Encrypted secrets are hard to manage: even if the actual secrets are unchanged, decrypting and then re-encrypting a secret produces a different ciphertext, and therefore a diff. As such, maintaining more than one secret becomes cumbersome. vault-differ helps to store only the changed secrets in a git-based repository.
Secret Keeper is a tool that helps users to manage and review changes to secrets in encrypted repositories. It does this by filtering files with no secret changes from the git worktree. This makes it easier to review changes to secrets and to commit only updated secrets.
Secret Keeper offers a number of benefits, including:
Install the tool with:

```sh
go install github.com/thapabishwa/secret-keeper@latest
```

Inside your repository, create a new `config.secret-keeper.yaml` file and modify it as needed. The following are example configuration files for Ansible Vault and SOPS.
```yaml
secret_files_patterns:
  # The list of file patterns to treat as secrets in the repository across all folders
  - "*.tf"
  - "*.password"
vault_tool: "ansible-vault"
# The args to encrypt a file in-place using the vault tool
encrypt_args:
  - "encrypt"
  - "--vault-password-file"
  - "~/.vault-password-file"
# The args to decrypt a file in-place using the vault tool
decrypt_args:
  - "decrypt"
  - "--vault-password-file"
  - "~/.vault-password-file"
# The args to view the secret in the file using the vault tool
view_args:
  - "view"
  - "--vault-password-file"
  - "~/.vault-password-file"
```
```yaml
secret_files_patterns:
  # The list of file patterns to treat as secrets in the repository across all folders
  - "*.tf"
  - "*.password"
vault_tool: "sops"
# The args to encrypt a file in-place using the vault tool
encrypt_args:
  - "--encrypt"
  - "--in-place"
  - "--pgp"
# The args to decrypt a file in-place using the vault tool
decrypt_args:
  - "--decrypt"
  - "--in-place"
  - "--pgp"
# The args to view the secret in the file using the vault tool
view_args:
  - "--decrypt"
  - "--pgp"
```
This configuration file controls the behavior of the tool, allowing you to specify which files should be treated as secrets, enable debug mode, and set the encryption and decryption parameters.
Initialize the repository:

```sh
secret-keeper init
```

Start using the tool:

```sh
secret-keeper encrypt # encrypts all the secrets, if not already encrypted; also cleans the secrets from the git worktree
secret-keeper clean   # cleans the secrets from the git worktree
secret-keeper decrypt # decrypts all the secrets, if not already decrypted
```
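The Go snippet below is an added illustration, not code from secret-keeper itself, of why the clean step has to compare decrypted content rather than ciphertext. It uses a constructed AES-GCM stand-in for the vault tool under a fixed demo key (the real tools take their key from the password file or PGP configured above), and a hypothetical `classifySecrets` function that applies a `secret_files_patterns`-style glob and marks a path as changed only when its plaintext differs from the committed version or the file is new.

```go
package main
import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"path/filepath"
)
// aead is the constructed stand-in for the vault tool: AES-128-GCM under a fixed demo key.
var aead = func() cipher.AEAD {
	block, err := aes.NewCipher([]byte("0123456789abcdef")) // 16-byte demo key, not a real secret
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // AES has a 128-bit block, so NewGCM cannot fail here
	return gcm
}()
// encrypt draws a fresh nonce per call, so unchanged plaintext re-encrypts to a different blob.
func encrypt(plaintext []byte) []byte {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}
// decrypt reverses encrypt and rejects truncated or tampered blobs.
func decrypt(blob []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], nil)
	}
	return nil, errors.New("ciphertext too short")
}
// classifySecrets compares plaintext, not ciphertext: true means the decrypted content of a
// matching path differs from head (or the file is new); false is re-encryption noise to restore.
func classifySecrets(pattern string, head, worktree map[string][]byte) (map[string]bool, error) {
	changed := map[string]bool{}
	for path, wt := range worktree {
		if ok, _ := filepath.Match(pattern, filepath.Base(path)); !ok {
			continue
		}
		newPT, errNew := decrypt(wt)
		oldPT, errOld := decrypt(head[path]) // a new file has no blob in head and fails here
		if errNew != nil || (head[path] != nil && errOld != nil) {
			return nil, errors.New("cannot decrypt " + path)
		}
		changed[path] = errOld != nil || !bytes.Equal(oldPT, newPT) // new, or plaintext differs
	}
	return changed, nil
}
```

Paths that come back `false` are exactly the files a clean step would restore from HEAD so that the commit carries only real secret changes.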
Thanks go to these wonderful people:

- Bishwa Thapa 💻 📖 💡 🤔 🚧 📦 🔬
- Kripesh Dhakal 🐛 💻 📖 💡 🤔 📦 👀
This project follows the all-contributors specification. Contributions of any kind welcome!
Secret Keeper is licensed under the MIT License.