// the find
sourcenetwork/orbis-go
Decentralized Secrets Management Engine powered by threshold cryptography and proxy re-encryption
Orbis is a decentralized secrets management system that uses threshold cryptography (DKG + PSS) and Proxy Re-Encryption so that no single node ever holds a plaintext secret. It's aimed at permissionless, multi-party deployments where you can't trust a central authority — the opposite of Vault or AWS KMS. Think cross-org secret custody or Web3-adjacent key management.
The PRE design is genuinely clever: nodes re-encrypt shares without ever reconstructing the plaintext, so even a threshold of colluding nodes can't recover the secret during a read — only the requester can with their ephemeral private key. The PSS/proactivization epoch model addresses the unbounded-time adversary problem that most threshold schemes ignore. The package structure is interface-heavy with real alternative implementations (ElGamal PRE, AVPSS, LibP2P transport, Zanzibar/SourceHub auth) rather than a single hardcoded path. Docker Compose demos with multi-node rings and realistic seed configs make it actually runnable for evaluation.
The README says 'implementation details are in flux' and the last commit was September 2024 — this appears to be stalled or abandoned, not a project you'd adopt for production today. The authorization story delegates to SourceHub (a separate SourceNetwork product), which means you're taking a hard dependency on their ecosystem just to get policy enforcement. Test coverage is sparse: a few unit tests for crypto primitives and DKG, but no integration tests for the full ring lifecycle (DKG → store secret → PRE → recover). The BSL license in `/licenses/BSL.txt` is a commercial restriction — not open source — which would block production use in competing products.