sirr get API_KEY

Data directories

Sirr stores two files in its data directory: sirr.db (the encrypted database) and sirr.salt (the 32-byte salt for key derivation). The default location depends on your platform:

PlatformDefault path
Linux~/.local/share/sirr/
macOS~/Library/Application Support/sirr/
Windows%APPDATA%\sirr\

Override the default by setting SIRR_DATA_DIR:

Custom data directory

export SIRR_DATA_DIR=/opt/sirr/data
sirrd serve

Both sirr.db and sirr.salt must be preserved together. Losing sirr.salt makes existing secrets permanently unrecoverable, even with the correct master key. Back up both files.

Docker configuration

When running Sirr in Docker, mount a volume for the data directory to persist secrets across container restarts. Set SIRR_DATA_DIR=/data to point at your mounted volume.

Docker with persistent storage

docker run -d \
  --name sirrd \
  -p 39999:39999 \
  -v ./sirrd-data:/data \
  -e SIRR_MASTER_KEY="$(openssl rand -hex 32)" \
  -e SIRR_DATA_DIR=/data \
  ghcr.io/sirrvault/sirrd

Docker Compose

docker-compose.yml

services:
  sirr:
    image: ghcr.io/sirrvault/sirr
    ports:
      - "39999:39999"
    volumes:
      - sirr-data:/data
    environment:
      SIRR_MASTER_KEY: "${SIRR_MASTER_KEY}"
      SIRR_DATA_DIR: /data
      SIRR_LOG_LEVEL: info

volumes:
  sirr-data:

Production recommendations

  • Always mount a persistent volume for /data. Without it, secrets are lost when the container restarts.
  • Set SIRR_MASTER_KEY via a Docker secret or your orchestrator's secret management, not in plain text in a compose file.
  • Use SIRR_HOST=0.0.0.0 (the default) inside the container and restrict access at the network level with a reverse proxy.
  • Set SIRR_LOG_LEVEL=warn in production to reduce log noise.

Was this page helpful?