naasson /hub

Your cluster configs.
Only you can read them.

Naasson Hub is a private, end-to-end-encrypted config store. Push your weld.yml, Terraform, Helm values, secrets-without-secrets into a repo on hub.cloud.naasson.com. The server stores ciphertext only — we cannot read your files even if we wanted to.

Every repo is private. Access requires a fresh WebAuthn passkey assertion at every write. No public catalog, no anonymous browsing.

Set up your passkey My repos

End-to-end encrypted

Files are AES-GCM-encrypted in your browser before upload. The key never leaves your authenticator. A full database dump leaks only ciphertext.

Passkey-only writes

Every save requires a WebAuthn assertion from your hardware authenticator. Stolen session cookies cannot mutate state.

No master key

We have no recovery backdoor. Lose all your passkeys without an opt-in recovery passphrase and your data is mathematically gone — that's the point.

How it works

  1. Sign in at cloud.naasson.com (OAuth — Yandex / Google / GitHub).
  2. Visit /enroll/ and register a WebAuthn passkey. The browser derives your vault key from a PRF assertion against this credential.
  3. Create a repo. The browser generates a per-repo content key, encrypts it under your vault key, and ships the wrapped envelope to the server.
  4. Add files. They're encrypted client-side before the PUT. The server stores opaque bytes.
  5. Point weldctl at hub://{your-id}/{slug}. The CLI does its own passkey ceremony to fetch + decrypt.